On 11/12/24 01:24, Lew Wolfgang wrote:
> Sorry I'm late to reply. I don't know about VoIP, but Zoom, Teams, Signal, and others work quite well on NAT subnets. Regarding IPSec, I'm using an Aruba Remote Access Point (RAP) to connect to my employer's network. It's sort of like a hardware VPN. I think it uses IPSec, and it works fine on my IPv4 NAT subnet.
VoIP requires a public address. STUN is used to fudge that with NAT. On the other hand, Zoom, etc. work with a server, which is the only part that requires a public address. It isn't all of IPSec that breaks, only authentication headers, which verify the headers haven't been tampered with. NAT, by design, tampers with the headers.
> I don't think that SLI requires deep packet inspection. The destination IP is right there where it should be. The server hostname parsing would be done at the destination, not at routing nodes. With SNI, DNS serves sort of like the router.
What about carrier grade NAT? Those routers are not at the destination, but would still have to do SLI, if it's to work. Also, on large networks, the router and firewall are often separate boxes.
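
The point above about authentication headers and NAT, as an added example that is not part of the original message: a simplified AH-style integrity check (HMAC over the IPv4 header with its mutable fields zeroed, plus the payload) is computed before and after a NAT-style source address rewrite. Assumptions: the key, addresses and payload are constructed, the real AH header fields (SPI, sequence number) are left out, and a payload-only check in the style of ESP is included for contrast.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key

def ipv4_header(src, dst, ttl=64, proto=51, payload_len=0):
    """Minimal 20-byte IPv4 header; checksum left at 0 for brevity."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                       ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def zero_mutable(hdr):
    """Zero the fields AH treats as mutable in transit (RFC 4302)."""
    h = bytearray(hdr)
    h[1] = 0                 # DSCP/ECN
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)

def ah_icv(hdr, payload):
    """AH-style ICV: covers immutable header fields, including both addresses."""
    mac = hmac.new(KEY, zero_mutable(hdr) + payload, hashlib.sha256)
    return mac.digest()[:16]

def esp_icv(hdr, payload):
    """ESP-style ICV (simplified): the outer IP header is not covered."""
    return hmac.new(KEY, payload, hashlib.sha256).digest()[:16]

def nat_rewrite(hdr, public_src):
    """What a NAT router does: replace the source address, decrement TTL."""
    h = bytearray(hdr)
    h[12:16] = socket.inet_aton(public_src)
    h[8] -= 1
    return bytes(h)

def survives_nat(icv_fn):
    """True if the receiver's recomputed ICV still matches after NAT."""
    payload = b"constructed payload"
    sent = ipv4_header("192.168.1.10", "203.0.113.5", payload_len=len(payload))
    icv = icv_fn(sent, payload)
    received = nat_rewrite(sent, "198.51.100.7")
    return hmac.compare_digest(icv, icv_fn(received, payload))

if __name__ == "__main__":
    print("AH-style check survives NAT: ", survives_nat(ah_icv))
    print("ESP-style check survives NAT:", survives_nat(esp_icv))
```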