If a network employs NAT and IPsec, which combination is likely to cause connectivity problems?

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

If a network employs NAT and IPsec, which combination is likely to cause connectivity problems?

Explanation:
NAT can break IPsec because NAT changes the IP header and, in some cases, the port numbers as packets cross the network, while IPsec relies on those headers being unaltered to verify and secure the communication. Specifically, AH protects the IP header, so any modification by NAT causes the integrity check to fail and the packet to be dropped. ESP encrypts the payload, but the outer IPsec tunnel header can still be distorted by NAT, preventing the tunnel from being established correctly. NAT traversal (NAT-T) solves this by encapsulating IPsec in UDP, allowing NAT devices to modify only UDP ports without breaking the IPsec integrity, which is why NAT without NAT-T tends to produce connectivity problems. The other statements aren’t generally true in practice: IPsec can work behind packet filters if the necessary protocols and ports are allowed, and stateful firewalls can cooperate with IPsec as long as they’re configured properly.
