Tuesday, August 7, 2012

IPSec transport mode inbound with NAT-T enabled needs to update the TCP/UDP checksum

Both TCP and UDP checksums use a pseudo header, which includes the source and destination addresses.
In transport mode, there is only one IP header. If the source or destination IP is changed by NAT, the TCP/UDP checksum in the IPSec data needs to be updated, or the L4 integrity check will fail.
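
The failure and the fix, as an added example that is not from the original post: it builds a constructed UDP datagram, shows that verification against the NAT-rewritten source address fails, and repairs the checksum with the RFC 1624 incremental update. The addresses, ports and function names are assumptions for illustration, and the receiver is assumed to know the sender's original address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Fold a 32-bit accumulator into a 16-bit one's-complement sum. */
static uint16_t csum_fold(uint32_t s) {
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)s;
}
/* Add n bytes to the accumulator as big-endian 16-bit words. */
static uint32_t csum_add(uint32_t s, const uint8_t *p, size_t n) {
    for (; n > 1; p += 2, n -= 2) s += (uint32_t)(p[0] << 8 | p[1]);
    if (n) s += (uint32_t)p[0] << 8;
    return s;
}
/* Checksum over pseudo header (src, dst, proto, length) plus the L4 segment.
 * Run over a segment that already carries its checksum, 0 means "valid". */
uint16_t l4_csum(const uint8_t src[4], const uint8_t dst[4], uint8_t proto,
                 const uint8_t *seg, size_t len) {
    uint32_t s = csum_add(0, src, 4);
    s = csum_add(s, dst, 4);
    s += proto + (uint32_t)len;
    s = csum_add(s, seg, len);
    return (uint16_t)~csum_fold(s);
}
/* RFC 1624 incremental update, HC' = ~(~HC + ~m + m'), for one IPv4 address. */
uint16_t csum_fixup_addr(uint16_t hc, const uint8_t old_ip[4],
                         const uint8_t new_ip[4]) {
    uint32_t s = (uint16_t)~hc;
    for (int i = 0; i < 4; i += 2) {
        s += (uint16_t)~(old_ip[i] << 8 | old_ip[i + 1]);
        s += (uint16_t)(new_ip[i] << 8 | new_ip[i + 1]);
    }
    return (uint16_t)~csum_fold(s);
}
/* Constructed sample: sender 192.0.2.10 sits behind a NAT that rewrites the
 * source to 198.51.100.7. Returns the receiver's verification result after
 * decapsulation; fix != 0 applies the incremental update before verifying. */
uint16_t demo_verify(int fix) {
    const uint8_t orig[4] = {192, 0, 2, 10}, nat[4] = {198, 51, 100, 7};
    const uint8_t dst[4] = {203, 0, 113, 5};
    uint8_t udp[12] = {0x13, 0x88, 0x00, 0x35, 0, 12, 0, 0, 'p', 'i', 'n', 'g'};
    uint16_t c = l4_csum(orig, dst, 17, udp, sizeof udp); /* set by sender */
    if (fix) c = csum_fixup_addr(c, orig, nat);
    udp[6] = (uint8_t)(c >> 8); udp[7] = (uint8_t)(c & 0xff);
    return l4_csum(nat, dst, 17, udp, sizeof udp);
}
int main(void) {
    printf("no fixup: 0x%04x, with fixup: 0x%04x\n", demo_verify(0), demo_verify(1));
    return 0;
}
```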



Refer to NAT-Traversal
http://mkl-note.blogspot.tw/2011/12/nat-traversal.html
