
Re: Passing IPSec VPN traffic through a Port-masquerading firewall



John,

First, port 500 is associated with IKE, but not AH or ESP.  These
protocols, used for transit traffic security, have their own protocol IDs
(50 and 51), and have no port numbers per se, unlike TCP or UDP.  Depending
on the security service selected, you might be able to see real port
numbers, but since you can't count on that in all cases, it probably is not
a useful heuristic.

I don't understand your reference to the sequence numbers in packets.  Each
packet protected with AH or ESP will have an increasing sequence number,
but there is no guarantee that all packets will be delivered in order, so
you may see gaps.  Also, since everyone uses the same sequence number
space, what approach do you envision for using these values to demux
individual user SAs?

Steve

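As an added illustration of the two points above (this is example code written for this page, not part of Steve's reply or of any firewall product): a small parser that classifies a constructed IPv4 packet as IKE (UDP on port 500), ESP (protocol 50) or AH (protocol 51), and shows that the ESP and AH headers carry an SPI and a sequence number but no port fields. A second function groups observed sequence numbers by SPI; it shows that each SA's sequence numbers start from 1 and overlap with every other SA's, and that out-of-order delivery leaves gaps, so the sequence number alone cannot tell individual SAs apart. The SPI field and the header layouts follow the ESP and AH standards; the protocol numbers 50, 51 and port 500 are the ones named in the message, and the packet bytes are constructed here.

```python
import struct

# IANA protocol numbers and the IKE port; 50, 51 and 500 are the values named in the message.
IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51
IKE_PORT = 500


def classify(packet: bytes) -> dict:
    """Report how a firewall can recognise IPsec traffic in one IPv4 packet.

    IKE is identified by UDP port 500; ESP and AH are identified by the IP
    protocol number only. For ESP/AH the fields that follow the IP header are
    the SPI and the sequence number; there is no port number to look at.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    payload = packet[ihl:]

    if proto == IPPROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return {"kind": "ike", "sport": sport, "dport": dport}
        return {"kind": "other", "proto": proto}

    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])   # ESP: SPI, seq, then ciphertext
        return {"kind": "esp", "spi": spi, "seq": seq}

    if proto == IPPROTO_AH and len(payload) >= 12:
        # AH: next header (1), payload len (1), reserved (2), SPI (4), seq (4), ICV
        spi, seq = struct.unpack("!II", payload[4:12])
        return {"kind": "ah", "spi": spi, "seq": seq}

    return {"kind": "other", "proto": proto}


def sequence_report(observed) -> dict:
    """Group (spi, seq) observations per SA.

    Returns {spi: {"seen": [...], "gaps": [...], "shared_with_other_sa": [...]}}.
    'gaps' are sequence numbers below the highest seen that never arrived
    (reordering or loss); 'shared_with_other_sa' lists this SA's sequence
    numbers that some other SA also used, i.e. values that cannot demux SAs.
    """
    per_sa: dict = {}
    for spi, seq in observed:
        per_sa.setdefault(spi, set()).add(seq)
    report = {}
    for spi, seqs in per_sa.items():
        others = set().union(*(s for o, s in per_sa.items() if o != spi)) if len(per_sa) > 1 else set()
        report[spi] = {
            "seen": sorted(seqs),
            "gaps": [n for n in range(1, max(seqs)) if n not in seqs],
            "shared_with_other_sa": sorted(seqs & others),
        }
    return report


def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 header (constructed test data, checksum left zero)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


# Constructed sample packets: an IKE datagram, an ESP packet on SPI 0x1234 with
# sequence 7, and an AH packet on SPI 0xabcd with sequence 3.
IKE_PKT = ipv4(IPPROTO_UDP, struct.pack("!HHHH", IKE_PORT, IKE_PORT, 12, 0) + b"\x00" * 4)
ESP_PKT = ipv4(IPPROTO_ESP, struct.pack("!II", 0x1234, 7) + b"\xaa" * 16)
AH_PKT = ipv4(IPPROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0xABCD, 3) + b"\x00" * 12)

# Constructed arrival order for two SAs: both start at 1, and SA 0x1234's
# packet 4 has not arrived when packet 5 shows up.
OBSERVED = [(0x1234, 1), (0x1234, 3), (0xABCD, 1), (0x1234, 2), (0xABCD, 2), (0x1234, 5)]

if __name__ == "__main__":
    for pkt in (IKE_PKT, ESP_PKT, AH_PKT):
        print(classify(pkt))
    for spi, info in sequence_report(OBSERVED).items():
        print(hex(spi), info)
```

Running it prints the three classifications and, for SPI 0x1234, a gap at 4 and sequence numbers 1 and 2 shared with SPI 0xabcd; the SPI, not the sequence number, is what separates the two SAs.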
