RE: Passing IPSec VPN traffic through a Port-masquerading firewall
> First, port 500 is associated with IKE, but not AH or ESP. These
> protocols, used for transit traffic security, have their own protocol IDs
> (50 and 51), and have no port numbers per se, unlike TCP or UDP. Depending
> on the security service selected, you might be able to see real port
> numbers, but since you can't count on that in all cases, it probably is not
> a useful heuristic.
>
[Brothers, John] Right. I should be able to view the SPI, though, correct?
> I don't understand your reference to the sequence numbers in packets. Each
> packet protected with AH or ESP will have an increasing sequence number,
> but there is no guarantee that all packets will be delivered in order, so
> you may see gaps. Also, since everyone uses the same sequence number
> space, what approach do you envision for using these values to demux
> individual user SAs?
[Brothers, John] I was trying to provoke some discussion by throwing out
a random idea. Basically, the gist of what I've found is that the sequence
number is not a good idea, but the SPI may be.
Thanks for your input,
John
> Steve
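As an added illustration of the points made in this exchange (this is editor-supplied example code, not something posted by either participant), the following Python parser shows where the fields under discussion actually sit: IKE is UDP port 500, while ESP and AH are IP protocols 50 and 51 whose headers begin with an SPI and a sequence number rather than ports. It demuxes packets into SAs keyed by (destination, protocol, SPI), the triple RFC 2401 uses to identify an SA, and reports sequence-number gaps per SA. The packets are constructed inline (IPv4 only, no checksums, no ICV verification) purely so the code runs offline; addresses and SPI values are made up.

```python
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50   # ESP has no ports; header starts with SPI, then sequence number
IPPROTO_AH = 51    # AH likewise; SPI sits at offset 4 of the AH header
IKE_PORT = 500     # IKE is ordinary UDP on port 500


def parse_ipv4(packet: bytes) -> dict:
    """Parse an IPv4 header and classify its payload as IKE, ESP, AH, UDP or OTHER."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, (packet[0] & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    proto = packet[9]
    src = ".".join(str(b) for b in packet[12:16])
    dst = ".".join(str(b) for b in packet[16:20])
    payload = packet[ihl:]
    info = {"src": src, "dst": dst, "proto": proto}
    if proto == IPPROTO_ESP:
        # RFC 2406 ESP header: SPI (4 bytes), sequence number (4 bytes), then ciphertext.
        if len(payload) < 8:
            raise ValueError("truncated ESP header")
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(kind="ESP", spi=spi, seq=seq)
    elif proto == IPPROTO_AH:
        # RFC 2402 AH header: next header, payload len, reserved, SPI, sequence number, ICV.
        if len(payload) < 12:
            raise ValueError("truncated AH header")
        next_hdr, _plen, _rsv, spi, seq = struct.unpack("!BBHII", payload[:12])
        info.update(kind="AH", spi=spi, seq=seq, next_header=next_hdr)
    elif proto == IPPROTO_UDP:
        if len(payload) < 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(sport=sport, dport=dport)
        info["kind"] = "IKE" if IKE_PORT in (sport, dport) else "UDP"
    else:
        info["kind"] = "OTHER"
    return info


def demux_sas(packets) -> dict:
    """Group AH/ESP packets by SA identifier (dst, protocol, SPI); collect sequence numbers seen."""
    sas = {}
    for pkt in packets:
        info = parse_ipv4(pkt)
        if info["kind"] not in ("ESP", "AH"):
            continue  # IKE and everything else carries no SPI
        key = (info["dst"], info["kind"], info["spi"])
        sas.setdefault(key, []).append(info["seq"])
    return sas


def sequence_gaps(seqs) -> list:
    """Sequence numbers missing between the lowest and highest seen (reordering or loss)."""
    if not seqs:
        return []
    seen = set(seqs)
    return [n for n in range(min(seen), max(seen)) if n not in seen]


# --- constructed sample traffic (hypothetical addresses and SPIs) -----------------
def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Minimal IPv4 header (no checksum) in front of an already-built payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    return hdr + payload


def esp_payload(spi: int, seq: int, body: bytes = b"\x00" * 16) -> bytes:
    return struct.pack("!II", spi, seq) + body


def ah_payload(spi: int, seq: int, next_header: int = 6, icv: bytes = b"\x00" * 12) -> bytes:
    # payload len = (AH length in 32-bit words) - 2; 24-byte AH with 12-byte ICV -> 4
    return struct.pack("!BBHII", next_header, 4, 0, spi, seq) + icv


def ike_payload(body: bytes = b"\x00" * 28) -> bytes:
    return struct.pack("!HHHH", IKE_PORT, IKE_PORT, 8 + len(body), 0) + body


SAMPLE_PACKETS = [
    build_ipv4(IPPROTO_UDP, "10.0.0.1", "10.0.0.2", ike_payload()),
    build_ipv4(IPPROTO_ESP, "10.0.0.1", "10.0.0.2", esp_payload(0x1001, 1)),
    build_ipv4(IPPROTO_ESP, "10.0.0.1", "10.0.0.2", esp_payload(0x1001, 3)),  # seq 2 missing
    build_ipv4(IPPROTO_ESP, "10.0.0.1", "10.0.0.3", esp_payload(0x2002, 1)),  # other SA
    build_ipv4(IPPROTO_AH, "10.0.0.1", "10.0.0.2", ah_payload(0x3003, 7)),
]

if __name__ == "__main__":
    for key, seqs in demux_sas(SAMPLE_PACKETS).items():
        print(key, "seqs:", seqs, "gaps:", sequence_gaps(seqs))
```

Two things the code makes concrete: the IKE packet is parsed and never reaches the SA table because it has ports but no SPI, and the two ESP flows with different SPIs stay separate even though their sequence numbers overlap, which is why sequence numbers alone cannot distinguish SAs.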