
RE: Passing IPSec VPN traffic through a Port-masquerading firewall

> First, port 500 is associated with IKE, but not AH or ESP. These
> protocols, used for transit traffic security, have their own protocol IDs
> (50 and 51), and have no port numbers per se, unlike TCP or UDP. Depending
> on the security service selected, you might be able to see real port
> numbers, but since you can't count on that in all cases, it probably is
> not a useful heuristic.
> 
[Brothers, John] Right. I should be able to view the SPI, though, correct?

> I don't understand your reference to the sequence numbers in packets. Each
> packet protected with AH or ESP will have an increasing sequence number,
> but there is no guarantee that all packets will be delivered in order, so
> you may see gaps. Also, since everyone uses the same sequence number
> space, what approach do you envision for using these values to demux
> individual user SAs?
[Brothers, John] I was trying to provoke some discussion by throwing out
a random idea. Basically, the gist of what I've found is that the sequence
number is not a good idea, but the SPI may be.

Thanks for your input,

John


> Steve
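An added illustration of the point made above (this is example code, not part of the thread): a parser that pulls the protocol ID, SPI and sequence number out of raw IPv4 packets and demuxes inbound ESP/AH by (protocol, SPI) rather than by port numbers, with IKE recognised separately on UDP 500. The packet bytes and the SA table are constructed samples; how the firewall learns the table when an inside host's SA is set up is assumed, not shown.

```python
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH, IKE_PORT = 17, 50, 51, 500

def parse_ipv4(pkt: bytes):
    """Return (protocol, payload) from an IPv4 packet, honouring IHL for options."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    return pkt[9], pkt[(pkt[0] & 0x0F) * 4:]

def spi_and_seq(proto: int, payload: bytes):
    """(SPI, sequence number) from an ESP or AH payload, else None.
    ESP: SPI at offset 0, seq at offset 4.
    AH: next header, payload length, reserved (4 bytes), then SPI and seq."""
    if proto == IPPROTO_ESP and len(payload) >= 8:
        return struct.unpack("!II", payload[:8])
    if proto == IPPROTO_AH and len(payload) >= 12:
        return struct.unpack("!II", payload[4:12])
    return None

def classify(pkt: bytes) -> str:
    """Label a packet as ESP/AH (with SPI), IKE (UDP 500), or other."""
    proto, payload = parse_ipv4(pkt)
    ids = spi_and_seq(proto, payload)
    if ids:
        return f"{'ESP' if proto == IPPROTO_ESP else 'AH'} spi=0x{ids[0]:08x} seq={ids[1]}"
    if proto == IPPROTO_UDP and len(payload) >= 4 and IKE_PORT in struct.unpack("!HH", payload[:4]):
        return "IKE"
    return f"other proto={proto}"

def inside_host(pkt: bytes, sa_table: dict):
    """Demux an inbound ESP/AH packet to an inside host by (protocol, SPI).
    sa_table is assumed to be learned when the inside host's SA is set up."""
    proto, payload = parse_ipv4(pkt)
    ids = spi_and_seq(proto, payload)
    return sa_table.get((proto, ids[0])) if ids else None

def build_ipv4(proto: int, payload: bytes) -> bytes:
    # Constructed minimal IPv4 header (checksum left zero): sample data, not a capture.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1]))
    return hdr + payload

# Constructed samples: ESP with SPI 0xC0FFEE01/seq 42, AH with SPI 0xDEADBEEF/seq 7, IKE.
SAMPLE_ESP = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0xC0FFEE01, 42) + bytes(16))
SAMPLE_AH = build_ipv4(IPPROTO_AH, struct.pack("!BBHII", 4, 4, 0, 0xDEADBEEF, 7) + bytes(12))
SAMPLE_IKE = build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 500, 500, 8, 0))
```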