
RE: Passing IPSec VPN traffic through a Port-masquerading firewall



Enabling end-to-end IPsec traffic (among other things) across NAT boxes
(also known as IP masquerading) is the subject of

  http://www.ietf.org/internet-drafts/draft-montenegro-aatn-nar-01.txt

In particular, you might be interested in section 2.6.2 (IPSEC Handling 
and Demultiplexing).

I also gave a presentation at the last IPsec meeting on precisely the
issue that worries you, and hopefully it helps outline what needs to
be done. My presentation was couched in terms of a framework and does
not talk about any specific negotiation or signalling mechanism between
the client and the NAR box.

The presentation is available from:

  http://playground.sun.com/~gab/talks/ipsec-nat-issues.PDF

Three different types of signalling schemes have been proposed
so far for similar applications. One is proposed in my draft above, in
which I extend SOCKS for the negotiation phase *only*.

The other two are UDP-based and are proposed in these drafts:

  Host NAT:
  http://www.ietf.org/internet-drafts/draft-ietf-nat-hnat-00.txt

  Distributed NAT:
  http://search.ietf.org/internet-drafts/draft-borella-aatn-dnat-01.txt

This type of end-to-end application across "NAT" boxes is being discussed
by the NAT working group:

   http://www.ietf.org/html.charters/nat-charter.html

Hope this helps,

-gabriel
