RE: Passing IPSec VPN traffic through a Port-masquerading firewall
Enabling end-to-end IPsec traffic (among other things) across NAT boxes
(also known as IP masquerading) is the subject of
http://www.ietf.org/internet-drafts/draft-montenegro-aatn-nar-01.txt
In particular, you might be interested in section 2.6.2 (IPSEC Handling
and Demultiplexing).
I also gave a presentation at the last IPsec meeting on precisely the
issue that worries you, and hopefully it helps outline what needs to
be done. My presentation was couched in terms of a framework and does
not talk about any specific negotiation or signalling mechanism between
the client and the NAR box.
The presentation is available from:
http://playground.sun.com/~gab/talks/ipsec-nat-issues.PDF
Three different types of signalling schemes have been proposed
so far for similar applications. One is proposed in my draft above, in
which I extend SOCKS for the negotiation phase *only*.
The other two are UDP based and are proposed in these drafts:
Host NAT:
http://www.ietf.org/internet-drafts/draft-ietf-nat-hnat-00.txt
Distributed NAT:
http://search.ietf.org/internet-drafts/draft-borella-aatn-dnat-01.txt
This type of end-to-end application across "NAT" boxes is being discussed
by the NAT working group:
http://www.ietf.org/html.charters/nat-charter.html
Hope this helps,
-gabriel
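Added example (not from Gabriel's message or from the drafts he cites): a toy port-masquerading NAT in Python that shows the demultiplexing problem the message refers to. TCP/UDP replies can be routed back to the right inside host by the port the NAT allocated, but an inbound ESP packet carries no ports, only an SPI, and that SPI is chosen by the inside host and never appears in its outbound ESP. So the NAT has nothing to key on until the inside host tells it which SPI to expect, which is the role the signalling schemes above play. All addresses and SPIs are constructed, `register_esp` stands in for whatever negotiation mechanism a real scheme would use, and IP/UDP checksums are left at zero because only addressing matters here.

```python
import struct
from typing import Dict, NamedTuple, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50


class Parsed(NamedTuple):
    src: str
    dst: str
    proto: int
    sport: Optional[int]   # TCP/UDP only
    dport: Optional[int]   # TCP/UDP only
    spi: Optional[int]     # ESP only


def ip2b(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def b2ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (IHL=5, no options); header checksum left zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip2b(src), ip2b(dst))
    return hdr + payload


def build_udp(sport: int, dport: int, body: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def build_esp(spi: int, seq: int, body: bytes) -> bytes:
    """ESP header (RFC 2406): 32-bit SPI, 32-bit sequence number, then the
    encrypted payload, which a NAT cannot read. `body` is opaque filler."""
    return struct.pack("!II", spi, seq) + body


def parse(packet: bytes) -> Parsed:
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    l4 = packet[(ver_ihl & 0x0F) * 4:]
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return Parsed(b2ip(src), b2ip(dst), proto, sport, dport, None)
    if proto == IPPROTO_ESP:
        (spi,) = struct.unpack("!I", l4[:4])
        return Parsed(b2ip(src), b2ip(dst), proto, None, None, spi)
    return Parsed(b2ip(src), b2ip(dst), proto, None, None, None)


class Masquerader:
    """Toy port-masquerading NAT with one public address (constructed demo)."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table: Dict[Tuple[int, int], str] = {}  # (proto, port-or-SPI) -> inside host
        self.next_port = 40000

    def outbound(self, packet: bytes) -> bytes:
        p = parse(packet)
        ihl = (packet[0] & 0x0F) * 4
        hdr = packet[:12] + ip2b(self.public_ip) + packet[16:ihl]  # rewrite source address
        l4 = packet[ihl:]
        if p.proto in (IPPROTO_TCP, IPPROTO_UDP):
            # Classic masquerading: allocate a public port, remember its owner,
            # rewrite the source port so the reply can be keyed on it.
            pub_port, self.next_port = self.next_port, self.next_port + 1
            self.table[(p.proto, pub_port)] = p.src
            l4 = struct.pack("!H", pub_port) + l4[2:]
        # ESP: nothing to allocate. The SPI on this packet names the peer's
        # inbound SA; replies will arrive under a different SPI that the inside
        # host picked, which never shows up in outbound ESP. Nothing is learned.
        return hdr + l4  # transport checksums deliberately not recomputed


    def register_esp(self, inside_host: str, inbound_spi: int) -> None:
        """Hypothetical signalling step: the inside host tells the NAT which SPI
        its peer will use on ESP packets destined for it."""
        self.table[(IPPROTO_ESP, inbound_spi)] = inside_host

    def inbound_target(self, packet: bytes) -> Optional[str]:
        p = parse(packet)
        if p.proto in (IPPROTO_TCP, IPPROTO_UDP):
            return self.table.get((p.proto, p.dport))
        if p.proto == IPPROTO_ESP:
            return self.table.get((IPPROTO_ESP, p.spi))
        return None


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    nat, peer = Masquerader("203.0.113.1"), "198.51.100.7"
    # UDP: the reply comes back on the allocated port and demuxes fine.
    out = nat.outbound(build_ipv4("10.0.0.2", peer, IPPROTO_UDP, build_udp(5000, 53, b"q")))
    reply = build_ipv4(peer, "203.0.113.1", IPPROTO_UDP, build_udp(53, parse(out).sport, b"r"))
    udp_target = nat.inbound_target(reply)
    # ESP: the reply carries only an SPI; until it is registered the NAT has no key.
    nat.outbound(build_ipv4("10.0.0.3", peer, IPPROTO_ESP, build_esp(0x1000, 1, b"\0" * 16)))
    esp_reply = build_ipv4(peer, "203.0.113.1", IPPROTO_ESP, build_esp(0x2000, 1, b"\0" * 16))
    before = nat.inbound_target(esp_reply)
    nat.register_esp("10.0.0.3", 0x2000)
    after = nat.inbound_target(esp_reply)
    return udp_target, before, after
```

Running `demo()` returns `("10.0.0.2", None, "10.0.0.3")`: the UDP reply is routed, the ESP reply is dropped until the SPI registration happens, and then it is routed. A second inside host opening its own SA would need its own registration, since SPIs from different hosts can collide and the NAT sees only the outer header plus the SPI.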