
Re: INITIAL-CONTACT issues



<recipient list trimmed, as Steve Kent opted out several posts back...>

Alex Alten wrote:
> 
> I have some questions for the WG.
> 
> Has anyone had deployment experience with IKE?

Lots of us have.

> Do actual customers like it running over UDP?

Many don't know what UDP is, much less care. Also, in my experience most
have no idea what protocol IKE runs over.

> Is there any resistance with opening an IKE UDP
> port in firewalls?
> 

Yes, some, and this applies to esp and ah as well as udp/ike. There are
basically 3 cases for deployment: (1) the SAs run through the firewall
to hosts inside, (2) the SAs terminate at the firewall, and (3) the
ipsec device is in front of the firewall, so the firewall never sees
ipsec traffic. The only time the hole is an issue is for case 1.

Scott
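For "case 1" above (SAs passing through the firewall to hosts inside), the following is an added example of what the firewall hole actually has to look like; it is not from Scott's post or from any vendor. It opens only IKE on udp/500, ESP (IP protocol 50) and AH (IP protocol 51), and only between one assumed outside peer and one assumed inside host, rather than a blanket allow. The addresses, interface names and the DRY_RUN switch are assumptions; with DRY_RUN=1 (the default) the script prints the iptables commands instead of applying them, so it can be read or tested without root.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal iptables ruleset for
# "case 1", where IPsec SAs run through the firewall to a host inside.
# Only IKE (udp/500), ESP (IP proto 50) and AH (IP proto 51) are permitted,
# and only between the named outside peer and the named inside host.

PEER="${PEER:-203.0.113.10}"     # assumed remote IPsec gateway (placeholder)
INSIDE="${INSIDE:-192.0.2.20}"   # assumed inside host terminating the SAs (placeholder)
WAN="${WAN:-eth0}"               # assumed outside interface
LAN="${LAN:-eth1}"               # assumed inside interface

# Print the rules instead of applying them when DRY_RUN=1 (the default).
IPT() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

ipsec_passthrough_rules() {
    # IKE negotiation in both directions: udp/500 <-> udp/500 only.
    IPT -A FORWARD -i "$WAN" -o "$LAN" -p udp -s "$PEER" -d "$INSIDE" --sport 500 --dport 500 -j ACCEPT
    IPT -A FORWARD -i "$LAN" -o "$WAN" -p udp -s "$INSIDE" -d "$PEER" --sport 500 --dport 500 -j ACCEPT
    # ESP and AH carry the protected traffic; they have no ports, so the
    # only thing the firewall can pin down is the peer/inside address pair.
    for proto in esp ah; do
        IPT -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -s "$PEER" -d "$INSIDE" -j ACCEPT
        IPT -A FORWARD -i "$LAN" -o "$WAN" -p "$proto" -s "$INSIDE" -d "$PEER" -j ACCEPT
    done
    # Anything else forwarded through the firewall is dropped by default.
    IPT -P FORWARD DROP
}

# Sanity check: number of ACCEPT rules the ruleset contains (2 IKE + 2 ESP + 2 AH).
ipsec_rule_count() {
    ipsec_passthrough_rules | grep -c -- '-j ACCEPT'
}

ipsec_passthrough_rules
```

Cases 2 and 3 from the post need none of these FORWARD rules: in case 2 the firewall itself is the IPsec endpoint (INPUT/OUTPUT rules on its own address), and in case 3 it never sees IPsec packets at all.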

