
Re: NAT and IPsec

Joern writes:

> It should be noted that our (huttunen) scheme is as simple as
> it possibly can be.
> 
> There are a lot of thoughts in the draft, but you have to 
> make it work for yourself. It mentions transport mode, yes.
> But we don't even have that ourselves.
> 
> You want to configure it, not negotiate it?
> Well, you have to configure it in order to negotiate it, right.
> The only change in negotiation is the 61440 number.
> You don't _have_ to use the VID... It says "SHOULD" in the draft.
> You can use a configuration switch instead.

Yes, but even if I don't skip any functionality and want to retain
the negotiation possibility, do I really need the VIDs? Wouldn't
just the 61440 do? Or just the detection that the IKE packets
seem to have gone through a NAT, and that the initiator is
sending stuff encapsulated to the port 2797?

> >* Would it be simpler to just use a client-initiated
> >  ping as needed rather than a special-case heartbeat
> >  packets as in two of the drafts?
> 
> There are two UDP ports here... IKE and ESPoverUDP.
> With the ping you only keep ESPoverUDP alive.

Ah. Yes. Does somebody have an idea how long a large NAT's UDP
session storage lasts, typically?

Note that if you were to encapsulate both IKE and ESP to the
same UDP port number (2797) then there'd be a need to keep
just that alive, either with the ping or with the empty IKE message
you suggested.

Jari
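The keepalive question above (a ping keeps only the ESP-over-UDP mapping alive, while folding IKE onto the same port leaves one mapping to maintain), as an added example that is not part of this thread: a small Python model of a NAT's UDP session table, run against both port layouts. Port 2797 is from the draft discussed here; UDP 500 is the standard IKE port; the 60 s idle timeout, 20 s keepalive interval and the inside address 10.0.0.2 are constructed assumptions.

```python
from dataclasses import dataclass, field

IKE_PORT = 500        # standard IKE port
ESP_UDP_PORT = 2797   # ESP-over-UDP port from the draft discussed in the thread


@dataclass
class NatUdpTable:
    """Model of a NAT's UDP session table: one mapping per (inside address,
    inside port), dropped after idle_timeout seconds without outbound traffic.
    `lost` counts how often a mapping timed out; in a real NAT a re-created
    mapping would usually get a new external port, so any loss is a failure."""
    idle_timeout: float
    last_seen: dict = field(default_factory=dict)
    lost: dict = field(default_factory=dict)

    def _expire(self, now):
        for flow, seen in list(self.last_seen.items()):
            if now - seen >= self.idle_timeout:
                del self.last_seen[flow]
                self.lost[flow] = self.lost.get(flow, 0) + 1

    def packet(self, flow, now):
        """Outbound packet from the inside host: refresh or (re)create the mapping."""
        self._expire(now)
        self.last_seen[flow] = now

    def alive(self, flow, now):
        self._expire(now)
        return flow in self.last_seen


def simulate(flows, keepalive_flows, interval, horizon, idle_timeout=60.0):
    """Every flow sends once at t=0; afterwards only keepalive_flows send, every
    `interval` seconds. Return {flow: (mapping alive at horizon, times lost)}."""
    nat = NatUdpTable(idle_timeout)
    for flow in flows:
        nat.packet(flow, 0.0)
    t = interval
    while t <= horizon:
        for flow in keepalive_flows:
            nat.packet(flow, t)
        t += interval
    return {flow: (nat.alive(flow, horizon), nat.lost.get(flow, 0)) for flow in flows}


def two_port_layout(interval=20.0, horizon=300.0):
    """IKE on UDP 500, ESP-over-UDP on 2797: the ping only refreshes 2797."""
    ike, esp = ("10.0.0.2", IKE_PORT), ("10.0.0.2", ESP_UDP_PORT)
    return simulate([ike, esp], [esp], interval, horizon)


def single_port_layout(interval=20.0, horizon=300.0):
    """IKE and ESP both encapsulated on 2797: one keepalive covers everything."""
    shared = ("10.0.0.2", ESP_UDP_PORT)
    return simulate([shared], [shared], interval, horizon)
```

Running `two_port_layout()` with a keepalive interval longer than the NAT timeout (e.g. 90 s) shows the ESP mapping being dropped and re-created repeatedly, which is the case where the peer would lose track of the external port.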