Re: NAT and IPsec
Joern writes:
> It should be noted that our (huttunen) scheme is as simple as
> it possibly can be.
>
> There are a lot of thoughts in the draft, but you have to
> make it work for yourself. It mentions transport mode, yes.
> But we don't even have that ourselves.
>
> You want to configure it, not negotiate it?
> Well, you have to configure it in order to negotiate it, right.
> The only change in negotiation is the 61440 number.
> You don't _have_ to use the VID... It says "SHOULD" in the draft.
> You can use a configuration switch instead.
Yes, but even if I don't skip any functionality and want to retain
the negotiation possibility, do I really need the VIDs? Wouldn't
just the 61440 do? Or just the detection that the IKE packets
seem to have gone through a NAT, and that the initiator is
sending stuff encapsulated to the port 2797?
> > * Would it be simpler to just use a client-initiated
> > ping as needed rather than special-case heartbeat
> > packets as in two of the drafts?
>
> There are two UDP ports here... IKE and ESPoverUDP.
> With the ping you only keep ESPoverUDP alive.
Ah. Yes. Does somebody have an idea how long a large NAT's UDP
session storage lasts, typically?
Note that if you were to encapsulate both IKE and ESP to the
same UDP port number (2797) then there'd be a need to keep
just that alive, either with the ping or with the empty IKE message
you suggested.
Jari
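The keepalive point in the exchange above (a ping on the ESP-over-UDP port keeps only that NAT mapping alive, while the IKE mapping on a separate port can silently expire; encapsulating both on one port means one keepalive suffices) can be made concrete with a toy model of a NAT's UDP mapping table. This is an added example, not code from the thread or from any of the drafts it discusses; the idle timeout (120 s), keepalive interval (60 s) and check time (600 s) are constructed values, and the mapping table is a deliberately simplified stand-in for a real NAT.

```python
"""Toy model of a NAT's per-port UDP mapping table with an idle timeout.

Constructed example: real NAT devices differ in timeout values and in whether
inbound traffic also refreshes a mapping; this model refreshes on outbound only.
"""

IKE_PORT = 500        # IKE/ISAKMP UDP port
ESP_UDP_PORT = 2797   # ESP-over-UDP port used in the thread


class NatUdpTable:
    """An outbound datagram creates or refreshes the mapping for its inside
    source port; an inbound datagram is forwarded only while that mapping is
    still within the idle timeout."""

    def __init__(self, idle_timeout):
        self.idle_timeout = idle_timeout
        self.last_seen = {}   # inside port -> time of last outbound datagram

    def outbound(self, inside_port, now):
        self.last_seen[inside_port] = now

    def inbound_forwarded(self, inside_port, now):
        last = self.last_seen.get(inside_port)
        if last is None or now - last > self.idle_timeout:
            # Mapping expired (or never existed): the NAT drops the datagram.
            self.last_seen.pop(inside_port, None)
            return False
        return True


def mapping_state(keepalive_ports, keepalive_interval, idle_timeout, check_at):
    """Set up IKE and ESP-over-UDP mappings at t=0, send keepalives on the
    given ports every keepalive_interval seconds, and report whether an
    inbound datagram to each port would still be forwarded at check_at."""
    nat = NatUdpTable(idle_timeout)
    nat.outbound(IKE_PORT, 0)        # initial IKE negotiation
    nat.outbound(ESP_UDP_PORT, 0)    # first encapsulated ESP packet
    t = keepalive_interval
    while t <= check_at:
        for port in keepalive_ports:
            nat.outbound(port, t)
        t += keepalive_interval
    return {
        IKE_PORT: nat.inbound_forwarded(IKE_PORT, check_at),
        ESP_UDP_PORT: nat.inbound_forwarded(ESP_UDP_PORT, check_at),
    }


def two_port_esp_ping_only(idle_timeout=120, keepalive_interval=60, check_at=600):
    """Separate IKE and ESP-over-UDP ports, keepalive pings only on ESP-over-UDP:
    the IKE mapping expires, so a peer-initiated IKE message would be dropped."""
    return mapping_state([ESP_UDP_PORT], keepalive_interval, idle_timeout, check_at)


def two_port_both_pinged(idle_timeout=120, keepalive_interval=60, check_at=600):
    """Separate ports, keepalives on both: both mappings survive."""
    return mapping_state([IKE_PORT, ESP_UDP_PORT], keepalive_interval, idle_timeout, check_at)


def single_port_shared(idle_timeout=120, keepalive_interval=60, check_at=600):
    """IKE and ESP both encapsulated on ESP_UDP_PORT: one keepalive (a ping or
    an empty IKE message) on that port is enough, and the inbound IKE message
    also arrives on ESP_UDP_PORT."""
    state = mapping_state([ESP_UDP_PORT], keepalive_interval, idle_timeout, check_at)
    return state[ESP_UDP_PORT]


if __name__ == "__main__":
    print("two ports, ping ESP only:", two_port_esp_ping_only())
    print("two ports, ping both:    ", two_port_both_pinged())
    print("one shared port:         ", single_port_shared())
```

The failure case worth noting is the first one: with the keepalive interval well under the NAT timeout, ESP-over-UDP traffic continues to flow in both directions, so the loss of the IKE mapping goes unnoticed until the peer tries to initiate a rekey or dead-peer check toward the client.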