
Re: NAT and IPsec

Marcus writes about why there is a need to use exactly the IKE port:

>It is simply easier to deploy - as IKE will be used on the port in any
>case, the approach of 'if IKE works, IPsec works also' makes it a lot
>easier to cope with.
> ...
> Admittedly, most firewall configurations are (remote=500,local=500) but I
> think that anything that can simplify the end user experience without
> excessive cost should be done in this type of technology. IPsec as-is
> should be as transparent to end user as possible, and I believe the way of
> traversing NAT should be the same.

Well... just to be clear on this: in order to make [Stenberg] work we most
likely need to modify the firewall policy to (remote=*,local=500). In order
to make [Huttunen] work, we need to modify the policy to (remote=*,local=500,
2796). In both cases the firewall administrator and the user have a direct
business relationship and making modifications in theory should be possible.
I know this doesn't always hold in practice. But if a modification is needed
most likely anyway...? And we're paying a substantial per-packet overhead
to use the IKE port...?

Jari
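The three firewall policies named in the reply, (remote=500,local=500), (remote=*,local=500) and (remote=*,local=500,2796), are easy to misread without seeing what a port-translating NAT does to the IKE packet in between. The model below is an added illustration, not code from the list thread or from either draft. It assumes a NAT that rewrites the UDP source port of outbound traffic (port-preserving NATs keep 500 while it is free, but must remap once a second host behind them also uses it) and takes the second UDP port 2796 for [Huttunen] from the mail above; `Policy`, `Packet` and the port-mapping value are hypothetical names and sample data.

```python
"""
Why (remote=500,local=500) stops working behind a NAT, and what the two
relaxed policies from the mail accept. Added model, not the drafts' code.
"""
from dataclasses import dataclass
from typing import Optional, Set

IKE_PORT = 500
SECOND_PORT = 2796  # extra UDP port named in the mail for [Huttunen]


@dataclass(frozen=True)
class Packet:
    """UDP datagram as seen by the gateway's firewall (ports only)."""
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Policy:
    """Stateless UDP filter on the gateway: remote (source) and local (dest) ports.
    remote_ports=None models the wildcard 'remote=*' from the discussion."""
    remote_ports: Optional[Set[int]]
    local_ports: Set[int]

    def accepts(self, pkt: Packet) -> bool:
        remote_ok = self.remote_ports is None or pkt.src_port in self.remote_ports
        return remote_ok and pkt.dst_port in self.local_ports


# The three policies quoted in the reply, in the same order.
STRICT = Policy({IKE_PORT}, {IKE_PORT})                  # (remote=500,local=500)
STENBERG = Policy(None, {IKE_PORT})                      # (remote=*,local=500)
HUTTUNEN = Policy(None, {IKE_PORT, SECOND_PORT})         # (remote=*,local=500,2796)


def nat_rewrite(pkt: Packet, mapped_port: int) -> Packet:
    """Port-translating NAT: outbound source port is replaced by the NAT's
    own mapping; the destination port is left alone (assumption, see lead-in)."""
    return Packet(src_port=mapped_port, dst_port=pkt.dst_port)


def reaches_gateway(policy: Policy, pkt: Packet,
                    nat_mapped_port: Optional[int] = None) -> bool:
    """Does a packet from the client pass the gateway filter, optionally after
    traversing a NAT that maps the client's source port to nat_mapped_port?"""
    if nat_mapped_port is not None:
        pkt = nat_rewrite(pkt, nat_mapped_port)
    return policy.accepts(pkt)


def summary(nat_mapped_port: int = 33021) -> dict:
    """Outcome table for IKE (500->500) and the second-port channel
    (500->2796), with and without a NAT in the path. 33021 is a
    constructed sample NAT mapping."""
    ike = Packet(IKE_PORT, IKE_PORT)
    second = Packet(IKE_PORT, SECOND_PORT)
    out = {}
    for name, pol in (("strict", STRICT), ("stenberg", STENBERG),
                      ("huttunen", HUTTUNEN)):
        out[name] = {
            "ike_direct": reaches_gateway(pol, ike),
            "ike_via_nat": reaches_gateway(pol, ike, nat_mapped_port),
            "second_port_via_nat": reaches_gateway(pol, second, nat_mapped_port),
        }
    return out


if __name__ == "__main__":
    for name, row in summary().items():
        print(f"{name:9s} {row}")
```

The strict policy passes IKE only while the NAT happens to preserve port 500; as soon as the source port is remapped, the same packet is dropped, which is why the reply says both drafts most likely need the remote side opened up in any case.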