
RE: IPSEC Security Gateways & NAT



Derek and Jayant,
What if the IKE packet is tunneled by encapsulating the UDP/IP?
It seems the ESPoUDP + IKEoUDP (for IPSec) will work fine with NAPT 
under any circumstance?

--- David



-----Original Message-----
From: Derek Atkins [mailto:warlord@mit.edu]
Sent: Monday, June 11, 2001 11:08 AM
To: jshukla
Cc: ipsec@lists.tislabs.com
Subject: Re: IPSEC Security Gateways & NAT


Ok, yes, there is a problem with using pre-shared keys in main mode.

-derek

"jshukla" <jshukla@earthlink.net> writes:

> ----- Original Message ----- 
> From: "Derek Atkins" <warlord@mit.edu>
> > > HASH_I = pfr(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
> > 
> > Um, I don't see anything here that necessarily depends upon the IP
> > Address of either Initiator or Responder.  Perhaps I am being dense,
> > but could you please point out the specific term to which you refer?
> > Keep in mind that the ID term is **NOT** necessarily tied to the IP
> > Address, as you can use many types of ID (such as FQDN) that are
> > "movable".
> > 
> 
> Isn't there a problem in using pre-shared keys for authentication in 
> the main mode? The responder uses the IP address to look up the
> pre-shared key. Because of NAT, it may not be able to look up the
> correct pre-shared key?! If you use aggressive mode, you can overcome
> this problem, but the authors of ESPinUDP proposal use the main 
> mode in their example.
> 
> regards,
> Jayant
> 
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
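The point Jayant raises and Derek concedes above is that in main mode the responder's pre-shared-key lookup is keyed on the peer's IP address, because IDii only arrives in message 5, encrypted under keys derived from SKEYID (and therefore from the PSK itself); aggressive mode sends IDii in the clear in message 1, so the key can be selected by identity. The following is an added illustration of that difference, not code from the thread or from any IKE implementation: a toy model in which HMAC-SHA256 stands in for the negotiated prf, the PSK-case SKEYID and the HASH_I formula quoted above are computed literally, and all addresses, cookies, nonces and secrets are constructed values.

```python
"""Toy model of IKEv1 pre-shared-key authentication behind NAPT.

Not an IKE implementation: HMAC-SHA256 stands in for the negotiated prf,
and every value below is constructed for the example.
"""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """Keyed pseudo-random function (HMAC-SHA256 in place of the negotiated prf)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 pre-shared-key case: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b) -> bytes:
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


# Constructed exchange values, fixed so the example is deterministic.
EXCH = {
    "gxi": b"\x01" * 32, "gxr": b"\x02" * 32,          # stand-ins for DH public values
    "cky_i": b"\x0a" * 8, "cky_r": b"\x0b" * 8,        # ISAKMP cookies
    "sai_b": b"constructed-SA-proposal-body",          # SAi_b
    "ni_b": b"\x11" * 16, "nr_b": b"\x22" * 16,        # nonces
}
INITIATOR_ID = b"roadwarrior.example.com"   # IDii_b as an FQDN (constructed)
INITIATOR_PSK = b"constructed-shared-secret"
INITIATOR_PRIVATE_IP = "192.168.1.20"       # address before NAPT (constructed)
NAT_PUBLIC_IP = "203.0.113.7"               # address the responder actually sees

# Responder policy: the same PSK provisioned two ways.
PSK_BY_PEER_IP = {                          # what main mode forces on the responder
    INITIATOR_PRIVATE_IP: INITIATOR_PSK,
    NAT_PUBLIC_IP: b"some-other-site-secret",  # a different peer that shares the NAT address
}
PSK_BY_PEER_ID = {INITIATOR_ID: INITIATOR_PSK}   # possible when IDii is readable early


def initiator_hash_i() -> bytes:
    """What the initiator sends: HASH_I computed from its own PSK and IDii."""
    skeyid = skeyid_psk(INITIATOR_PSK, EXCH["ni_b"], EXCH["nr_b"])
    return hash_i(skeyid, EXCH["gxi"], EXCH["gxr"], EXCH["cky_i"],
                  EXCH["cky_r"], EXCH["sai_b"], INITIATOR_ID)


def verify_with_psk(psk, idii_b: bytes, received_hash_i: bytes) -> bool:
    """Recompute HASH_I with the PSK the responder selected and compare."""
    if psk is None:
        return False
    skeyid = skeyid_psk(psk, EXCH["ni_b"], EXCH["nr_b"])
    expected = hash_i(skeyid, EXCH["gxi"], EXCH["gxr"], EXCH["cky_i"],
                      EXCH["cky_r"], EXCH["sai_b"], idii_b)
    return hmac.compare_digest(expected, received_hash_i)


def responder_main_mode(src_ip: str, idii_b: bytes, received_hash_i: bytes) -> bool:
    # Main mode: IDii and HASH_I arrive in message 5 encrypted under keys derived
    # from SKEYID, i.e. from the PSK. The responder must choose the PSK before it
    # can read IDii, so the only selector available is the packet's source address.
    psk = PSK_BY_PEER_IP.get(src_ip)
    return verify_with_psk(psk, idii_b, received_hash_i)


def responder_aggressive_mode(src_ip: str, idii_b: bytes, received_hash_i: bytes) -> bool:
    # Aggressive mode: IDii is sent in the clear in message 1, so the responder
    # can select the PSK by identity and ignore the (possibly translated) address.
    psk = PSK_BY_PEER_ID.get(idii_b)
    return verify_with_psk(psk, idii_b, received_hash_i)


def main_mode_direct() -> bool:
    """No NAT: source address matches the PSK table, authentication succeeds."""
    return responder_main_mode(INITIATOR_PRIVATE_IP, INITIATOR_ID, initiator_hash_i())


def main_mode_behind_nat() -> bool:
    """NAPT: the responder picks the PSK for the NAT address, HASH_I fails."""
    return responder_main_mode(NAT_PUBLIC_IP, INITIATOR_ID, initiator_hash_i())


def aggressive_mode_behind_nat() -> bool:
    """NAPT: lookup by IDii still finds the right PSK."""
    return responder_aggressive_mode(NAT_PUBLIC_IP, INITIATOR_ID, initiator_hash_i())


if __name__ == "__main__":
    print("main mode, no NAT:          ", main_mode_direct())
    print("main mode, behind NAPT:     ", main_mode_behind_nat())
    print("aggressive mode, behind NAPT:", aggressive_mode_behind_nat())
```

The second `PSK_BY_PEER_IP` entry shows the worse of the two failure modes: rather than finding no key at all, the responder finds a key belonging to whichever other peer sits behind the same NAT address, and the HASH_I check fails without telling the administrator why. Tunneling IKE over UDP, as David suggests, does not change this, since the outer source address seen by the responder is still the translated one.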

