RE: IPSEC Security Gateways & NAT
Derek,
My explanation:
1. IKE
Problem:
1) Today's IKE uses UDP/IP to exchange packets.
2) It cannot traverse a NAPT device, because the addresses are used for
ID (and protected) and the addresses/ports are changed by the NAPT device.
Solution:
The idea to use yet another UDP/IP header is to shield the IKE packet from
the NAPT device.
It will require the IKE daemon to encapsulate/de-encapsulate the outer
UDP/IP header before processing today's IKE packets.
If there is no NAPT device between the IPSec peers, it will be redundant.
2. IPSec data channel:
The packet's format is:
IP header, transport header, AH, ESP, IP header, IP payload.
It constructs this packet (with header mapping) at the time of encryption,
not after ESP is done.
Regards,
--- David
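As an added illustration (not code from David's message or from any IKE implementation), the following constructed Python model shows the point made above: a NAPT device rewrites the outermost source address/port, so an IKE ID that carries the sender's address stops matching the header unless one extra UDP/IP header is added and stripped by the IKE daemon before processing. The packet layout, the ID encoding and port 5000 are all assumptions made for the example.

```python
import socket
import struct

# Constructed, simplified model of the scheme in the message above, not any
# real IKE or NAT-traversal code: the IKE message carries the sender's own
# address as its ID; it travels over IP/UDP, optionally shielded by one
# extra outer IP/UDP header, which is all the NAPT device gets to rewrite.
IP_HDR = "!BBHHHBBH4s4s"   # minimal IPv4 header, 20 bytes
UDP_HDR = "!HHHH"          # UDP header, 8 bytes

def ip_udp(src, dst, sport, dport, payload):
    """Prepend IPv4 + UDP headers (checksums left zero for brevity)."""
    udp = struct.pack(UDP_HDR, sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def split_ip_udp(pkt):
    """Return (src_ip, dst_ip, sport, dport, payload) of an IPv4/UDP packet."""
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    sport, dport = struct.unpack("!HH", pkt[20:24])
    return src, dst, sport, dport, pkt[28:]

def ike_message(own_addr):
    """IKE payload whose (protected) ID is the sender's own address."""
    return b"IKE" + socket.inet_aton(own_addr)

def napt(pkt, public_ip, public_port):
    """A NAPT device rewrites only the outermost source address and port."""
    _, dst, _, dport, payload = split_ip_udp(pkt)
    return ip_udp(public_ip, dst, public_port, dport, payload)

def responder_accepts(pkt, encapsulated):
    """Responder check: the ID inside IKE must equal the source it sees."""
    src, _, _, _, payload = split_ip_udp(pkt)
    if encapsulated:  # the IKE daemon strips the extra outer header first
        src, _, _, _, payload = split_ip_udp(payload)
    return payload[:3] == b"IKE" and socket.inet_ntoa(payload[3:7]) == src

def traverses_napt(encapsulated):
    """Send one IKE packet through a NAPT device; True if the ID check passes."""
    pkt = ip_udp("10.0.0.5", "198.51.100.1", 500, 500, ike_message("10.0.0.5"))
    if encapsulated:  # yet another UDP/IP header; port 5000 is constructed
        pkt = ip_udp("10.0.0.5", "198.51.100.1", 5000, 5000, pkt)
    pkt = napt(pkt, "203.0.113.9", 40000)  # constructed public address/port
    return responder_accepts(pkt, encapsulated)
```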