
RE: IPSEC Security Gateways & NAT



Derek,

My explanation:
1. IKE
Problem:
1) Today's IKE uses UDP/IP to exchange packets.
2) It cannot traverse a NAPT device, because the addresses are used for the ID (and are protected), and the addresses/ports are changed by the NAPT device.

Solution:
The idea of using yet another UDP/IP header is to shield the IKE packet from the NAPT device.
It will require the IKE daemon to encapsulate/de-encapsulate the outer UDP/IP header before processing today's IKE packets.

If there is no NAPT device between the IPSec peers, it will be redundant.

2. IPSec data channel:
The packet's format is:
IPHeader, Transport header, AH, ESP, IP Header, IP payload.
It constructs this packet (with header mapping) at the time of encryption, not after ESP is done.



Regards,

--- David
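The NAPT problem and the extra-UDP-header fix that David describes, modelled as an added Python example (not code from this thread); the packet model, the "protected ID equals source address" check and the encapsulation port are simplifying assumptions:

```python
from dataclasses import dataclass, replace
from typing import Optional

ENCAP_PORT = 4500  # assumed port for the extra UDP header; the post names none

@dataclass(frozen=True)
class UdpIp:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class IkePacket:
    header: UdpIp            # the UDP/IP header IKE itself is carried in
    id_addr: str             # protected ID payload: the sender's own IP address
    outer: Optional[UdpIp] = None  # extra UDP/IP header added for NAT traversal

def encapsulate(pkt: IkePacket) -> IkePacket:
    """Add the 'yet another UDP/IP header' in front of the IKE packet."""
    h = pkt.header
    return replace(pkt, outer=UdpIp(h.src_ip, ENCAP_PORT, h.dst_ip, ENCAP_PORT))

def napt_rewrite(pkt: IkePacket, public_ip: str, public_port: int) -> IkePacket:
    """A NAPT device rewrites only the outermost header's source address/port."""
    if pkt.outer is not None:
        return replace(pkt, outer=replace(pkt.outer, src_ip=public_ip, src_port=public_port))
    return replace(pkt, header=replace(pkt.header, src_ip=public_ip, src_port=public_port))

def responder_accepts(pkt: IkePacket) -> bool:
    """Strip the outer header (if present), then compare the protected ID
    against the source address of the header handed to today's IKE."""
    inner = pkt.header  # the outer header, if any, is de-encapsulated and discarded
    return inner.src_ip == pkt.id_addr

def exchange(encapsulated: bool, behind_napt: bool = True) -> bool:
    """Constructed scenario: an initiator on a private address sends to a responder."""
    pkt = IkePacket(UdpIp("10.0.0.5", 500, "203.0.113.9", 500), id_addr="10.0.0.5")
    if encapsulated:
        pkt = encapsulate(pkt)
    if behind_napt:
        pkt = napt_rewrite(pkt, "198.51.100.1", 40001)
    return responder_accepts(pkt)

if __name__ == "__main__":
    print("plain IKE through NAPT:", exchange(encapsulated=False))           # False
    print("UDP-encapsulated IKE through NAPT:", exchange(encapsulated=True))  # True
    print("plain IKE, no NAPT:", exchange(False, behind_napt=False))          # True
```

The third case shows the redundancy David notes: without a NAPT device in the path, the plain exchange already succeeds and the extra header buys nothing.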


