
RE: NAT Traversal




> 
> My point is that what you are complaining about, NAT-T v. RSIP, isn't
> an issue, 

How do you know it's not an issue? Read the minutes of the SLC meeting
first.

> because the client would know not to use NAT-T if they are
> using RSIP.  Considering the client needs to be aware of (and involved
> in) the RSIP negotiation, they can easily not perform the NAT-T
> negotiation, too.
> 
> 
> -derek
> 


What makes you think the client is involved? IPsec pass-thru implemented
in most low-end NAT boxes is not complete RSIP as that would require
modifications to the client and the gateway. 

The simplification is that the client and gateway do not have to agree
upon the cookie or SPI value. With this simplification the client has to
do nothing about NAT traversal. There can be a problem (although
unlikely) if two clients try to connect to the same domain. That is the
reason manufacturers say these boxes support multiple client pass-thru
sessions, but only one VPN session per VPN tunnel "terminator". 

So the client cannot just choose to use IPsec pass-thru or NAT-T. If you
have one of these IPsec pass-thru routers, you have a problem with NAT-T.

Regards,
Jayant
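
The "one VPN session per terminator" limit described in the message above, as an added example that is not part of the original post or of any vendor's code. It assumes a simplified pass-thru NAT (the hypothetical `PassThruNat` class) that never sees the client's inbound SPI, since that value is negotiated inside encrypted IKE, and so can only match returning ESP on the gateway address; all addresses and SPIs are constructed.

```python
# Added illustration: simplified model of an IPsec pass-thru NAT box.
# Assumption: the NAT sees only the SPI on outbound ESP (chosen by the gateway);
# the SPI on inbound ESP (chosen by the client) is never visible to it in advance.

class PassThruNat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.by_gateway = {}    # gateway IP -> inside client IP
        self.seen_out_spi = {}  # (gateway IP, outbound SPI) -> inside client IP

    def outbound_esp(self, client_ip, gateway_ip, spi):
        """Rewrite the source address, or return None if the gateway is already taken."""
        owner = self.by_gateway.setdefault(gateway_ip, client_ip)
        if owner != client_ip:
            return None  # second client behind the NAT, same tunnel terminator
        self.seen_out_spi[(gateway_ip, spi)] = client_ip
        return (self.public_ip, gateway_ip, spi)

    def inbound_esp(self, gateway_ip, spi):
        """Return (client found by SPI, client found by gateway address)."""
        # ESP has no ports, and each direction uses its own SPI, so the SPI
        # lookup misses and only the gateway address can select a client.
        return (self.seen_out_spi.get((gateway_ip, spi)),
                self.by_gateway.get(gateway_ip))


def demo():
    nat = PassThruNat("203.0.113.1")           # constructed addresses
    client_a, client_b = "192.168.1.10", "192.168.1.11"
    gw1, gw2 = "198.51.100.1", "198.51.100.2"
    return {
        "a_to_gw1": nat.outbound_esp(client_a, gw1, 0x1001),
        "b_to_gw2": nat.outbound_esp(client_b, gw2, 0x2001),  # different gateway: fine
        "b_to_gw1": nat.outbound_esp(client_b, gw1, 0x1002),  # same gateway: refused
        "from_gw1": nat.inbound_esp(gw1, 0xA001),             # client A's inbound SPI
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```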