
RE: NAT-Traversal
> -----Original Message-----
> From: owner-ipsec@lists.tislabs.com 
> [mailto:owner-ipsec@lists.tislabs.com]
> On Behalf Of Lokesh
> Hi all,
> I think NAT-Traversal fails if user configures IKE with Main mode and
> Authentication method as Preshared keys.

Yes, it is a known problem with NAT-T and it cannot be fixed because the
IP addresses are sent after the authentication is done. There is an
issue with certificates as well because of the IKE packet fragmentation.
My personal opinion is that the NAT-T solution should be abandoned as it
is flawed. Over the last two years several problems have been pointed
out and the NAT-T ID keeps changing. A short while ago it was heavily
criticized (after it made it to last call) and has since been modified
(again)! Even so, the latest draft has several problems.  

> How to proceed?

We have a working and tested solution that overcomes the pre-shared key
problem as well as the certificate problem. We are going to show our
solution at N+I 2002, 7th-9th May.

Nobody seems to notice, but NAT traversal can be achieved without
modifying IKE and without tunneling IPsec data through the IKE port. Not
relying on IKE for NAT Traversal makes it a much more general solution
and can be used elsewhere as well. 

Plus, there are several other advantages like true end-to-end security
and there is no need for nested tunnels. The same solution can be
applied to IP and mobile IP networks. Try that with NAT-T! 

Regards,
Jayant
Booth # 7981, N+I Las Vegas 2002
www.trlokom.com
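An added illustration of the Main Mode / pre-shared key problem referred to above (example code, not part of the original thread or of any product mentioned in it): a toy model of the IKEv1 Main Mode authentication step in which the responder has to choose the pre-shared key by the peer's source IP address before it can see the encrypted ID payload, so a peer whose address is rewritten by a NAT cannot be matched to its key. The PSK table, addresses, identity and the simplified HASH_I construction are all constructed assumptions.

```python
import hmac
import hashlib
import os

# Responder's PSK table, keyed by peer IP as IKEv1 Main Mode forces: the ID
# payload only arrives encrypted in messages 5/6, and the encryption key is
# derived from the PSK, so the key must be chosen before any ID is visible.
# Constructed sample data.
PSK_BY_PEER_IP = {
    "203.0.113.10": b"psk-branch-office",   # peer with a public address
    "192.168.1.20": b"psk-road-warrior",    # peer's private address behind a NAT
}

def skeyid(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 pre-shared key case: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()

def auth_hash(key: bytes, identity: bytes) -> bytes:
    """Simplified HASH_I: prf(SKEYID, ID). Real IKE also covers g^x, cookies and the SA."""
    return hmac.new(key, identity, hashlib.sha1).digest()

def initiator_msg5(psk: bytes, ni: bytes, nr: bytes, identity: bytes):
    """Initiator's message 5: its ID plus HASH_I keyed with SKEYID from *its* PSK."""
    return identity, auth_hash(skeyid(psk, ni, nr), identity)

def responder_verify(observed_src_ip: str, ni: bytes, nr: bytes, msg5) -> bool:
    """Responder selects the PSK by the source IP it observes, then checks HASH_I."""
    psk = PSK_BY_PEER_IP.get(observed_src_ip)
    if psk is None:
        return False  # no key for this address: cannot even decrypt message 5
    identity, hash_i = msg5
    return hmac.compare_digest(auth_hash(skeyid(psk, ni, nr), identity), hash_i)

def run_exchange(peer_ip: str, peer_psk: bytes, behind_nat: bool,
                 nat_ip: str = "198.51.100.1") -> bool:
    """Run one Main Mode PSK authentication; a NAT rewrites the source address."""
    ni, nr = os.urandom(16), os.urandom(16)
    msg5 = initiator_msg5(peer_psk, ni, nr, b"peer@example.net")
    observed_ip = nat_ip if behind_nat else peer_ip
    return responder_verify(observed_ip, ni, nr, msg5)
```

The publicly addressed peer authenticates, while the NATed peer's packets arrive from the NAT's address, for which no PSK exists, so the same key material fails even though the peer holds the right key.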