
RE: Clarification of potential NAT multiple client solutions



Hi,

> > Given #2, this 
> > means they may only support 1 IPsec client behind the NAT, or 
> > they have to inhibit a new outbound IKE Main Mode SA (with 
> > responder cookie = 0 specifically) until they see an inbound 
> > ESP SPI they don't recognize.  
> 
> 	This is not true! You do realize that IKE sessions can be 
> 	demultiplexed based on cookies?
> 
> 	For IPsec messages, all the NAT gateway has to do is to allow 
> 	the first outbound IPsec packet and inhibit new outbound IPsec 
> 	connections until the first host to start an IPsec connection 
> 	receives a reply. 
>[snip]

Just out of curiosity, could you explain what happens if:

 1. there is no inbound traffic at all (i.e. a unidirectional protocol)?

 2. there is inbound traffic but it takes a long time before it starts?

 3. an attacker spoofs an IPsec packet with all fields otherwise as the
    NAT expects, but with a bogus SPI?  (This packet would of course have
    to arrive before any proper response packet would reach the NAT.)

Best regards,

-Sami

--
Sami Vaarala
Senior System Architect
Netseal


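To play the three questions above out against the heuristic quoted in the reply ("allow the first outbound IPsec packet and inhibit new outbound IPsec connections until the first host receives a reply"), here is an added model of that heuristic. It is a constructed example written for this page, not code from the thread, from Netseal, or from any real NAT product. The addresses, SPI values and the assumption that the NAT never times out the pending host are all invented for illustration; the quoted description mentions no timeout, so none is modelled.

```python
"""Model of the 'let one host out, hold the rest until its reply arrives'
NAT heuristic quoted in the thread, played against the three cases asked
about: no reply, late reply, and a spoofed packet with a bogus SPI.
Constructed example; addresses and SPIs are invented."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Esp:
    """Only the ESP fields the heuristic can see (no decryption, no keys)."""
    src: str
    dst: str
    spi: int   # an SPI is chosen by the *receiver* of the packet, so an
               # outbound packet's SPI tells the NAT nothing about the
               # SPI the reply will carry


@dataclass
class Nat:
    public_ip: str = "203.0.113.1"                     # assumed NAT address
    spi_map: Dict[int, str] = field(default_factory=dict)   # inbound SPI -> host
    established: Set[str] = field(default_factory=set)      # hosts with a learnt SPI
    pending: Optional[str] = None   # host let out, reply not yet seen (gate closed)
    log: List[str] = field(default_factory=list)

    def outbound(self, pkt: Esp) -> bool:
        """True if the packet is forwarded, False if the NAT inhibits it."""
        if pkt.src in self.established or self.pending == pkt.src:
            self.log.append(f"out {pkt.src} spi={pkt.spi:#x} forwarded")
            return True
        if self.pending is None:
            self.pending = pkt.src           # first host through; gate now closed
            self.log.append(f"out {pkt.src} spi={pkt.spi:#x} forwarded, gate closed")
            return True
        self.log.append(f"out {pkt.src} spi={pkt.spi:#x} DROPPED (gate closed)")
        return False

    def inbound(self, pkt: Esp) -> Optional[str]:
        """Inside host the packet is delivered to, or None if dropped."""
        if pkt.spi in self.spi_map:
            host = self.spi_map[pkt.spi]
            self.log.append(f"in spi={pkt.spi:#x} -> {host}")
            return host
        if self.pending is not None:
            # First unknown SPI after a host was let out: assume it is
            # that host's reply, bind it, and reopen the gate.  The NAT
            # has no way to verify this; that is the whole weakness.
            host = self.pending
            self.spi_map[pkt.spi] = host
            self.established.add(host)
            self.pending = None
            self.log.append(f"in spi={pkt.spi:#x} learnt -> {host}, gate opened")
            return host
        self.log.append(f"in spi={pkt.spi:#x} DROPPED (unknown SPI, nobody pending)")
        return None


A, B, PEER = "10.0.0.2", "10.0.0.3", "198.51.100.9"   # invented addresses
SPI_A_OUT, SPI_B_OUT = 0x1111, 0x2222   # chosen by PEER for A's and B's outbound SAs
SPI_A_IN, SPI_BOGUS = 0xAAAA, 0x0BAD    # A's real inbound SPI; attacker's guess


def scenario_unidirectional() -> dict:
    """Case 1: A only ever sends, so B is held back indefinitely."""
    nat = Nat()
    a = [nat.outbound(Esp(A, PEER, SPI_A_OUT)) for _ in range(3)]
    b = [nat.outbound(Esp(B, PEER, SPI_B_OUT)) for _ in range(3)]
    return {"a_forwarded": sum(a), "b_forwarded": sum(b), "log": nat.log}


def scenario_slow_reply(ticks_before_reply: int) -> dict:
    """Case 2: B is dropped once per tick until A's reply finally shows up."""
    nat = Nat()
    nat.outbound(Esp(A, PEER, SPI_A_OUT))
    b_dropped = sum(not nat.outbound(Esp(B, PEER, SPI_B_OUT))
                    for _ in range(ticks_before_reply))
    nat.inbound(Esp(PEER, nat.public_ip, SPI_A_IN))       # A's reply, at last
    return {"b_dropped_while_waiting": b_dropped,
            "b_forwarded_after_reply": nat.outbound(Esp(B, PEER, SPI_B_OUT)),
            "log": nat.log}


def scenario_spoofed_spi() -> dict:
    """Case 3: a packet with PEER's address but a bogus SPI beats the reply."""
    nat = Nat()
    nat.outbound(Esp(A, PEER, SPI_A_OUT))
    bogus_to = nat.inbound(Esp(PEER, nat.public_ip, SPI_BOGUS))  # spoofed src
    nat.outbound(Esp(B, PEER, SPI_B_OUT))          # gate is open again, B goes out
    real_to = nat.inbound(Esp(PEER, nat.public_ip, SPI_A_IN))    # A's real reply
    return {"bogus_delivered_to": bogus_to, "real_reply_delivered_to": real_to,
            "spi_map": dict(nat.spi_map), "log": nat.log}


if __name__ == "__main__":
    for name, result in (("unidirectional", scenario_unidirectional()),
                         ("slow reply", scenario_slow_reply(5)),
                         ("spoofed SPI", scenario_spoofed_spi())):
        print(f"--- {name}")
        print("\n".join(result["log"]))
```

In the third scenario the bogus SPI gets bound to A and the gate reopens, so when A's genuine reply arrives the NAT has a different host pending and binds A's SPI to B. B cannot authenticate or decrypt that traffic, so the effect is not disclosure but a denial of service against A, and one spoofed packet from outside is enough to cause it. The first two scenarios show that the same gate also holds every other host back for as long as the first host's reply is absent.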