
Re: Another NAT Traversal question



At 12:07 19.03.2003 +0530, you wrote:
>IKEv2 is being defined fresh. Why can't we use port 500 for the purpose of
>NAT Traversal. If we make this packet also containing first four bytes after
>UDP header as 0s in case of IKE packet, then there is no need for port 4500
>
>Regards,
>Ravi

Well. Routers doing NAT reassign ports. In goes src/dst 53/53, out goes
src/dst 1025/53 or something. On the return packets, the port numbers are
changed back. You know that.

The problem is that over 50% of all routers DO NOT DO THAT if the port is 500:
they keep the 500/500 mapping. Many small vendors do that. But even the
current (February) Cisco IOS does that. And there is no way to switch it
off.

If you run IKE through a NAT box, the IKE client software can't use
port 500. Using a random port >1023 works fine. But then the client
can't be responder anymore....

The port 500 is spoiled, sorry, and it has to go.

Jörn
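The two NAT behaviours the message contrasts, modelled as an added illustration that is not code from the post, the list, or any router vendor: a port-rewriting NAT that hands every new flow a fresh external port (the "53/53 in, 1025/53 out" case) and a port-preserving NAT that keeps the 500/500 mapping. The model assumes a strictly port-preserving NAT with no fallback, which is a simplifying assumption (real devices vary); all addresses and port numbers are constructed sample values. It shows one consequence of port preservation: two clients behind the same box cannot both speak from port 500, while ports above 1023 map without conflict, and that an unsolicited packet to the outside port 500 has no mapping to follow, which is why such a client cannot act as responder.

```python
"""Toy model of how a NAT box handles UDP source ports (added illustration,
not code from the post or any vendor).

Two behaviours are modelled:
  - a port-rewriting NAT that gives every new flow a fresh external port
    ("in goes 53/53, out goes 1025/53"), and
  - a port-preserving NAT that keeps the internal source port outside
    ("keep the 500/500 mapping"); assumed strict, with no fallback.

All addresses and ports are constructed sample values.
"""
from dataclasses import dataclass, field

IKE_PORT = 500


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Nat:
    external_ip: str
    preserve_ports: bool
    next_port: int = 1025  # first port a rewriting NAT hands out
    # internal flow -> external source port
    table: dict = field(default_factory=dict)
    # external source port -> (internal ip, internal port), for return traffic
    reverse: dict = field(default_factory=dict)

    def outbound(self, flow: Flow) -> Flow:
        """Translate an outgoing packet; return the flow as the outside sees it.

        A strictly port-preserving NAT raises when the internal port is already
        owned by a different host: it has no way to map a second 500/500 flow.
        """
        if flow not in self.table:
            if self.preserve_ports:
                owner = self.reverse.get(flow.src_port)
                if owner is not None and owner != (flow.src_ip, flow.src_port):
                    raise RuntimeError(
                        f"port {flow.src_port} already mapped to {owner[0]}")
                ext_port = flow.src_port
            else:
                ext_port = self.next_port
                self.next_port += 1
            self.table[flow] = ext_port
            self.reverse[ext_port] = (flow.src_ip, flow.src_port)
        return Flow(self.external_ip, self.table[flow], flow.dst_ip, flow.dst_port)

    def inbound(self, ext_dst_port: int):
        """Map a packet arriving from outside back to the internal host, or
        None when no inside host has opened that port (the packet is dropped)."""
        return self.reverse.get(ext_dst_port)


def two_clients_on_port(nat: Nat, port: int):
    """Two hosts behind one NAT both talk to the same gateway from `port`.

    Returns the external source ports the gateway sees, or 'collision' when
    the NAT cannot map the second host.
    """
    gw = "203.0.113.1"
    seen = []
    for host in ("192.168.1.10", "192.168.1.11"):
        try:
            seen.append(nat.outbound(Flow(host, port, gw, IKE_PORT)).src_port)
        except RuntimeError:
            return "collision"
    return seen


def demo():
    # Rewriting NAT: both hosts may use 500 because the NAT renumbers them.
    rewriting = two_clients_on_port(Nat("198.51.100.7", False), IKE_PORT)
    # Port-preserving NAT: the second host on 500 cannot be mapped.
    preserving = two_clients_on_port(Nat("198.51.100.7", True), IKE_PORT)
    # Same NAT, each client picks its own port above 1023: no conflict.
    nat = Nat("198.51.100.7", True)
    high = [
        nat.outbound(Flow("192.168.1.10", 40001, "203.0.113.1", IKE_PORT)).src_port,
        nat.outbound(Flow("192.168.1.11", 40002, "203.0.113.1", IKE_PORT)).src_port,
    ]
    # The gateway only reaches a client through a mapping the client opened
    # first: an unsolicited packet to external port 500 finds none.
    unsolicited = nat.inbound(IKE_PORT)
    return {"rewriting": rewriting, "preserving": preserving,
            "high_ports": high, "unsolicited_to_500": unsolicited}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns the rewriting case as `[1025, 1026]`, the preserving case as `'collision'`, the high-port case as `[40001, 40002]`, and `None` for the unsolicited packet.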