Re: Another NAT Traversal question
At 12:07 19.03.2003 +0530, you wrote:
>IKEv2 is being defined fresh. Why can't we use port 500 for the purpose of
>NAT Traversal? If we make this packet also contain the first four bytes
>after the UDP header as 0s in the case of an IKE packet, then there is no
>need for port 4500.
>
>Regards,
>Ravi
Well. Routers doing NAT reassign ports. In goes src/dst 53/53, out goes
src/dst 1025/53 or something. On the return packets, the port numbers are
changed back. You know that.
The problem is that over 50% of all routers DO NOT DO THAT if the port is 500:
they keep the 500/500 mapping. Many small vendors do that. But even the
current (February) Cisco IOS does that. And there is no way to switch it
off.
If you run IKE through a NAT box, the IKE client software can't use
port 500. Using a random port >1023 works fine. But then the client
can't be a responder anymore....
Port 500 is spoiled, sorry, and it has to go.
Jörn
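The two NAT behaviours contrasted in the reply above, as an added simulation (this is not code from the thread or from any vendor). It models a simplified per-destination NAT table (an assumption) with two variants: a normal NAT that hands every new flow a fresh external port above 1023, and one that refuses to remap port 500 and so keeps the 500/500 mapping. The scenario functions then show the consequences the mail describes: a second IKE client behind the same port-preserving NAT has nowhere to go, and a client that moves to a random source port can no longer be reached as a responder on port 500. All addresses are constructed from documentation prefixes.

```python
"""NAT port-mapping simulation (added example, not from the original mail).

Assumption: a NAT keeps one mapping per (internal host, internal port,
remote ip, remote port) and rewrites only the source port on the way out.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IKE_PORT = 500
GATEWAY = "203.0.113.1"   # constructed: remote IKE gateway
NAT_IP = "198.51.100.7"   # constructed: the NAT's public address


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class MappingConflict(Exception):
    """The NAT cannot create a mapping without clobbering an existing one."""


class Nat:
    def __init__(self, external_ip: str, preserved_ports: Tuple[int, ...] = ()):
        self.external_ip = external_ip
        self.preserved_ports = set(preserved_ports)  # ports this NAT never remaps
        self.next_port = 1024                        # next free external port
        # (int_ip, int_port, remote_ip, remote_port) -> external port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (external port, remote_ip, remote_port) -> (int_ip, int_port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite an internal->external packet, creating a mapping if needed."""
        out_key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.outbound.get(out_key)
        if ext_port is None:
            if pkt.src_port in self.preserved_ports:
                ext_port = pkt.src_port            # keep 500/500 as-is
            else:
                ext_port = self.next_port          # normal case: fresh port
                self.next_port += 1
            in_key = (ext_port, pkt.dst_ip, pkt.dst_port)
            if in_key in self.inbound:
                # Another internal host already owns this external port towards
                # the same peer; a preserved port cannot be shared.
                raise MappingConflict(
                    f"external port {ext_port} towards {pkt.dst_ip}:{pkt.dst_port} in use")
            self.outbound[out_key] = ext_port
            self.inbound[in_key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite an external->internal packet; None means no mapping, dropped."""
        target = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            return None
        int_ip, int_port = target
        return Packet(pkt.src_ip, pkt.src_port, int_ip, int_port)


def external_ports_for_two_ike_clients(preserve_500: bool):
    """Two hosts behind one NAT each start IKE from source port 500.

    Returns the two external source ports, or 'conflict' for the second host
    when the NAT cannot give it a mapping of its own.
    """
    nat = Nat(NAT_IP, (IKE_PORT,) if preserve_500 else ())
    first = nat.translate_out(Packet("10.0.0.2", IKE_PORT, GATEWAY, IKE_PORT))
    try:
        second = nat.translate_out(Packet("10.0.0.3", IKE_PORT, GATEWAY, IKE_PORT))
    except MappingConflict:
        return (first.src_port, "conflict")
    return (first.src_port, second.src_port)


def gateway_can_initiate_to_client(client_src_port: int, preserve_500: bool) -> bool:
    """The client opens a mapping from client_src_port; later the gateway wants
    to start a new exchange and sends to NAT_IP:500, the only port it knows.
    Returns True if that packet reaches the client (i.e. the client can respond)."""
    nat = Nat(NAT_IP, (IKE_PORT,) if preserve_500 else ())
    nat.translate_out(Packet("10.0.0.2", client_src_port, GATEWAY, IKE_PORT))
    gateway_initiated = Packet(GATEWAY, IKE_PORT, NAT_IP, IKE_PORT)
    return nat.translate_in(gateway_initiated) is not None


if __name__ == "__main__":
    print("remapping NAT, two clients on 500:", external_ports_for_two_ike_clients(False))
    print("port-preserving NAT, two clients on 500:", external_ports_for_two_ike_clients(True))
    print("client on 500 behind preserving NAT reachable:", gateway_can_initiate_to_client(500, True))
    print("client on random port reachable on 500:", gateway_can_initiate_to_client(40000, True))
```

Running it shows the trade-off the mail ends on: the port-preserving NAT lets exactly one client keep its 500/500 mapping and be reached by the gateway, but a second client on 500 collides; moving to a random source port removes the collision and loses reachability on 500.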