
Re: IPSec Passthrough



On Wed, 2003-04-30 at 20:37, Mark Siler wrote:
> I'm curious on how IPSec passthrough works.  I know AH prevents a
> traditional NAT from occurring, but how do the SOHO routers (Linksys,
> D-Link, Ascend, etc) accomplish the IPSec passthrough?

These devices track the IPsec connections by looking at the SPI in
IKE/ESP headers.

When they first see the IKE packets from the client behind the NAT, they
note down the SPI value and the client address, and then masquerade the
packet as usual with their own IP.

When they see the packets from the remote IPsec peer, they look up the SPI
in the table and replace the destination with the client's IP.

This mechanism works only with ESP and not with AH which is fine as most
of the road warriors connect to IPsec gateways.

You can get more details about this in sections 9.0 to 9.3 of
draft-ietf-ipsec-ikev2-tutorial-01.txt.

>  Do they
> encapsulate the entire IPSec packet from the client?
No

>  I keep reading
> about a Transparent Mode and Tunnel Mode,
For NAT-T unaware IPsec peers, the above mentioned mechanism is not
visible and hence called transparent. Further, this works only when the
client behind the NAT is a road warrior.


vinay
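The SPI-keyed lookup described in the reply above, as an added example that is not part of the original message or any vendor's firmware: a small Python model of the NAT's translation table, fed constructed ESP packets from two clients behind it. The addresses, SPIs and the `PassthroughNat` class are invented for the illustration. Because each direction's ESP SPI is chosen by the receiving end, the model binds a client to the SPI it sees in the first reply from a gateway that client has just contacted; it also shows AH being refused and an unsolicited SPI being dropped. Only the IP and ESP headers are touched, and IKE port translation is not modelled.

```python
"""Toy model of the SPI-keyed 'IPsec passthrough' described in the reply.
Added illustration for this page, not any router vendor's code.  Packets are
constructed IPv4 without options; addresses and SPIs are made up.  Only the
IP header and the 8-byte ESP header are read; the ciphertext is opaque."""
import socket
import struct

ESP, AH = 50, 51

def ip_checksum(hdr: bytes) -> int:
    """One's-complement IPv4 header checksum; 0 when the header's own field is valid."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def build_esp(spi, seq, ciphertext):
    """ESP header: SPI (4 bytes) and sequence number (4 bytes), then ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext

def parse(pkt):
    """(src, dst, proto, payload) of an IPv4 packet without options."""
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[20:]

def rewrite(pkt, src=None, dst=None):
    """Copy of pkt with an address replaced and the IP checksum recomputed."""
    hdr = bytearray(pkt[:20])
    if src:
        hdr[12:16] = socket.inet_aton(src)
    if dst:
        hdr[16:20] = socket.inet_aton(dst)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[20:]

class PassthroughNat:
    """Tracks ESP by SPI instead of by ports.  IKE (UDP/500) would go through
    ordinary port-based masquerading, which is left out of this model."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.spi_to_client = {}  # SPI on packets *from* the peer -> inside client
        self.pending = {}        # peer -> client waiting for its first reply SPI

    def outbound(self, pkt):
        src, dst, proto, _ = parse(pkt)
        if proto == AH:
            return None  # AH authenticates the IP header; rewriting it breaks the MAC
        if proto == ESP:
            # Each direction's SPI is picked by the receiver, so the SPI the peer
            # will use towards this client is first seen in the peer's reply.
            # Remember who is talking to the peer so that reply can be bound.
            # One pending client per peer is a real limitation: two clients
            # racing the same gateway will be confused.
            self.pending[dst] = src
        return rewrite(pkt, src=self.public_ip)

    def inbound(self, pkt):
        src, _, proto, payload = parse(pkt)
        if proto != ESP:
            return None  # AH cannot be translated; other protocols not modelled
        spi = struct.unpack("!I", payload[:4])[0]
        client = self.spi_to_client.get(spi)
        if client is None:                  # first packet of a new inbound SA
            client = self.pending.pop(src, None)
            if client is None:
                return None                 # unsolicited ESP: drop it
            self.spi_to_client[spi] = client
        return rewrite(pkt, dst=client)

def simulate():
    """Two road warriors behind one NAT reaching the same IPsec gateway."""
    pub, gw, a, b = "203.0.113.5", "198.51.100.1", "192.168.1.10", "192.168.1.11"
    nat = PassthroughNat(pub)

    def esp(s, d, spi, seq):
        return build_ipv4(s, d, ESP, build_esp(spi, seq, b"\xaa" * 16))

    r = {}
    # Outbound SPIs 0x1000000x were assigned by the gateway; inbound ones by each client.
    r["src_after_nat"] = parse(nat.outbound(esp(a, gw, 0x10000001, 1)))[0]
    r["esp_a"] = parse(nat.inbound(esp(gw, pub, 0xA0000001, 1)))[1]
    nat.outbound(esp(b, gw, 0x10000002, 1))
    r["esp_b"] = parse(nat.inbound(esp(gw, pub, 0xB0000001, 1)))[1]
    # Later packets are routed by SPI alone, whoever spoke to the gateway last.
    again = nat.inbound(esp(gw, pub, 0xA0000001, 2))
    r["esp_a_again"] = parse(again)[1]
    r["checksum_ok"] = ip_checksum(again[:20]) == 0
    r["ah_dropped"] = nat.inbound(build_ipv4(gw, pub, AH, b"\x00" * 24)) is None
    r["unknown_spi_dropped"] = nat.inbound(esp(gw, pub, 0xDEAD, 1)) is None
    return r
```

Running `simulate()` shows the second client's reply reaching the second client even though the first client's SA is still live, and a later packet for the first SPI still going to the first client. The `pending` table is the weak point: if two clients send their first ESP packet to the same gateway before either reply arrives, the NAT cannot tell which reply belongs to whom, which is the classic failure mode of this scheme and one reason UDP-encapsulated ESP (NAT-T), which gives the NAT a port to key on, replaced it.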