Re: Initial Contact Message processing
On Tue, Jan 13, 2004 at 03:13:59PM -0800, vamsi wrote:
>
> Hi,
> We found one problem during interoperability testing and I thought
> I would inform the list for feedback.
>
> It seems that some implementations, while processing an IC message,
> delete all IPSEC and IKE SAs that correspond to the source IP address of
> the IC message.
>
> This works well in most scenarios, but fails to work when there
> is more than one Security Gateway or Client behind a NAT gateway.
> For instance, take this example:
This is a pretty dubious way to use IKE. That aside for the moment,
it seems to me to be only one of a number of reasons why implementations
should track the _port_ they receive the initial message of a conversation
from, not just the source IP address.
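As an added illustration (not code from this thread or from any implementation mentioned in it), a small Python model of the two deletion policies discussed above, using a constructed scenario in which two clients behind one NAT share a single public address and differ only by the NAT-assigned source port:

```python
from dataclasses import dataclass

# Constructed model: a minimal SA table keyed by the peer's UDP source
# address, used to contrast "delete everything for this source IP" with
# "delete only for this (IP, port)" when an Initial Contact message arrives.

@dataclass(frozen=True)
class Peer:
    ip: str
    port: int

# Hypothetical NAT scenario (constructed values): two clients behind one NAT
# share the public address 203.0.113.5 and are told apart only by port.
CLIENT_A = Peer("203.0.113.5", 40001)
CLIENT_B = Peer("203.0.113.5", 40002)

def build_sadb():
    # peer -> list of SA identifiers (constructed names, not real SPIs)
    return {
        CLIENT_A: ["ike-sa-a", "esp-sa-a-1"],
        CLIENT_B: ["ike-sa-b", "esp-sa-b-1"],
    }

def initial_contact_by_ip(sadb, sender):
    """Behaviour described in the original post: drop every SA whose peer
    shares the sender's source IP. Behind a NAT this also destroys the SAs
    of unrelated hosts that happen to share that public address."""
    victims = [p for p in sadb if p.ip == sender.ip]
    for p in victims:
        del sadb[p]
    return victims

def initial_contact_by_ip_and_port(sadb, sender):
    """Behaviour suggested in the reply: key on the full (IP, port) pair so
    only the SAs belonging to the peer that actually restarted are removed.
    Assumes the restarted peer still uses the same NAT binding; if the NAT
    assigned a new port, its stale SAs would need another mechanism such as
    dead-peer detection to clean up."""
    victims = [p for p in sadb if p == sender]
    for p in victims:
        del sadb[p]
    return victims

def surviving_ports(handler):
    # Client A restarts and sends Initial Contact; report who keeps their SAs.
    sadb = build_sadb()
    handler(sadb, CLIENT_A)
    return sorted(p.port for p in sadb)
```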