
IDci and IDcr payloads with NAT Traversal



David Wierbowski writes:
> I have a question about the ID payloads exchanged in Quick Mode
> when NAT Traversal is being utilized in the following scenario:
> 
> HOST A ----> GW ----> GW's NAT ----> B's NAT ----> HOST B
> 10.1.1.123   10.1.1.1                              10.2.2.2
> 
> 
> Where:
> - The private address for HOST A is 10.1.1.123
> - The private address for GW is 10.1.1.1
> - GW's NAT translates 10.1.1.1 to x.x.x.x
> 
> - The private address for HOST B is 10.2.2.2
> - B's NAT translates 10.2.2.2 to y.y.y.y
> 
> - GW is trying to create a phase 2 SA with HOST B
>   to protect traffic between HOST A and HOST B
> 
> My questions are:
> - is this a valid scenario?

Yes, but the discovery of y.y.y.y or x.x.x.x is outside the scope of
NAT-T. Let's assume that y.y.y.y is static, known and configured on
the GW (if the GW is the initiator, as it seems to be in your case).

> - if it is, then what IP addresses should be utilized in IDci and IDcr?

The GW can use IDci = 10.1.1.123 and IDcr = 10.2.2.2, and it needs to
know 10.2.2.2 from its configuration. I.e., the GW's configuration
would be:

	src = 10.1.1.123, dst = 10.2.2.2,
		enable Tunnel mode NAT-T to address y.y.y.y.

If there were overlaps (i.e. host B also had the IP address
10.1.1.123), then the GW would need to do some kind of NAT for the
packets from host B that it sends to host A.
-- 
kivinen@safenet-inc.com
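The configuration sketched in the reply, worked through as an added example (this is not code from the original message or from any IKE implementation): it encodes the Quick Mode IDci/IDcr Identification payloads for the thread's private addresses, keeps the NAT-T tunnel endpoint as a separately configured value, and flags the selector overlap the reply warns about. The payload layout and ID type numbers follow RFC 2407 (ID_IPV4_ADDR = 1, ID_IPV4_ADDR_SUBNET = 4); the function names are this example's own, and the public address standing in for y.y.y.y is a constructed TEST-NET-1 placeholder.

```python
"""Added example: Quick Mode ID payloads and selectors for a NAT-T gateway.

Not taken from the original list message or any IKE implementation. Assumes
the ISAKMP Identification payload layout of RFC 2407; addresses are the
thread's sample values, and y.y.y.y is represented by a constructed placeholder.
"""
import ipaddress
import struct

# ISAKMP Identification payload ID types (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_IPV4_ADDR_SUBNET = 4
NAT_T_UDP_PORT = 4500  # UDP port used for NAT-T encapsulated IKE/ESP

# Constructed sample values taken from the thread; 192.0.2.1 stands in for y.y.y.y.
HOST_A = "10.1.1.123"        # private address behind the GW
HOST_B = "10.2.2.2"          # private address behind B's NAT
B_NAT_PUBLIC = "192.0.2.1"   # placeholder for y.y.y.y (TEST-NET-1, constructed)


def encode_id_payload(selector, next_payload=0, proto=0, port=0):
    """Build an ISAKMP Identification payload for an IPv4 host or subnet selector."""
    net = ipaddress.ip_network(selector, strict=False)
    if net.version != 4:
        raise ValueError("this example encodes IPv4 selectors only")
    if net.prefixlen == 32:
        id_type, data = ID_IPV4_ADDR, net.network_address.packed
    else:
        id_type, data = ID_IPV4_ADDR_SUBNET, net.network_address.packed + net.netmask.packed
    # Generic payload header (Next Payload, RESERVED, Payload Length) followed by
    # ID Type, Protocol ID, Port and then the Identification Data.
    header = struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), id_type, proto, port)
    return header + data


def decode_id_payload(raw):
    """Parse an Identification payload back into (selector network, protocol, port)."""
    if len(raw) < 8:
        raise ValueError("truncated Identification payload")
    _next, _reserved, length, id_type, proto, port = struct.unpack("!BBHBBH", raw[:8])
    if length != len(raw):
        raise ValueError("payload length field does not match the data present")
    data = raw[8:]
    if id_type == ID_IPV4_ADDR and len(data) == 4:
        net = ipaddress.ip_network(str(ipaddress.IPv4Address(data)) + "/32")
    elif id_type == ID_IPV4_ADDR_SUBNET and len(data) == 8:
        net = ipaddress.ip_network(
            f"{ipaddress.IPv4Address(data[:4])}/{ipaddress.IPv4Address(data[4:])}")
    else:
        raise ValueError(f"unsupported ID type {id_type} or bad data length")
    return net, proto, port


def quick_mode_plan(local_selector, remote_selector, nat_t_peer):
    """GW-side view of the phase 2 SA: what goes into IDci/IDcr versus the outer packet."""
    local = ipaddress.ip_network(local_selector, strict=False)
    remote = ipaddress.ip_network(remote_selector, strict=False)
    return {
        "IDci": encode_id_payload(local_selector),    # initiator's protected address
        "IDcr": encode_id_payload(remote_selector),   # responder's protected address
        # The outer UDP-encapsulated packet goes to the NAT's public address, which
        # is not derived from the ID payloads but comes from configuration.
        "tunnel_peer": (nat_t_peer, NAT_T_UDP_PORT),
        # Overlapping selectors are the case the reply warns about: the GW would
        # have to translate host B's address before forwarding its packets to host A.
        "needs_overlap_nat": local.overlaps(remote),
    }


if __name__ == "__main__":
    plan = quick_mode_plan(HOST_A, HOST_B, B_NAT_PUBLIC)
    print("IDci:", plan["IDci"].hex(), "->", decode_id_payload(plan["IDci"])[0])
    print("IDcr:", plan["IDcr"].hex(), "->", decode_id_payload(plan["IDcr"])[0])
    print("tunnel peer:", plan["tunnel_peer"], "overlap NAT needed:", plan["needs_overlap_nat"])
```

The point the encoding makes visible is that the ID payloads carry the private selectors (10.1.1.123 and 10.2.2.2) untouched by either NAT, while y.y.y.y only appears as the destination of the outer UDP/4500 packet; the overlap flag is the condition under which the GW would additionally have to translate host B's address.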