
Re: [Ipsec] VID for nat traversal



At 09:53 28.04.2004 +0200, Mathieu Lafon wrote:
>Openswan (and other FreeS/WAN forks) support the following VIDs:
>
>md5("draft-ietf-ipsec-nat-t-ike-00")
>md5("draft-ietf-ipsec-nat-t-ike-01")
>         no port floating
>         NAT-D 130, NAT-OA 131, UDP-Tunnel 61443, UDP-Transport 61443
>
>md5("draft-ietf-ipsec-nat-t-ike-02")
>md5("draft-ietf-ipsec-nat-t-ike-02\n") [1]
>md5("draft-ietf-ipsec-nat-t-ike-03")
>         port floating (udp/4500)
>         NAT-D 130, NAT-OA 131, UDP-Tunnel 61443, UDP-Transport 61443
>
>The code for the following drafts (NAT-D 15, NAT-OA 16, UDP-Tunnel 3,
>UDP-Transport 4) is in the code but not enabled by default because
>we have no official VID to negotiate it.
>
>I use md5("Testing NAT-T RFC") to test it but it's not sent during
>negotiation.
>
>[1]: http://www.sandelman.ottawa.on.ca/ipsec/2002/04/msg00233.html
>
>--
>Mathieu Lafon - Arkoon Network Security

I have changed the implementation of F-Secure VPN+ 5.60 to match the
system above. Tero had a very good point when he said that drafts 4 to 8
can't be used at all outside a lab, as the payload IDs are wrong.

Also, as a warning or implementation note, VPN+ does not support floating
the port to 4500. A negotiation must start on 4500. That's not a problem
for our client, as this is an allowed behaviour, but if anybody tries to
use a client which connects to port 500 first, we only answer VID 00, not
02 or 03. (Genius, isn't it?)

Jörn
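As an added example, not code from either implementation discussed in the thread: a Python table of the draft VIDs listed above (the VID payload body is the raw 16-byte MD5 of the draft name, so the draft-02 string with and without the trailing "\n" yields two different VIDs), a matcher for a received VID payload, and a chooser that picks the newest draft both sides know. The `NatTProfile` field names and the `include_test` switch are my own naming; the numbers come from the thread.

```python
import hashlib
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class NatTProfile(NamedTuple):
    draft: str
    port_float: bool    # peer moves IKE/ESP to udp/4500 once a NAT is detected
    nat_d: int          # NAT-D payload type number
    nat_oa: int         # NAT-OA payload type number
    udp_tunnel: int     # UDP-Encapsulated-Tunnel encapsulation mode number
    udp_transport: int  # UDP-Encapsulated-Transport encapsulation mode number


# VID strings and the numbers each implies, as listed in the thread.
# Later entries are newer and preferred. Note the draft-02 variant whose
# hashed string carries a trailing newline.
DRAFT_VIDS: List[Tuple[str, NatTProfile]] = [
    ("draft-ietf-ipsec-nat-t-ike-00", NatTProfile("00", False, 130, 131, 61443, 61443)),
    ("draft-ietf-ipsec-nat-t-ike-01", NatTProfile("01", False, 130, 131, 61443, 61443)),
    ("draft-ietf-ipsec-nat-t-ike-02", NatTProfile("02", True, 130, 131, 61443, 61443)),
    ("draft-ietf-ipsec-nat-t-ike-02\n", NatTProfile("02n", True, 130, 131, 61443, 61443)),
    ("draft-ietf-ipsec-nat-t-ike-03", NatTProfile("03", True, 130, 131, 61443, 61443)),
]
# Local-test VID from the thread: final payload numbers, not sent on the wire.
TEST_VID: Tuple[str, NatTProfile] = ("Testing NAT-T RFC", NatTProfile("test", True, 15, 16, 3, 4))


def vid_bytes(s: str) -> bytes:
    """NAT-T VID payload body: raw MD5 digest of the draft name, 16 bytes."""
    return hashlib.md5(s.encode("ascii")).digest()


def build_table(include_test: bool = False) -> Dict[bytes, NatTProfile]:
    """Map VID payload bytes to profile; the test VID only when explicitly enabled."""
    entries = DRAFT_VIDS + ([TEST_VID] if include_test else [])
    return {vid_bytes(s): p for s, p in entries}


def identify_vid(payload: bytes, table: Optional[Dict[bytes, NatTProfile]] = None) -> Optional[NatTProfile]:
    """Exact 16-byte match only; any other length or unknown value is 'not NAT-T'."""
    table = table if table is not None else build_table()
    return table.get(payload) if len(payload) == 16 else None


def choose_nat_t(peer_vids: Iterable[bytes], table: Optional[Dict[bytes, NatTProfile]] = None) -> Optional[NatTProfile]:
    """Pick the newest draft the peer advertised that we also understand."""
    table = table if table is not None else build_table()
    rank = {p: i for i, p in enumerate(table.values())}  # insertion order = preference
    known = [table[v] for v in peer_vids if v in table]
    return max(known, key=lambda p: rank[p], default=None)
```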


_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec