
Re: [Ipsec] RFC 3715 / IPsec NAT Compatibility



Kevin Li wrote:

> Hi,
> 
> Does IKEv2 have a similar limitation?
> I.e. IP address shouldn't be used as the identifier when there is NAT.

The problem is you won't always know there's a NAT between you and the peer.

> BTW, why such a limitation while IKE has the authentication in place?

IKE ties some authentication material to an identity.  In some cases, the 
identity can be an IP address.  The problem occurs when the address changes 
unexpectedly (as is the case when NAT is involved).

-g

> Thanks.
> 
> Kevin Li
> 
> ================== Quote from RFC3715/page 4/(c)
> 
>   c) Incompatibility between IKE address identifiers and NAT.  Where IP
>      addresses are used as identifiers in Internet Key Exchange
>      Protocol (IKE) Phase 1 [RFC2409] or Phase 2, modification of the
>      IP source or destination addresses by NATs or reverse NATs will
>      result in a mismatch between the identifiers and the addresses in
>      the IP header.  As described in [RFC2409], IKE implementations are
>      required to discard such packets.
>      ...
> 
> Bob Arthurs wrote:
> 
>> Hi Folks,
>>
>> Quick question about RFC 3715 - on page 4 (c) the RFC mentions 
>> incompatibility between IKE address identifiers and NAT.
>>
>> Would I be right in saying that this incompatibility occurs only in 
>> transport mode when using IP addresses as phase 1 identifiers, and 
>> when the source address of ISAKMP packets is checked against the 
>> traffic selectors carried as identifiers in phase 2 ?? Or have I 
>> completely missed the point :)
>>
>> Many thanks in advance.

_______________________________________________
Ipsec mailing list
Ipsec@ietf.org
https://www1.ietf.org/mailman/listinfo/ipsec
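Added example, not part of the thread above and not code from any IKE implementation: a small Python model of the two points the reply makes. First, the RFC 3715 item (c) check itself: when the Phase 1 identifier is ID_IPV4_ADDR, the responder compares it with the source address in the IP header, so a NAT that rewrites the outer address makes the comparison fail and the packet is discarded, while a non-address identifier such as ID_FQDN is not tied to the header at all. Second, going one step beyond the thread, how a peer can learn that a NAT is present even though it cannot see it directly: the NAT-D hash of RFC 3947 (HASH over CKY-I, CKY-R, IP address and port), which the responder recomputes over the address and port it actually observed. The ID type values come from RFC 2407; the cookies, addresses and ports are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Identification types from the IPsec DOI (RFC 2407, section 4.6.2.1)
ID_IPV4_ADDR = 1
ID_FQDN = 2


def build_id_payload(id_type: int, value: str) -> bytes:
    """Encode the body of an ISAKMP Identification payload:
    ID type (1 byte), protocol id (1 byte), port (2 bytes), identification data."""
    if id_type == ID_IPV4_ADDR:
        data = ipaddress.IPv4Address(value).packed
    elif id_type == ID_FQDN:
        data = value.encode("ascii")
    else:
        raise ValueError("unsupported ID type in this example")
    return struct.pack("!BBH", id_type, 0, 0) + data


def parse_id_payload(body: bytes):
    """Decode the body produced by build_id_payload back into (type, value)."""
    id_type, _proto, _port = struct.unpack("!BBH", body[:4])
    data = body[4:]
    if id_type == ID_IPV4_ADDR:
        return id_type, str(ipaddress.IPv4Address(data))
    return id_type, data.decode("ascii")


def id_consistent_with_source(id_body: bytes, observed_src: str) -> bool:
    """The check RFC 3715 item (c) describes: an address identifier must equal the
    source address seen in the IP header, otherwise the packet is discarded.
    Identifiers that are not addresses (FQDN, DN, key id) are not tied to the header."""
    id_type, value = parse_id_payload(id_body)
    if id_type == ID_IPV4_ADDR:
        return value == observed_src
    return True


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Content of a NAT-D payload as defined in RFC 3947:
    HASH(CKY-I | CKY-R | IP | Port), with HASH being the negotiated hash (SHA-1 here)."""
    return hashlib.sha1(
        cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    ).digest()


def nat_present(cky_i: bytes, cky_r: bytes, peer_natd: bytes,
                observed_ip: str, observed_port: int) -> bool:
    """Responder side: recompute the peer's hash over the address and port actually
    seen on the wire; a mismatch means something rewrote the packet in transit."""
    return natd_hash(cky_i, cky_r, observed_ip, observed_port) != peer_natd


def simulate(id_type: int, id_value: str) -> dict:
    """Constructed scenario: the initiator sits at 10.0.0.5:500 behind a NAT that
    rewrites its source to 203.0.113.7:500; the responder only sees the latter."""
    inside_ip, inside_port = "10.0.0.5", 500        # constructed, initiator's own view
    outside_ip, outside_port = "203.0.113.7", 500   # constructed, what the NAT emits
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8          # constructed ISAKMP cookies

    id_body = build_id_payload(id_type, id_value)
    # The initiator hashes the address it believes it has.
    natd_from_initiator = natd_hash(cky_i, cky_r, inside_ip, inside_port)

    return {
        "id_accepted": id_consistent_with_source(id_body, outside_ip),
        "nat_detected": nat_present(cky_i, cky_r, natd_from_initiator,
                                    outside_ip, outside_port),
    }


if __name__ == "__main__":
    print("ID_IPV4_ADDR behind NAT:", simulate(ID_IPV4_ADDR, "10.0.0.5"))
    print("ID_FQDN behind NAT:    ", simulate(ID_FQDN, "host.example.com"))
```

With an address identifier the responder rejects the exchange even though the initiator's authentication material is fine, which is exactly the mismatch the RFC text quoted in the thread describes; with an FQDN identifier the same NAT is harmless to Phase 1, and the NAT-D comparison tells both sides that a NAT is in the path so they can switch to UDP encapsulation.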