[IPsec] IKEv2 NAT-T and Traffic Selectors

From: Matthew Cini Sarreo <mcins1_at_nospam>
Date: Tue Sep 22 2009 - 08:15:35 GMT
To: ipsec@ietf.org

Hello all,

I have a question regarding proper choosing of traffic selectors in the situation where an initator is behind a NAT device. Let us use the following scenario: [initiator@A]--[NAT@X]----------------[responder@Y]

Say A is 192.168.2.22, X is 192.168.3.5 and Y is 192.168.4.25, and all have a 24bit mask. The initiator policy requires traffic selectors for the whole subnet. In the case that A is initiating: TSi 192.168.2.0 to 192.168.2.255
TSr 192.168.4.0 to 192.168.4.255

Y does not know about 192.168.2.* but only about 192.168.3.*. So when it receives TSi it does not match with anything it knows about. Should the responder just accept these due to NAT being previously detected, or should the initiator send selectors with address A (TSi) and Y (TSr) and due to there being NAT the responder just copy them in the reply?

Regards,
Matt

IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

This message: [ Message body ]
Next message: Tero Kivinen: "Re: [IPsec] #28: Obtaining src/dest IP addresses for UDP-encapsulated transport mode ESP"
Previous message: Matthew Cini Sarreo: "Re: [IPsec] #22 Simultaneous IKE SA rekey text"
Next in thread: Tero Kivinen: "[IPsec] IKEv2 NAT-T and Traffic Selectors"
Reply: Tero Kivinen: "[IPsec] IKEv2 NAT-T and Traffic Selectors"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]