I have a question regarding proper choosing of traffic selectors in the situation where an initiator is behind a NAT device. Let us use the following scenario: [initiator@A]--[NAT@X]----------------[responder@Y]
Say A is 192.168.2.22, X is 192.168.3.5 and Y is 192.168.4.25, and all have
a 24-bit mask. The initiator policy requires traffic selectors for the whole
subnet. In the case that A is initiating:
TSi 192.168.2.0 to 192.168.2.255
TSr 192.168.4.0 to 192.168.4.255
Y does not know about 192.168.2.* but only about 192.168.3.*. So when it receives TSi it does not match with anything it knows about. Should the responder just accept these due to NAT being previously detected, or should the initiator send selectors with address A (TSi) and Y (TSr) and due to there being NAT the responder just copy them in the reply?
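As an added illustration (not part of the post or of any reply to it), a small Python model of the responder-side narrowing that RFC 7296 describes: the responder intersects each proposed selector with its own policy and answers TS_UNACCEPTABLE when there is no overlap. The port-range handling and the split of the policy into a remote and a local side are assumptions of this model; the addresses are the ones from the post.

```python
import ipaddress

class TS:
    """One IKEv2 traffic selector (TS_IPV4_ADDR_RANGE): address range plus port range.
    The protocol-ID field is left out for brevity (a simplification of this model)."""
    def __init__(self, start, end, sport=0, eport=65535):
        self.start = int(ipaddress.IPv4Address(start))
        self.end = int(ipaddress.IPv4Address(end))
        self.sport, self.eport = sport, eport

    def __eq__(self, other):
        return (self.start, self.end, self.sport, self.eport) == \
               (other.start, other.end, other.sport, other.eport)

    def __repr__(self):
        return (f"{ipaddress.IPv4Address(self.start)}-{ipaddress.IPv4Address(self.end)}"
                f":{self.sport}-{self.eport}")

def ts_from_cidr(cidr):
    """Build a selector covering a whole subnet, e.g. '192.168.2.0/24'."""
    net = ipaddress.IPv4Network(cidr)
    return TS(int(net.network_address), int(net.broadcast_address))

def narrow(proposed, policy):
    """Intersect a proposed selector with a policy selector (RFC 7296 narrowing).
    Returns the overlapping range, or None when the two do not overlap at all."""
    start, end = max(proposed.start, policy.start), min(proposed.end, policy.end)
    sport, eport = max(proposed.sport, policy.sport), min(proposed.eport, policy.eport)
    if start > end or sport > eport:
        return None
    return TS(start, end, sport, eport)

def responder_select(tsi, tsr, policy_remote, policy_local):
    """Responder view: TSi is matched against the peer (remote) side of its policy
    entry, TSr against its own (local) side. Returns the (TSi, TSr) pair to send
    back, or the string 'TS_UNACCEPTABLE' when either side has no overlap."""
    chosen_i, chosen_r = narrow(tsi, policy_remote), narrow(tsr, policy_local)
    if chosen_i is None or chosen_r is None:
        return "TS_UNACCEPTABLE"
    return (chosen_i, chosen_r)

# Constructed scenario from the post: A proposes its whole subnet and Y's whole subnet.
TSI = ts_from_cidr("192.168.2.0/24")
TSR = ts_from_cidr("192.168.4.0/24")

# Y's policy only knows the NAT's outside subnet 192.168.3.0/24: no overlap with TSi.
NAT_VIEW = responder_select(TSI, TSR, ts_from_cidr("192.168.3.0/24"), ts_from_cidr("192.168.4.0/24"))
# Y's policy lists A's real (pre-NAT) subnet, but only half of it: TSi gets narrowed.
INNER_VIEW = responder_select(TSI, TSR, ts_from_cidr("192.168.2.0/25"), ts_from_cidr("192.168.4.0/24"))
```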