ipsec September 2009 archive

[IPsec] IKEv2 NAT-T and Traffic Selectors

From: Tero Kivinen <kivinen_at_nospam>
Date: Tue Sep 22 2009 - 12:01:59 GMT
To: Matthew Cini Sarreo <mcins1@gmail.com>


Matthew Cini Sarreo writes:
> Hello all,
>
> I have a question regarding proper choosing of traffic selectors in the
> situation where an initiator is behind a NAT device. Let us use the following
> scenario:
>
> [initiator@A]--[NAT@X]----------------[responder@Y]
>
> Say A is 192.168.2.22, X is 192.168.3.5 and Y is 192.168.4.25, and all have
> a 24-bit mask. The initiator policy requires traffic selectors for the whole
> subnet. In the case that A is initiating:
> TSi 192.168.2.0 to 192.168.2.255
> TSr 192.168.4.0 to 192.168.4.255

As these are subnets, I assume this is tunnel mode not transport mode.

> Y does not know about 192.168.2.* but only about 192.168.3.*. So when it
> receives TSi it does not match with anything it knows about. Should the
> responder just accept these due to NAT being previously detected, or should
> the initiator send selectors with address A (TSi) and Y (TSr) and due to
> there being NAT the responder just copy them in the reply?

The Y should be configured to accept 192.168.2.0/24 as this is tunnel mode and packets exiting from the tunnel will have those addresses as their source address. NAT does not change this, it only affects the gateway address, i.e. only the outer IP address of the ESP packet.

-- 
kivinen@iki.fi
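The point of the reply, worked through in code: the responder narrows the proposed TSi/TSr against its own policy (RFC 4306/5996 section 2.9) and, once the Child SA is up, checks the decapsulated inner header against the agreed selectors; the NAT only ever touched the outer ESP header. This is an added example, not code from the thread or from any IKE implementation; the class and function names (`TS`, `narrow`, `responder_choose`, `inbound_matches`) are made up for illustration, the selectors carry addresses only (no protocol or port ranges), and the addresses are the ones from the scenario above.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class TS:
    """One TS_IPV4_ADDR_RANGE selector as an inclusive address range.
    Protocol and port ranges are omitted here; they narrow the same way."""
    start: IPv4Address
    end: IPv4Address

    @classmethod
    def net(cls, cidr: str) -> "TS":
        n = IPv4Network(cidr)
        return cls(n.network_address, n.broadcast_address)

    def contains(self, addr: str) -> bool:
        return self.start <= IPv4Address(addr) <= self.end

    def intersect(self, other: "TS") -> Optional["TS"]:
        lo, hi = max(self.start, other.start), min(self.end, other.end)
        return TS(lo, hi) if lo <= hi else None


def narrow(proposed: List[TS], allowed: List[TS]) -> List[TS]:
    """Intersect each proposed selector with each selector the local policy
    allows (RFC 4306/5996 section 2.9). An empty result means the responder
    has to answer with TS_UNACCEPTABLE."""
    out: List[TS] = []
    for p in proposed:
        for a in allowed:
            r = p.intersect(a)
            if r is not None:
                out.append(r)
    return out


def responder_choose(tsi: List[TS], tsr: List[TS],
                     policy_remote: List[TS], policy_local: List[TS]
                     ) -> Optional[Tuple[List[TS], List[TS]]]:
    """Responder Y: TSi must fit the addresses the policy expects on the far
    (initiator) side of the tunnel, TSr the addresses on Y's own side."""
    ntsi, ntsr = narrow(tsi, policy_remote), narrow(tsr, policy_local)
    if not ntsi or not ntsr:
        return None          # TS_UNACCEPTABLE
    return ntsi, ntsr


def inbound_matches(outer_src: str, inner_src: str, inner_dst: str,
                    tsi: List[TS], tsr: List[TS]) -> bool:
    """After ESP decapsulation the responder checks the *inner* IP header
    against the agreed selectors. The outer source (X, the NAT's address)
    plays no part: NAT rewrote only the outer header; the inner one is
    integrity-protected by ESP and still carries A's private address."""
    del outer_src  # deliberately unused
    return (any(t.contains(inner_src) for t in tsi)
            and any(t.contains(inner_dst) for t in tsr))


# Constructed scenario with the addresses from the thread:
# A = 192.168.2.22 behind NAT X = 192.168.3.5, responder Y = 192.168.4.25.
TSI = [TS.net("192.168.2.0/24")]   # initiator proposes its whole subnet
TSR = [TS.net("192.168.4.0/24")]   # ... and Y's subnet
Y_SIDE = [TS.net("192.168.4.0/24")]

# Y configured only with the NAT-side subnet it sees on the wire: no match.
WRONG = responder_choose(TSI, TSR, [TS.net("192.168.3.0/24")], Y_SIDE)
# Y configured with A's real (inner) subnet, as the reply recommends: accepted.
RIGHT = responder_choose(TSI, TSR, [TS.net("192.168.2.0/24")], Y_SIDE)

if __name__ == "__main__":
    print("policy 192.168.3.0/24:", "TS_UNACCEPTABLE" if WRONG is None else WRONG)
    print("policy 192.168.2.0/24:", RIGHT)
    print("inner 192.168.2.22 -> 192.168.4.25 arriving from outer X accepted:",
          inbound_matches("192.168.3.5", "192.168.2.22", "192.168.4.25", *RIGHT))
```

Run as a script it shows the first policy rejected with TS_UNACCEPTABLE and the second accepted, after which a packet whose outer source is X but whose inner source is A passes the selector check. A real implementation would also carry protocol and port ranges in each selector and would match the inner packet against the SPD entry bound to the SA, but the address logic is the part the question turns on.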