Re: [IPsec] IKEv2 NAT-T and Traffic Selectors

From: Dan McDonald <danmcd_at_nospam>
Date: Tue Sep 22 2009 - 17:04:35 GMT
To: Scott C Moonen <smoonen@us.ibm.com>

On Tue, Sep 22, 2009 at 12:52:51PM -0400, Scott C Moonen wrote:
> Hi Matt. Our implementation works a little differently from Tero's, so
> I'm replying just to provide a different perspective.

> Our design decision does prevent our implementation from initiating to a
> remote IPsec gateway if that gateway is behind a NAT, since we have
> excluded the possibility of configuring addresses in the network behind
> that NAT. We believe that initiating to a gateway behind a NAT is an
> uncommon configuration, especially for our platform.

Your design (which is similar to the one in Solaris/OpenSolaris) WOULD allow initiation to a behind-a-NAT peer if (and only if) the NAT was smart enough to redirect 500 and 4500 to a single entity inside its private network. (I'll be experimenting with this directly when I move into my new house this weekend, actually. :)

Dan

IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec

This message: [ Message body ]
Next message: Scott C Moonen: "Re: [IPsec] IKEv2 NAT-T and Traffic Selectors"
Previous message: Scott C Moonen: "Re: [IPsec] IKEv2 NAT-T and Traffic Selectors"
In reply to: Scott C Moonen: "Re: [IPsec] IKEv2 NAT-T and Traffic Selectors"
Next in thread: Scott C Moonen: "Re: [IPsec] IKEv2 NAT-T and Traffic Selectors"
Reply: Scott C Moonen: "Re: [IPsec] IKEv2 NAT-T and Traffic Selectors"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]