On Thu, 7 Jun 2012, Paul Hoffman wrote:
* Use IKE over TCP. Looking at the IANA registry ([2]) TCP port 500 is already allocated
to "ISAKMP". We have had IKE running over TCP for several years for remote
access clients. This was done because remote access clients connect from behind some very
dodgy NAT devices, and some of those do drop fragments. Getting this behavior at the ISP
is novel.
* Use IKE over TCP only after IKE over UDP fails during transmission of a packet
>512 bytes. That would be interoperable with current deployments (although they
would not see the second attempt, of course), it costs little, and is trivial to
implement.
Is that compatible with some vendor's tcp port 10000 implementation?
Also, if we are doing this, I'd prefer to be able to signal which tcp
port to use, to make it more flexible to bypass port 500 blocks (which
is part of the tcp 10000 implementation I believe).
Paul
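The fallback rule discussed in the thread (try IKE over UDP first, and switch to TCP only when a message larger than 512 bytes gets no reply) is easy to get subtly wrong: a small message that goes unanswered is more likely a dead peer than a dropped fragment, and TCP is a byte stream so each IKE message needs its own framing. The simulation below is an added example written for this page; it is not code from the mailing list or from any IKE implementation. The `DodgyNat`, `Responder` and `Initiator` classes, the 512-byte threshold, the retry count and the 16-bit length prefix used for TCP framing are all assumptions made for the illustration.

```python
"""Simulation of UDP-first IKE transport with a size-gated TCP fallback.

Added example, not code from the ipsec list or any IKE implementation.
The classes, thresholds and the 16-bit length prefix are assumptions.
"""
import struct

FRAGMENT_THRESHOLD = 512   # bytes; above this a UDP datagram is assumed at risk of fragmentation
MAX_UDP_RETRIES = 3        # retransmissions before giving up on UDP for one message


class DodgyNat:
    """Constructed stand-in for a NAT that silently drops UDP datagrams larger
    than `drop_udp_over` (i.e. anything that would have to be fragmented)
    while passing TCP segments untouched."""

    def __init__(self, drop_udp_over: int = FRAGMENT_THRESHOLD):
        self.drop_udp_over = drop_udp_over

    def pass_udp(self, datagram: bytes) -> bool:
        return len(datagram) <= self.drop_udp_over

    def pass_tcp(self, segment: bytes) -> bool:
        return True


class Responder:
    """Minimal peer: acknowledges any IKE message it receives."""

    def handle_udp(self, datagram: bytes) -> bytes:
        # One datagram is one IKE message; no extra framing needed.
        return b"ACK:" + datagram[:4]

    def handle_tcp(self, stream: bytes) -> bytes:
        # TCP is a byte stream, so each IKE message carries a 2-byte length
        # prefix (assumed framing) that lets the receiver find its end.
        (length,) = struct.unpack("!H", stream[:2])
        message = stream[2:2 + length]
        if len(message) != length:
            raise ValueError("truncated TCP-framed IKE message")
        return b"ACK:" + message[:4]


class Initiator:
    def __init__(self, nat: DodgyNat, peer: Responder):
        self.nat = nat
        self.peer = peer
        self.log = []          # (transport, attempt, bytes on the wire)

    def send(self, message: bytes) -> str:
        """Deliver `message`; return 'udp' or 'tcp' for the transport that worked."""
        for attempt in range(1 + MAX_UDP_RETRIES):
            self.log.append(("udp", attempt, len(message)))
            if self.nat.pass_udp(message):
                self.peer.handle_udp(message)
                return "udp"
        # UDP got no reply. Only a message above the fragmentation threshold
        # justifies switching transports; an unanswered small message is
        # treated as a dead peer, not as a fragment-dropping middlebox.
        if len(message) <= FRAGMENT_THRESHOLD:
            raise TimeoutError("no UDP reply for a small message; peer unreachable")
        if len(message) > 0xFFFF:
            raise ValueError("message too large for 16-bit length framing")
        framed = struct.pack("!H", len(message)) + message
        self.log.append(("tcp", 0, len(framed)))
        if self.nat.pass_tcp(framed):
            self.peer.handle_tcp(framed)
            return "tcp"
        raise TimeoutError("no reply over TCP either")


def demo():
    """Run a small exchange: a short message stays on UDP, a large one falls back to TCP."""
    init = Initiator(DodgyNat(), Responder())
    small = init.send(b"IKE_SA_INIT" + b"\x00" * 100)   # 111 bytes, constructed
    large = init.send(b"IKE_AUTH" + b"\x00" * 1500)     # 1508 bytes, constructed
    return small, large, init.log


if __name__ == "__main__":
    for entry in demo()[2]:
        print(entry)
```

The log produced by `demo()` shows the behaviour the thread describes: the small message is answered on the first UDP attempt, while the large one burns through its UDP retransmissions before a single TCP attempt succeeds. Whether a peer that never supports TCP would ever see the fallback is exactly the interoperability question raised in the reply, and this simulation does not answer it.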
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec