Michał Zegan <[email protected]> wrote:

> I have heard that transport mode should not be used if the initiator
> is behind a NAT, even with nat traversal protocols, because this does
> have some issues.
Yes, the issue is that on the gateway system, you wind up with zillions of transport sockets that are connected to 192.168.1.101 on the remote end, and you have to distinguish them by the IPsec state. (If you use tunnel mode through NAT, one usually assigns an IP address to the end system to use, and one can make that address unique.)

So, it's not a security or protocol problem, but on a generic operating system (Linux, *BSD, probably Windows), it's a problem to get the right bookkeeping in place.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________ IPsec mailing list [email protected] https://www.ietf.org/mailman/listinfo/ipsec
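As an added illustration of the bookkeeping problem Michael describes (this is not code from the thread or from any IPsec implementation), the following Python model shows why a gateway's ordinary socket demultiplexer breaks in transport mode through NAT: two peers on different home networks both present the same private source address 192.168.1.101, so their decapsulated packets share one 5-tuple and can only be told apart by the inbound SA (here identified by its SPI). The same model shows why tunnel mode avoids the problem when the gateway assigns unique inner addresses. All addresses, ports and SPIs are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed scenario: two peers, each behind its own home NAT, both using the
# private address 192.168.1.101 and the same source port, each with its own
# transport-mode IPsec SA (NAT-T) to one gateway.  After decapsulation the
# gateway sees the peers' original (private) source address on both flows.

GATEWAY_IP = "203.0.113.1"   # constructed gateway address

# proto, local_ip, local_port, remote_ip, remote_port
FiveTuple = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    spi: int        # SPI of the inbound IPsec SA that carried this packet
    payload: str


def five_tuple(pkt: Packet) -> FiveTuple:
    """The key a conventional socket table uses (gateway side)."""
    return ("tcp", pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)


def demux_plain(packets: List[Packet]) -> Dict[FiveTuple, List[str]]:
    """Conventional demux: 5-tuple only.  Distinct peers collide in transport
    mode because their decapsulated packets carry the same private address."""
    table: Dict[FiveTuple, List[str]] = {}
    for p in packets:
        table.setdefault(five_tuple(p), []).append(p.payload)
    return table


def demux_with_sa(packets: List[Packet]) -> Dict[Tuple[FiveTuple, int], List[str]]:
    """Demux extended with IPsec state: the socket is bound to the SA that
    delivers its packets, so the key is (5-tuple, SPI)."""
    table: Dict[Tuple[FiveTuple, int], List[str]] = {}
    for p in packets:
        table.setdefault((five_tuple(p), p.spi), []).append(p.payload)
    return table


def lookup_bound_socket(table: Dict[Tuple[FiveTuple, int], List[str]],
                        pkt: Packet) -> Optional[List[str]]:
    """Deliver only to the socket bound to the SA the packet arrived on.
    A packet with a matching 5-tuple but a different SPI is not delivered."""
    return table.get((five_tuple(pkt), pkt.spi))


def transport_mode_packets() -> List[Packet]:
    # Both peers' packets arrive bearing the same private source address.
    return [
        Packet("192.168.1.101", 40000, GATEWAY_IP, 22, spi=0x1001, payload="peer-A"),
        Packet("192.168.1.101", 40000, GATEWAY_IP, 22, spi=0x2002, payload="peer-B"),
    ]


def tunnel_mode_packets() -> List[Packet]:
    # In tunnel mode the gateway assigns each peer a unique inner address
    # (constructed pool 10.0.0.0/24), so the inner 5-tuples already differ.
    return [
        Packet("10.0.0.11", 40000, GATEWAY_IP, 22, spi=0x1001, payload="peer-A"),
        Packet("10.0.0.12", 40000, GATEWAY_IP, 22, spi=0x2002, payload="peer-B"),
    ]


def count_collisions(table: Dict) -> int:
    """Number of table entries that received packets from more than one peer."""
    return sum(1 for payloads in table.values() if len(payloads) > 1)


if __name__ == "__main__":
    print("transport, 5-tuple only     :", count_collisions(demux_plain(transport_mode_packets())))
    print("transport, 5-tuple + SA     :", count_collisions(demux_with_sa(transport_mode_packets())))
    print("tunnel, unique inner address:", count_collisions(demux_plain(tunnel_mode_packets())))
```

The `demux_with_sa` table is the extra state a gateway kernel has to carry for transport mode through NAT: every socket must remember which SA it belongs to, and delivery must consult that binding, which is exactly the bookkeeping that general-purpose operating systems do not do by default.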
