Paul Wouters writes:
> > Oh, I see that the port is not necessarily 4500. However I think
> > the clarification that no port switching takes place would be useful.
>
> When an RST happens, you do come back and if behind NAT you most likely
> will come back on a different port. So be careful with using terms as
> port switching. (I wish we could get rid of that anyway, are there still
> any ipsec passthrough devices in use mangling port 500? or is there any
> reason why not to always start on 4500?)
Have there ever been devices doing something special for TCP traffic on port 500? I think most of the issues have been with UDP traffic, where both the source and destination ports were specified to be 500, so some NAT devices decided that, because of that, we cannot NAT the source port, and thus we need to do something special for IPsec traffic. Port 4500 was just getting rid of this helpful thing NAT boxes tried to do.

With TCP-encapsulated IPsec, the source port will most likely be a random port anyway, and the destination port will be either 500 or 4500. I would actually say we should always use TCP port 500 for servers and not use port 4500 at all.

And the source TCP port will most likely be different even if there is no NAT in between, for example when using IPv6 and going through a firewall which is configured to drop all UDP traffic (and which might do some special cases for DNS).
--
[email protected]
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
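The message above argues that the port-500 trouble came from NAT boxes refusing to rewrite a UDP source port of 500, that port 4500 simply side-stepped that special case, and that TCP encapsulation with an ephemeral source port never triggers it. The following toy NAT model is an added illustration of that argument and is not code from this thread or from any IPsec implementation. The "ipsec_passthrough" policy is an assumed model of the old NAT behaviour (preserve UDP source port 500 unchanged, which only one inside host can hold at a time); the addresses, port numbers and flows are constructed.

```python
"""Toy NAPT model of the port-500 'IPsec passthrough' special case.

Constructed example, not code from the ipsec@ietf.org thread. The
'ipsec_passthrough' policy is an ASSUMED model of older NAT behaviour
(keep UDP source port 500 untranslated, so a single inside host owns it);
it is not a description of any particular vendor's implementation.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

NAT_PUBLIC_IP = "203.0.113.1"   # constructed address (RFC 5737 test range)
VPN_GATEWAY = "198.51.100.7"    # constructed VPN gateway address


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


class Nat:
    """Minimal outbound NAPT with two port-allocation policies."""

    def __init__(self, policy: str) -> None:
        if policy not in ("napt", "ipsec_passthrough"):
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.next_port = 40000
        self.table: Dict[Flow, Tuple[str, int]] = {}
        self.in_use = set()

    def _alloc(self) -> int:
        # Hand out the next free external port (plain NAPT behaviour).
        while self.next_port in self.in_use:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate(self, f: Flow) -> Optional[Tuple[str, int]]:
        """Return (external ip, external port) for an outbound flow,
        or None when the NAT refuses to create a mapping."""
        if f in self.table:
            return self.table[f]
        is_ike_udp500 = f.proto == "udp" and f.sport == 500 and f.dport == 500
        if self.policy == "ipsec_passthrough" and is_ike_udp500:
            # Assumed passthrough rule: source port 500 must stay 500,
            # so a second inside host doing IKE on 500 cannot be mapped.
            if 500 in self.in_use:
                return None
            mapping = (NAT_PUBLIC_IP, 500)
        else:
            # UDP 4500 and TCP flows get ordinary port translation.
            mapping = (NAT_PUBLIC_IP, self._alloc())
        self.table[f] = mapping
        self.in_use.add(mapping[1])
        return mapping


def demo(policy: str) -> Dict[str, Optional[Tuple[str, int]]]:
    """Run two inside hosts through the NAT with three IKE transports."""
    nat = Nat(policy)
    a, b, gw = "10.0.0.10", "10.0.0.11", VPN_GATEWAY
    return {
        # Classic IKE: both ends on UDP 500.
        "udp500_a": nat.translate(Flow("udp", a, 500, gw, 500)),
        "udp500_b": nat.translate(Flow("udp", b, 500, gw, 500)),
        # IKE on UDP 4500: no special treatment by the NAT.
        "udp4500_a": nat.translate(Flow("udp", a, 4500, gw, 4500)),
        "udp4500_b": nat.translate(Flow("udp", b, 4500, gw, 4500)),
        # TCP-encapsulated IKE: ephemeral client port, server on TCP 500.
        "tcp500_a": nat.translate(Flow("tcp", a, 51234, gw, 500)),
        "tcp500_b": nat.translate(Flow("tcp", b, 51235, gw, 500)),
    }


if __name__ == "__main__":
    for policy in ("napt", "ipsec_passthrough"):
        print(policy)
        for name, mapping in demo(policy).items():
            print(f"  {name:10s} -> {mapping}")
```

Under the assumed passthrough policy only the first host's UDP 500 session gets a mapping; the same hosts on UDP 4500, or on TCP with an ephemeral source port towards TCP 500, are translated like any other flow, which is the point the message makes about why 4500 was needed for UDP and why it buys nothing for TCP.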
