Hi Valery.

> On 19 Mar 2017, at 11:24, Valery Smyslov <[email protected]> wrote:
>
> Hi Eric,
>
>> - It seems like IKE associations can span TCP connections (S 6)
>> so why not instead of doing UDP first then TCP, do happy eyeballs.
>
> I don't think it's a good idea. The TCP encapsulation has a lot of drawbacks
> in terms of performance (see Section 12), so it is considered
> as a last resort if UDP doesn't work. In general UDP (or no encapsulation) is
> a preferred transport. If we start trying TCP and UDP in parallel, then
> in some cases TCP will win even if UDP works, resulting in a non-efficient
> connection, even when UDP could be used.
So as I said before, we do it, although IIRC (I'm not on the client team) the client gives TCP a one-second head start. The reason is that in many places where a UDP packet can go, a fragmented UDP packet gets dropped, so the first packets will work fine but the packets with the certificates (either IKE_AUTH or Main Mode #5) will get dropped. If by the end of IKE we have determined that UDP also works, we move to that for IPsec. And if TCP is blocked, we will try the IKE negotiation on UDP.

Note that we do all that only for remote access VPN. Site-to-site VPN is ESP or UDP only.

There's just a lot of crappy routers out there.

Yoav
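The transport race Yoav describes above, written out as a small simulation (an added example, not code from the thread or from any vendor's VPN client). TCP encapsulation is started first, UDP follows after a head start, the transport that completes IKE first carries the negotiation, and ESP moves to UDP afterwards if unfragmented UDP was seen to work. The message sizes, the MTU, the timings and the `NetworkModel` conditions are all constructed assumptions; the assumption that ESP packets stay below the MTU (so only unfragmented UDP reachability matters for them) is marked in the code.

```python
"""Simulated IKE transport race: TCP with a head start versus UDP.

Models the client behaviour described in the message above. Every size,
timing and network condition here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

MTU = 1500                 # assumed path MTU in bytes
IKE_SA_INIT_BYTES = 400    # constructed: small first exchange, never fragmented
IKE_AUTH_BYTES = 3000      # constructed: carries certificates, fragments over UDP
ESP_PACKET_BYTES = 1400    # constructed: data packets are kept below the MTU


@dataclass
class NetworkModel:
    udp_ok: bool            # unfragmented UDP datagrams reach the gateway
    udp_fragments_ok: bool  # fragmented UDP datagrams also reach it
    tcp_ok: bool            # TCP to the gateway is not blocked
    rtt_ms: int             # round-trip time used for both transports
    tcp_handshake_ms: int   # extra cost of the TCP three-way handshake


def udp_delivers(net: NetworkModel, size: int) -> bool:
    """A UDP message above the MTU is IP-fragmented and only survives if fragments pass."""
    if not net.udp_ok:
        return False
    return net.udp_fragments_ok if size > MTU else True


def tcp_delivers(net: NetworkModel, size: int) -> bool:
    """TCP segments the stream itself, so message size is irrelevant; only reachability matters."""
    return net.tcp_ok


def ike_completion_ms(net: NetworkModel, transport: str, start_ms: int) -> Optional[int]:
    """Time at which IKE (IKE_SA_INIT then IKE_AUTH) completes over `transport`.

    Returns None if either message would be lost on that transport.
    """
    delivers = udp_delivers if transport == "UDP" else tcp_delivers
    for msg_size in (IKE_SA_INIT_BYTES, IKE_AUTH_BYTES):
        if not delivers(net, msg_size):
            return None
    setup = net.tcp_handshake_ms if transport == "TCP" else 0
    return start_ms + setup + 2 * net.rtt_ms   # two request/response exchanges


def negotiate(net: NetworkModel, tcp_head_start_ms: int = 1000) -> Optional[Tuple[str, str]]:
    """Race TCP (started at t=0) against UDP (started after the head start).

    Returns (ike_transport, esp_transport), or None if neither transport
    can complete IKE.
    """
    candidates = []
    for transport, start in (("TCP", 0), ("UDP", tcp_head_start_ms)):
        done = ike_completion_ms(net, transport, start)
        if done is not None:
            candidates.append((done, transport))
    if not candidates:
        return None
    _, ike_transport = min(candidates)
    # Assumption: ESP packets stay under the MTU, so unfragmented UDP
    # reachability (learned during the race) is enough to move IPsec
    # traffic to UDP encapsulation even when IKE ran over TCP.
    esp_transport = "UDP" if udp_delivers(net, ESP_PACKET_BYTES) else "TCP"
    return ike_transport, esp_transport


if __name__ == "__main__":
    scenarios = {
        "clean path": NetworkModel(True, True, True, rtt_ms=50, tcp_handshake_ms=50),
        "router drops UDP fragments": NetworkModel(True, False, True, 50, 50),
        "TCP blocked": NetworkModel(True, True, False, 50, 50),
        "UDP blocked entirely": NetworkModel(False, False, True, 50, 50),
        "fragments dropped and TCP blocked": NetworkModel(True, False, False, 50, 50),
    }
    for name, net in scenarios.items():
        print(f"{name:36s} head start: {negotiate(net)}  no head start: {negotiate(net, 0)}")
```

Running the demo shows the point of the thread: on a clean path the one-second head start makes TCP win the IKE race (Valery's concern), but ESP still moves to UDP afterwards; on the "crappy router" path UDP never completes IKE_AUTH, so TCP is the only option for IKE while ESP can still use UDP; with no head start, a clean path lets UDP win outright.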
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
