> On Jun 1, 2017, at 4:17 PM, Paul Wouters <p...@nohats.ca> wrote:
>
> On Wed, 31 May 2017, Tommy Pauly wrote:
>
>> I've posted a new version of the draft that incorporates the changes
>> discussed in this thread. Please review!
>> https://datatracker.ietf.org/doc/html/draft-ietf-ipsecme-tcp-encaps-10
>
> I just noticed this in RFC 7296:
>
>    However, if a NAT is detected, both devices MUST use UDP encapsulation
>    for ESP.
>
> I'm not sure if this one sentence really qualifies as this draft needing
> a formal "Updates 7296", but it currently does not seem to do that.

Technically, one should only do TCP encapsulation if UDP couldn't go through at all—so you couldn't even get the IKE_SA_INIT response to do NAT detection. That means that we aren't in this case. However, I'm happy to add a line to clarify this if we'd prefer that =)

Thanks,
Tommy

>
> Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec