Hi Andreas,

When the UDP-encapsulated ESP traffic goes through a NAT device and reaches the destination end, what will the destination endpoint do with the received packets? The following is my understanding; please correct me if there is anything wrong, thanks.

The destination end will first check the outer IP header and then take off the UDP header (of course the destination end has to support NAT-Traversal) and modify the outer IP header to the original IPsec outer IP header? After this, the ESP packet could be processed as usual. Is my understanding correct? If this is true, how does the destination end reconstruct the outer IP header? Could you provide an example?

Thanks ! ^______^

--- On Tue, 10/1/5, Andreas Steffen <[email protected]> wrote:

From: Andreas Steffen <[email protected]>
Subject: Re: [strongSwan] NAT problem
To: "Jessie Liu" <[email protected]>
Cc: [email protected]
Date: Tuesday, January 5, 2010, 1:00 PM

Hi Jessie,

it is the IPsec ESP traffic which is encapsulated in UDP datagrams. The IKE protocol is always based on UDP with well-known source and destination port 500. When a NAT situation is detected then the source port is allowed to assume any port number and the UDP socket *must* float to 4500 in order to avoid conflicts with IPsec pass-through based on port forwarding.

Best regards

Andreas

Jessie Liu wrote:
> Hi all, I have a question about NAT and IPsec. I know that UDP
> encapsulation is used to solve the IPsec packet passing through NAT
> device problem. Does this apply to both IKE negotiation procedures
> and all following IPsec traffic communication between two ends? And
> floating to port 4500 is necessary with NAT device?
>
> Thanks in advance!!

======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
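
Added example, not part of the original thread and not strongSwan code: a sketch of how a receiver can sort the datagrams arriving on the floated port 4500 into IKE, UDP-encapsulated ESP and NAT-keepalives, using the non-ESP marker and keepalive byte defined in RFC 3948. The function names `decapsulate` and `build`, the addresses and the sample packets are constructed for illustration.

```python
import socket
import struct

NATT_PORT = 4500                # port the IKE socket floats to behind NAT
NON_ESP_MARKER = b"\x00" * 4    # RFC 3948: precedes IKE messages on 4500

def decapsulate(packet: bytes):
    """Classify one received IPv4 packet; returns (kind, data)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other", None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != socket.IPPROTO_UDP or len(packet) < ihl + 8:
        return "other", None
    # The source port is not checked: a NAT may have rewritten it.
    sport, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != NATT_PORT or ulen < 8:
        return "other", None
    payload = packet[ihl + 8:ihl + ulen]
    if payload == b"\xff":                  # NAT-keepalive, ignored
        return "keepalive", None
    if payload[:4] == NON_ESP_MARKER:       # IKE message, marker stripped
        return "ike", payload[4:]
    if len(payload) < 8:
        return "other", None
    # Stripping the 8-byte UDP header leaves a plain ESP packet (SPI,
    # sequence number, ciphertext) for normal ESP processing.
    spi, seq = struct.unpack("!II", payload[:8])
    peer = (socket.inet_ntoa(packet[12:16]), sport)  # as seen after NAT
    return "esp", {"spi": spi, "seq": seq, "peer": peer, "esp": payload}

def build(src: str, sport: int, payload: bytes) -> bytes:
    """Constructed sample packet (checksums left at zero, not verified)."""
    udp = struct.pack("!HHHH", sport, NATT_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     socket.IPPROTO_UDP, 0, socket.inet_aton(src),
                     socket.inet_aton("192.0.2.1"))
    return ip + udp

if __name__ == "__main__":
    esp = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 16  # constructed
    print(decapsulate(build("203.0.113.9", 31337, esp)))
    print(decapsulate(build("203.0.113.9", 31337, NON_ESP_MARKER + b"IKE")))
```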
