In NAT-ed IPsec transport mode, the original source IP address is transferred via the NATOA attribute to the peer, which re-establishes the original address after decapsulation.
Regards

Andreas

Daniel Mentz wrote:
> Hi Jessie,
>
> I think you have to distinguish between transport mode and tunnel mode.
>
> In tunnel mode, the UDP-encapsulated ESP packet contains a complete IP
> packet. The outer IP header as well as the UDP header are simply
> discarded in that case. The IP packet which is carried by ESP has its
> own IP header.
>
> Not sure about transport mode, though. I remember Andreas saying that
> transport mode is insecure if used together with NAT traversal. I guess
> the receiving end can reconstruct the original IP header by querying the
> Security Policy Database.
>
> Did you check
>
> http://unixwiz.net/techtips/iguide-ipsec.html
>
> ? It has some good information on ESP and AH.
>
> -Daniel
>
> Jessie Liu wrote:
>> Hi Andreas,
>> When the UDP-encapsulated ESP traffic goes through a NAT device
>> and reaches the destination end, what will the destination endpoint do
>> to the received packets?
>> Following is my understanding, please correct me if there is anything
>> wrong, thanks.
>>
>> The destination end will first check the outer IP header and then take
>> off the UDP header (of course the destination end has to support
>> NAT-Traversal) and modify the outer IP header to the original IPsec
>> outer IP header? After this, the ESP packet could be processed as usual.
>> Is my understanding correct?
>> If this is true, how does the destination end reconstruct the outer IP
>> header? Could you provide an example?
>>
>> Thanks ! ^______^

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
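To make the two cases in the thread concrete, here is an added example (not strongSwan code and not from any poster): it classifies a UDP/4500 datagram per RFC 3948 framing, and for transport mode rebuilds the IP header the receiver needs after decapsulation, taking the pre-NAT source address from the NAT-OA (NATOA) value. The addresses 203.0.113.5, 198.51.100.7 and 10.0.0.2 are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

# RFC 3948 framing on UDP/4500: IKE is prefixed with a 4-byte zero "non-ESP
# marker", ESP starts directly with its SPI (SPI 0 is reserved, so the two
# never collide), and a lone 0xFF byte is a NAT-keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"

def classify_udp4500(payload: bytes) -> str:
    """Decide what a UDP/4500 datagram carries before dispatching it."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:  # SPI (4) + sequence number (4) at minimum
        return "esp"
    return "invalid"

def ipv4_checksum(hdr: bytes) -> int:
    """Ones'-complement IPv4 header checksum; returns 0 over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def rebuild_transport_header(outer_hdr: bytes, next_header: int,
                             payload_len: int, nat_oa_src: str) -> bytes:
    """Transport mode: ESP carried no inner IP header, so the receiver rebuilds
    one. Source address = pre-NAT address from the NAT-OA payload sent in IKE,
    protocol = Next Header from the ESP trailer, length = decrypted payload
    (the outer UDP/4500 header is gone). Tunnel mode skips this entirely:
    the decrypted payload is a complete IP packet."""
    _, tos, _, ident, flags_frag, ttl, _, _, _, dst = struct.unpack(
        "!BBHHHBBH4s4s", outer_hdr[:20])
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, ident,
                      flags_frag, ttl, next_header, 0,
                      IPv4Address(nat_oa_src).packed, dst)
    # The TCP/UDP checksum inside the payload was computed over the pre-NAT
    # addresses; RFC 3948 has the receiver fix it up using NAT-OA as well
    # (not implemented in this example).
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

if __name__ == "__main__":
    # Constructed sample: NAT public address 203.0.113.5 -> responder
    # 198.51.100.7; the initiator's real address 10.0.0.2 came via NAT-OA.
    outer = bytes.fromhex("45000054abcd40004011" "0000" "cb007105" "c6336407")
    hdr = rebuild_transport_header(outer, 6, 40, "10.0.0.2")
    print(hdr.hex(), ipv4_checksum(hdr) == 0)
```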
