RE: Passing IPSec VPN traffic through a Port-masquerading firewall

Gabriel Montenegro <gab@Eng.Sun.Com> Fri, 15 January 1999 05:06 UTC

Received: from portal.ex.tis.com (portal.ex.tis.com [192.94.214.101]) by mail.proper.com (8.8.8/8.8.5) with ESMTP id VAA10245 for <ietf-ipsec@imc.org>; Thu, 14 Jan 1999 21:06:48 -0800 (PST)
Received: by portal.ex.tis.com (8.9.1/8.9.1) id VAA02997 for ipsec-outgoing; Thu, 14 Jan 1999 21:30:49 -0500 (EST)
Date: Thu, 14 Jan 1999 18:48:48 -0800
From: Gabriel Montenegro <gab@Eng.Sun.Com>
Reply-To: Gabriel Montenegro <gab@Eng.Sun.Com>
Subject: RE: Passing IPSec VPN traffic through a Port-masquerading firewall
To: "Brothers, John" <johnbr@elastic.com>
Cc: 'Stephen Kent' <kent@bbn.com>, "'ipsec@tis.com'" <ipsec@tis.com>
In-Reply-To: "Your message with ID" <9DBF3C44F94BD2119C4400105A16BC7F021DDC@MAILMAN>
Message-ID: <Roam.SIMC.2.0.6.916368528.17372.gab@eng.sun.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; CHARSET="US-ASCII"
Sender: owner-ipsec@ex.tis.com
Precedence: bulk

Enabling end-to-end ipsec traffic (among other things) across NAT boxes
(also known as IP masquerading) is the subject of

  http://www.ietf.org/internet-drafts/draft-montenegro-aatn-nar-01.txt

In particular, you might be interested in section 2.6.2 (IPSEC Handling 
and Demultiplexing).

I also gave a presentation at the last ipsec meeting on precisely the
issue that worries you, and hopefully it helps outline what needs to
be done. My presentation was couched in terms of a framework and does
not talk about any specific negotiation or signalling mechanism between
the client and the NAR box.

The presentation is available from:

  http://playground.sun.com/~gab/talks/ipsec-nat-issues.PDF

Three different types of signalling schemes have been proposed
so far for similar applications. One is proposed in my draft above, in
which I extend SOCKS for the negotiation phase *only*.

The other two are UDP based and are proposed in these drafts:

  Host NAT:
    http://www.ietf.org/internet-drafts/draft-ietf-nat-hnat-00.txt

  Distributed NAT:
    http://search.ietf.org/internet-drafts/draft-borella-aatn-dnat-01.txt

This type of end-to-end application across "NAT" boxes is being discussed
by the NAT working group:

   http://www.ietf.org/html.charters/nat-charter.html

Hope this helps,

-gabriel
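The demultiplexing problem the message points at (section 2.6.2 of the NAR draft) is easy to see in a small model. The following Python is an added illustration written for this archive page; it is not code from the message, from the NAR draft or from the HNAT/DNAT drafts, and the `register_inbound_spi` step is a hypothetical stand-in for whatever negotiation phase a real signalling scheme would run. It models a port-masquerading NAT that keys its translation table on TCP/UDP ports, shows that an inbound ESP packet (IP protocol 50) offers no port to key on, and shows how a mapping from the expected inbound SPI to the inside host, learned before traffic flows, lets the NAT deliver ESP to the right client. All addresses, ports and SPIs are constructed sample values.

```python
"""Added example (not from the message or the cited drafts): why a
port-masquerading NAT can demultiplex TCP/UDP replies but not inbound
ESP, and how a per-SPI mapping learned by signalling restores delivery.
Addresses, ports and SPIs are constructed sample values."""
import struct
from dataclasses import dataclass, replace
from typing import Optional

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50


@dataclass(frozen=True)
class Packet:
    """Outer IP addresses plus the transport-level demux key."""
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None   # TCP/UDP only
    dport: Optional[int] = None   # TCP/UDP only
    spi: Optional[int] = None     # ESP only


def parse_l4(proto: int, l4: bytes) -> dict:
    """Demux fields from the bytes after the IP header: TCP and UDP start
    with two 16-bit ports; ESP starts with a 32-bit SPI and a sequence
    number and has no port field at all."""
    if proto in (IPPROTO_TCP, IPPROTO_UDP):
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"sport": sport, "dport": dport}
    if proto == IPPROTO_ESP:
        spi, _seq = struct.unpack("!II", l4[:8])
        return {"spi": spi}
    raise ValueError(f"unsupported protocol {proto}")


class MasqueradingNAT:
    """One public address; inside hosts are told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.port_map = {}   # (proto, public port) -> (inside ip, inside port)
        self.spi_map = {}    # inbound SPI -> inside ip; filled only by signalling

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.proto in (IPPROTO_TCP, IPPROTO_UDP):
            pub = self.next_port
            self.next_port += 1
            self.port_map[(pkt.proto, pub)] = (pkt.src, pkt.sport)
            return replace(pkt, src=self.public_ip, sport=pub)
        if pkt.proto == IPPROTO_ESP:
            # Only the address can be rewritten. The SPI on this packet belongs
            # to the peer's inbound SA and says nothing about the SPI the peer
            # will use towards this host, so no return mapping is learned.
            return replace(pkt, src=self.public_ip)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translated packet, or None when the NAT cannot pick a host."""
        if pkt.proto in (IPPROTO_TCP, IPPROTO_UDP):
            inside = self.port_map.get((pkt.proto, pkt.dport))
            return None if inside is None else replace(pkt, dst=inside[0], dport=inside[1])
        if pkt.proto == IPPROTO_ESP:
            inside = self.spi_map.get(pkt.spi)
            return None if inside is None else replace(pkt, dst=inside)
        raise ValueError(f"unsupported protocol {pkt.proto}")

    def register_inbound_spi(self, inside_ip: str, spi: int) -> None:
        """Hypothetical signalling step: the inside host tells the NAT which
        SPI its peer will send to it (stand-in for a negotiation phase)."""
        self.spi_map[spi] = inside_ip


def demo() -> dict:
    """Two inside hosts behind one NAT, both talking to the same peer."""
    nat = MasqueradingNAT("203.0.113.1")
    peer = "198.51.100.7"

    # TCP: the reply is demultiplexed by the translated port alone.
    out = nat.outbound(Packet(IPPROTO_TCP, "10.0.0.2", peer, sport=1025, dport=80))
    back = nat.inbound(Packet(IPPROTO_TCP, peer, nat.public_ip, sport=80, dport=out.sport))

    # ESP from both hosts, then a reply from the peer: no key to demux on.
    nat.outbound(Packet(IPPROTO_ESP, "10.0.0.2", peer, spi=0x1001))
    nat.outbound(Packet(IPPROTO_ESP, "10.0.0.3", peer, spi=0x1002))
    blind = nat.inbound(Packet(IPPROTO_ESP, peer, nat.public_ip, spi=0xA001))

    # After signalling, the same replies reach the right hosts.
    nat.register_inbound_spi("10.0.0.2", 0xA001)
    nat.register_inbound_spi("10.0.0.3", 0xA002)
    esp2 = nat.inbound(Packet(IPPROTO_ESP, peer, nat.public_ip, spi=0xA001))
    esp3 = nat.inbound(Packet(IPPROTO_ESP, peer, nat.public_ip, spi=0xA002))
    return {"tcp_dst": back.dst, "esp_blind": blind,
            "esp2_dst": esp2.dst, "esp3_dst": esp3.dst}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `esp_blind` as `None` before the SPI mapping exists and the correct inside addresses afterwards, while the TCP reply is delivered with no extra step. The model deliberately leaves AH out: because AH's integrity check covers the IP addresses, rewriting the source address breaks it regardless of any demultiplexing scheme, which is a separate problem from the one shown here.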