Re: IPSec Passthrough

Vinay K Nallamothu <vinay-rc@naturesoft.net> Thu, 01 May 2003 06:47 UTC

Received: from lists.tislabs.com (portal.gw.tislabs.com [192.94.214.101]) by above.proper.com (8.12.8p1/8.12.8) with ESMTP id h416lVi2018529; Wed, 30 Apr 2003 23:47:32 -0700 (PDT) (envelope-from owner-ipsec@lists.tislabs.com)
Received: by lists.tislabs.com (8.9.1/8.9.1) id CAA12954 Thu, 1 May 2003 02:01:02 -0400 (EDT)
Subject: Re: IPSec Passthrough
From: Vinay K Nallamothu <vinay-rc@naturesoft.net>
To: Mark Siler <msiler@hcin.net>
Cc: ipsec@lists.tislabs.com
In-Reply-To: <1772A2E865ABD411B18900508BB1B88F05ED7D8C@SVARLEXC07>
References: <1772A2E865ABD411B18900508BB1B88F05ED7D8C@SVARLEXC07>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Ximian Evolution 1.0.8 (1.0.8-10)
Date: Thu, 01 May 2003 11:40:03 +0530
Message-Id: <1051769403.1131.40.camel@lima.royalchallenge.com>
Mime-Version: 1.0
Sender: owner-ipsec@lists.tislabs.com
Precedence: bulk

On Wed, 2003-04-30 at 20:37, Mark Siler wrote:
> I'm curious on how IPSec passthrough works.  I know AH prevents a
> traditional NAT from occurring, but how do the SOHO routers (Linksys,
> D-Link, Ascend, etc) accomplish the IPSec passthrough?

These devices track the IPsec connections by looking at the SPI in
IKE/ESP headers.

When they first see the IKE packets from the client behind the NAT they
note down the SPI value and client address and then masquerade the packet
as usual with its own IP.

When they see the packets from the remote IPsec peer, they look into the
table using the SPI and replace the destination with the client's IP.

This mechanism works only with ESP and not with AH which is fine as most
of the road warriors connect to IPsec gateways.

You can get more details about this in sections 9.0 to 9.3 of
draft-ietf-ipsec-ikev2-tutorial-01.txt.

>  Do they
> encapsulate the entire IPSec packet from the client?
No.

>  I keep reading
> about a Transparent Mode and Tunnel Mode,
For NAT-T unaware IPsec peers, the above-mentioned mechanism is not
visible and hence called transparent. Further, this works only when the
client behind the NAT is a road warrior.


vinay
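As an added illustration of the SPI-tracking passthrough described in the reply above (example code written for this page, not from the post, the cited draft or any vendor's firmware): a toy NAT that records (peer address, SPI) against the internal client when it sees outbound ESP, masquerades the packet with its own public address, and on inbound ESP looks the SPI up and rewrites the destination back to the client. The ESP header and ciphertext are never touched, only the IP addresses and the IP header checksum. Because ESP SPIs are chosen separately for each direction, the model assumes that the SPI the peer uses for its replies is learned from the first inbound packet that arrives after the client's outbound packet; that pairing rule, the addresses, SPIs and packet bytes are all constructed for the example.

```python
"""Toy model of SPI-tracking ESP passthrough on a NAT router.

Added illustration for this list post, not code from the post or from any
router vendor. Packets are raw IPv4 + ESP bytes built in-line; the NAT keeps
a table keyed on (peer, SPI) and rewrites only IP addresses, so the ESP
header and the encrypted payload pass through unchanged.
"""
import ipaddress
import struct

IPPROTO_ESP = 50
IP_HDR_LEN = 20  # IPv4 header without options


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement IPv4 header checksum (0 when verifying a good header)."""
    if len(hdr) % 2:
        hdr += b"\0"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_esp_packet(src: str, dst: str, spi: int, seq: int, payload: bytes) -> bytes:
    """IPv4 header (no options) + ESP header (SPI, sequence) + opaque payload."""
    esp = struct.pack("!II", spi, seq) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + len(esp), 0, 0, 64,
                      IPPROTO_ESP, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + esp


def parse_esp_packet(pkt: bytes):
    """Return (src, dst, spi) for an ESP packet, or None if it is not ESP."""
    if len(pkt) < IP_HDR_LEN:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_ESP or len(pkt) < ihl + 8:
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    spi = struct.unpack("!I", pkt[ihl:ihl + 4])[0]
    return src, dst, spi


def rewrite_addresses(pkt: bytes, src: str = None, dst: str = None) -> bytes:
    """Replace src and/or dst in the IP header and fix the checksum; ESP bytes untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    if src:
        hdr[12:16] = ipaddress.IPv4Address(src).packed
    if dst:
        hdr[16:20] = ipaddress.IPv4Address(dst).packed
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


class EspPassthrough:
    """SPI-keyed NAT table as the reply describes it, for one public address."""

    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.table = {}    # (peer, spi) -> internal client, both directions
        self.pending = {}  # peer -> client whose reply SPI is not yet known

    def outbound(self, pkt: bytes):
        """Client -> peer: note SPI and client, masquerade with our own address."""
        parsed = parse_esp_packet(pkt)
        if parsed is None:
            return None
        client, peer, spi = parsed
        self.table[(peer, spi)] = client
        # Assumption of this model: the peer's reply SPI is learned from the
        # first inbound packet from that peer after this outbound packet.
        self.pending[peer] = client
        return rewrite_addresses(pkt, src=self.public_ip)

    def inbound(self, pkt: bytes):
        """Peer -> us: look the SPI up and put the client's address back as destination."""
        parsed = parse_esp_packet(pkt)
        if parsed is None:
            return None
        peer, dst, spi = parsed
        if dst != self.public_ip:
            return None
        client = self.table.get((peer, spi))
        if client is None:
            client = self.pending.pop(peer, None)
            if client is None:
                return None  # nobody behind the NAT spoke to this peer: drop
            self.table[(peer, spi)] = client
        return rewrite_addresses(pkt, dst=client)
```

Note that `pending` is keyed on the peer alone: if two internal hosts start sessions to the same gateway before either reply arrives, the second overwrites the first, which is one concrete way to see why this style of passthrough is only dependable for a single road warrior per remote peer.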