Re: [IPsec] nat traversal and transport mode

Yoav Nir <ynir.ietf@gmail.com> Tue, 16 June 2015 12:08 UTC


Hi.

Transport mode works fine behind NAT devices. For example, L2TP clients connect to VPN gateways using transport mode and they work behind NAT devices.

It is AH that cannot work behind NAT.  

HTH

Yoav

> On Jun 16, 2015, at 2:34 PM, Michał Zegan <webczat_200@poczta.onet.pl> wrote:
> 
> Hello.
> 
> I have heard that transport mode should not be used if the initiator
> is behind a NAT, even with NAT traversal protocols, because this does
> have some issues.
> However, I am not quite sure I understand what those issues are.
> Also, does it mean that L2TP over IPsec suffers the same issues but
> you have no choice in this case?
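Why AH breaks behind NAT while ESP (and therefore transport-mode ESP, as used by L2TP/IPsec) does not, shown as an added example that is not part of the thread: the AH ICV is computed over the immutable IPv4 header fields (source and destination address included, per RFC 4302), so a NAT rewriting the source address invalidates it, whereas the ESP ICV (RFC 4303) covers only the ESP header and payload. The packet layout, the demo key and the function names are constructed for illustration; a real SA takes its integrity key and algorithm from IKE.

```python
import hmac
import hashlib
import struct
import ipaddress

# Constructed demo key; real SAs take their integrity key from IKE.
KEY = b"constructed-demo-integrity-key"
AH, ESP = 51, 50  # IP protocol numbers


def ipv4_header(src, dst, proto, ttl=64):
    # Minimal 20-byte IPv4 header; header checksum left zero for brevity.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)


def zero_mutable(ip_hdr):
    # RFC 4302: TOS, flags/fragment offset, TTL and header checksum are
    # mutable and zeroed before the ICV is computed; the addresses are NOT.
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def covered(proto, pkt):
    # AH: immutable IP header fields + everything after the header.
    # ESP: only the ESP header/payload; the outer IP header is excluded.
    if proto == AH:
        return zero_mutable(pkt[:20]) + pkt[20:]
    return pkt[20:]


def icv(data):
    # Truncated HMAC-SHA-256-128 over whatever the protocol covers.
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]


def forward(pkt, nat_src=None):
    # Every router hop decrements TTL; a NAT hop also rewrites the source.
    h = bytearray(pkt)
    h[8] -= 1
    if nat_src:
        h[12:16] = ipaddress.IPv4Address(nat_src).packed
    return bytes(h)


def send_and_verify(proto, src, dst, payload, nat_src=None):
    # Sender computes the ICV, the path modifies the packet, receiver checks.
    pkt = ipv4_header(src, dst, proto) + payload
    tag = icv(covered(proto, pkt))
    received = forward(pkt, nat_src)
    return hmac.compare_digest(tag, icv(covered(proto, received)))
```

A plain router hop (TTL only) leaves the AH ICV valid; a NAT hop that rewrites the source address breaks AH but leaves ESP untouched.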