Re: Another NAT Traversal question
At 12:07 19.03.2003 +0530, you wrote:
IKEv2 is being defined fresh. Why can't we use port 500 for the purpose of
NAT Traversal? If we make this packet also contain the first four bytes after
the UDP header as 0s in case of an IKE packet, then there is no need for
port 4500.
Regards,
Ravi
Well. Routers doing NAT reassign ports. In goes src/dst 53/53, out goes
src/dst 1025/53 or something. On the return packets, the port numbers are
changed back. You know that.
The problem is that over 50% of all routers DO NOT DO THAT if the port is 500;
they keep the 500/500 mapping. Many small vendors do that. But even the
current (February) Cisco IOS does that. And there is no way to switch it
off.
If you run IKE through a NAT box, the IKE client software can't use
port 500. Using a random port >1023 works fine. But then the client
can't be responder anymore....
The port 500 is spoiled, sorry, and it has to go.
Jörn
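To make the two behaviours in this exchange concrete, here is an added toy model (not code from either poster): a NAT that reassigns source ports normally, beside one that pins UDP 500 and keeps the 500/500 mapping. The private addresses and the two-client scenario are constructed for the example.

```python
# Added example, not from the original mail: a toy NAT/PAT model comparing a
# router that reassigns source ports (src/dst 500/500 -> 1025/500) with one that
# pins UDP port 500 and keeps the 500/500 mapping, as the mail describes.
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Nat:
    pinned: frozenset = frozenset()            # source ports this NAT refuses to rewrite
    next_port: int = 1025                      # next free public port for normal PAT
    table: dict = field(default_factory=dict)  # public port -> (private ip, private port)

    def outbound(self, src_ip: str, src_port: int) -> Optional[int]:
        """Translate an outgoing UDP packet; return the public source port,
        or None if the packet cannot be mapped."""
        for pub_port, private in self.table.items():
            if private == (src_ip, src_port):
                return pub_port                # existing mapping is reused
        if src_port in self.pinned:
            if src_port in self.table:
                return None                    # a second host on port 500 collides
            pub_port = src_port                # router keeps 500/500
        else:
            pub_port = self.next_port
            self.next_port += 1
        self.table[pub_port] = (src_ip, src_port)
        return pub_port

    def inbound(self, dst_port: Optional[int]) -> Optional[Tuple[str, int]]:
        """Map a return (or unsolicited) packet to a private endpoint, if any."""
        return self.table.get(dst_port)

def two_clients(pin_500: bool):
    """Two constructed hosts behind one NAT both run IKE from UDP 500 to the same peer."""
    nat = Nat(frozenset({500}) if pin_500 else frozenset())
    a = nat.outbound("10.0.0.2", 500)
    b = nat.outbound("10.0.0.3", 500)
    # Return traffic for each client, plus an unsolicited packet to port 500
    # (a remote peer trying to act as initiator towards a client behind the NAT).
    return a, b, nat.inbound(a), nat.inbound(b), nat.inbound(500)
```

With normal PAT both clients work but nobody can reach them as a responder; with the pinned 500/500 mapping the first client can be a responder, and the second client cannot be mapped at all.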