[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: NAT and IPSEC issues:- Question

> >If the IRAC could be persuaded to request an available SPI from the 'NAT'
> >box, wouldn't this resolve the problem?
> No, because the SPI is chosen by the responder. But the NAT could check
> the SPI and inform the client if it was in conflict. That is what RSIP
> does.
I believe that when A negotiates an IPSec SA with B, A chooses the SPI that
B will use to send encapsulated packets to A and B chooses the SPI that A
will use to send encapsulated packets to B. This is independent of who's the
initiator or the responder.

So if the IRAC creates a proposal where all SPI values are guaranteed to be
unique for the NAT-ed domain (under control of the NAT box as suggested in
the original question) then I do not see why that SPI could not later be
used by the NAT box to route inbound traffic to the appropriate client.