--------------------
Pasi Eronen (2005-11-14): https://www.machshav.com/pipermail/mobike/2005-November/001297.html

Stephane pointed out in the WG meeting that the examples in Section 2.2 don't change to port 4500 as they should.

--------------------
Stephane Beaulieu (2005-11-14): https://www.machshav.com/pipermail/mobike/2005-November/001302.html

Thanks. I meant to follow up with an email, but it slipped my mind.

There's also another piece of text in section 3.5 which is misleading.

   o  If the IPsec SAs were updated in the previous step: If NAT Traversal
      is not enabled, and the responder supports NAT Traversal (as
      indicated by NAT detection payloads in the IKE_SA_INIT exchange),
      and the initiator either suspects or knows that a NAT is likely to
      be present, enables NAT Traversal (that is, enables UDP
      encapsulation of outgoing ESP packets and sending of NAT-Keepalive
      packets).

This implies that we didn't already switch to port 4500 as was mentioned earlier in the doc. My impression is that we were always doing UDP encaps on port 4500. (Or are we just switching IKE to port 4500, but not doing UDP encaps?)

--------------------
Tero Kivinen (2005-11-14): https://www.machshav.com/pipermail/mobike/2005-November/001303.html

Yes. We simply move all IKE traffic to port 4500 immediately when we notice that the other end supports NAT, regardless of whether there is a NAT or not. The IPsec SAs are still created using normal ESP packets in case there is no NAT, and if we move behind a NAT then we change those IPsec SAs to use UDP encapsulation too. If we move away from the NAT then we again disable the UDP encapsulation of IPsec packets, but keep the IKE traffic on port 4500.

The reason for this is that if we did the port switch when we later detect a NAT, it would cause additional complexity, as the responder does not know the addresses that are going to be used in the encapsulated packets, because the initiator wouldn't have sent any packets with those addresses and the NAT wouldn't have created a mapping for the packets yet.

--------------------
Jari Arkko (2005-11-15): https://www.machshav.com/pipermail/mobike/2005-November/001309.html

I agree with what Tero is writing below. But from what I understood we are just describing the port numbers in the example, not adding any other new text. Correct?

--------------------
Stephane Beaulieu (2005-11-15): https://www.machshav.com/pipermail/mobike/2005-November/001311.html

Just changing the port values in the example is fine with me. The rest appears to have been confusion on my part.

--------------------
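As an added illustration of the behaviour Tero describes (IKE moves to port 4500 as soon as the peer shows NAT-T support; ESP is UDP-encapsulated only while a NAT is actually detected, and leaving the NAT turns encapsulation off but keeps IKE on 4500), here is a small model written for this page; it is not code from the draft or from any IKEv2 implementation, the class and method names are my own, and the SPIs and addresses in the demo are constructed. NAT detection is modelled the way IKEv2 does it: a SHA-1 over SPIi | SPIr | IP | port, compared against the same digest over the address the peer actually saw.

```python
import hashlib
import ipaddress

IKE_PORT = 500        # port of the initial IKE_SA_INIT exchange
IKE_NATT_PORT = 4500  # NAT-T port; also carries UDP-encapsulated ESP


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_*_IP notify: SHA-1 over SPIi | SPIr | IP | port,
    with the port as a 16-bit big-endian value (RFC 4306 section 2.23)."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + port.to_bytes(2, "big")).digest()


class MobikeInitiator:
    """Initiator-side state for the rules in the thread (hypothetical class)."""

    def __init__(self, spi_i: bytes, spi_r: bytes, peer_supports_natt: bool):
        self.spi_i, self.spi_r = spi_i, spi_r
        self.peer_supports_natt = peer_supports_natt
        # The port switch happens at once, independent of whether a NAT exists,
        # so the NAT mapping for 4500 is already in place when we later move.
        self.ike_port = IKE_NATT_PORT if peer_supports_natt else IKE_PORT
        self.udp_encap = False  # IPsec SAs start out as plain ESP

    def process_nat_detection(self, peer_dst_hash: bytes, my_ip: str, my_port: int) -> bool:
        """Handle the responder's NAT_DETECTION_DESTINATION_IP from an address
        update. peer_dst_hash covers the address the responder sent to; if it
        differs from the digest of our own address, a NAT rewrote it on the path.
        Returns the new UDP-encapsulation state for the IPsec SAs."""
        if not self.peer_supports_natt:
            return False  # no detection payloads are exchanged; nothing to decide
        mine = nat_detection_hash(self.spi_i, self.spi_r, my_ip, my_port)
        self.udp_encap = peer_dst_hash != mine
        # IKE stays on 4500 either way: moving away from a NAT never moves it back.
        self.ike_port = IKE_NATT_PORT
        return self.udp_encap

    def esp_transport(self) -> str:
        """How outgoing ESP for the IPsec SAs is currently sent."""
        return "udp-encap/4500" if self.udp_encap else "plain-esp"


if __name__ == "__main__":
    # Constructed demo: no NAT at first, then the initiator moves behind one.
    spi_i, spi_r = bytes(range(8)), bytes(range(8, 16))
    init = MobikeInitiator(spi_i, spi_r, peer_supports_natt=True)
    print(init.ike_port, init.esp_transport())
    init.process_nat_detection(nat_detection_hash(spi_i, spi_r, "203.0.113.7", 61000), "192.168.1.10", 4500)
    print(init.ike_port, init.esp_transport())
```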