Known Issues (cont’d)

• Incompatibility between fixed IKE destination ports and NAPT

  • IKE source port de-multiplexing preferrable to NAT de-multiplexing via IKE cookies
  • Issue is de-multiplexing of rekeys; no way for NAT to de-multiplex previously unseen IKE cookies, but de-multiplexing packets to a previously floated IKE port is possible
  • Floating IKE source ports legal, but rarely used

• Incompatibilities between overlapping SPD entries and NAT.

  • Issue is two clients negotiating overlapping SPDs with same server
  • Requires client-NAT communication for source port coordination or floating of server port

• Incompatibilities between IPSEC SPI selection and NAT

  • Issue is SPI of packets incoming to NAT; without client-NAT communication, NAT must depend on timing
  • Problem may be manageable in home scenarios with only a few IPSEC users
  • Problem fatal in enterprise or ISP scenarios

Previous slide

Next slide

Back to first slide

View graphic version