Hi All,
    I have some doubts about NAT with IPsec/IKE.
  Example, take a topology:

  IKE_PEER1  ----------- NAT1 ---------------- NAT2 Server --- IKE_PEER3
  (1.1.1.1)   |  (1.1.1.10)  (2.1.1.1)  (2.1.1.2)             (3.1.1.1)
              |
  IKE_PEER2   |
  (1.1.1.2)

  IKE_PEER1 and IKE_PEER2, behind the same NAT device NAT1, want to
  establish IPsec tunnels with IKE_PEER3, which is behind a NAT server
  (service running behind a NAT).

  For IKE_PEER1 and IKE_PEER2, the NAT2 server address (2.1.1.2) is the peer
  address, since IKE_PEER3 is running behind a NAT server.

Questions:

  1. For IKE_PEER3, 2.1.1.1 is the peer address for both IKE_PEER1 &
     IKE_PEER2. If the IKE ID type is IP address, then how can IKE SAs be
     established between IKE_PEER1 & IKE_PEER3 and IKE_PEER2 & IKE_PEER3?

  2. If the ID type is based on name (FQDN), say an IPsec tunnel is
     established between IKE_PEER1 & IKE_PEER3. If the IPsec SA mode is
     tunnel, now the inner IP header may have the destination IP address as
     the NAT2 server's address, that is (2.1.1.2). This original IP packet
     will be the payload of the IPsec-encapsulated packet.

     Since the NAT2 server will change only the outer IP header destination
     address to forward the packet to IKE_PEER3.

     Now in IKE_PEER3, after IPsec decapsulation, the original packet will
     have 2.1.1.2 (the NAT server's address) as the destination address. Now
     how can this packet be processed in IKE_PEER3?

     Can tunnel mode not be supported in such a topology??

     If the RFC is not clear about such a solution, then we can have one RFC
     to solve this scenario.


With Regards
Syed Ajim    


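The part of IKEv2 that deals with the NATs in this topology is the NAT detection of RFC 7296 section 2.23, shown here as an added example that is not part of the mail above. The addresses are the ones in the diagram; the SPI values and the NAT-assigned source port (40001) are constructed assumptions.

```python
"""IKEv2 NAT detection (RFC 7296, section 2.23) applied to the topology in the mail.
Added example, not from the original post. SPIs and NAT-assigned source ports are
constructed values; IP addresses are the ones in the diagram."""
import hashlib
import ipaddress
import struct

IKE_PORT = 500
IKE_NAT_T_PORT = 4500  # UDP encapsulation port used once a NAT is detected


def nat_detection_hash(spi_i: int, spi_r: int, ip: str, port: int) -> bytes:
    """Data of a NAT_DETECTION_*_IP notify: SHA-1(SPIi || SPIr || IP || port),
    SPIs as 8-byte big-endian, IPv4 address as 4 bytes, port as 16-bit."""
    data = struct.pack("!QQ", spi_i, spi_r) + ipaddress.ip_address(ip).packed
    return hashlib.sha1(data + struct.pack("!H", port)).digest()


def initiator_notifies(spi_i, spi_r, src, dst):
    """Initiator hashes source and destination address/port as *it* sees them,
    i.e. before any NAT on the path rewrites them."""
    return {"SOURCE_IP": nat_detection_hash(spi_i, spi_r, *src),
            "DESTINATION_IP": nat_detection_hash(spi_i, spi_r, *dst)}


def responder_checks(spi_i, spi_r, notifies, observed_src, own_addr):
    """Responder re-hashes what it actually observes. SOURCE_IP mismatch: the
    initiator is behind a NAT. DESTINATION_IP mismatch: the responder is."""
    initiator_nated = notifies["SOURCE_IP"] != nat_detection_hash(spi_i, spi_r, *observed_src)
    responder_nated = notifies["DESTINATION_IP"] != nat_detection_hash(spi_i, spi_r, *own_addr)
    return initiator_nated, responder_nated


def port_after_detection(initiator_nated, responder_nated):
    """A NAT on either side moves both peers to UDP 4500 encapsulation."""
    return IKE_NAT_T_PORT if (initiator_nated or responder_nated) else IKE_PORT


def peer1_to_peer3():
    """IKE_PEER1 (1.1.1.1) sends to NAT2 (2.1.1.2); IKE_PEER3 (3.1.1.1) sees it
    arrive from NAT1's outside address 1.1.1.10 on a NAT-assigned port.
    SPIr is 0 in the IKE_SA_INIT request, as on the wire."""
    spi_i, spi_r = 0x1111111111111111, 0  # constructed
    notifies = initiator_notifies(spi_i, spi_r, ("1.1.1.1", IKE_PORT), ("2.1.1.2", IKE_PORT))
    return responder_checks(spi_i, spi_r, notifies, ("1.1.1.10", 40001), ("3.1.1.1", IKE_PORT))


if __name__ == "__main__":
    i_nat, r_nat = peer1_to_peer3()
    print(f"initiator NATed: {i_nat}, responder NATed: {r_nat}, port {port_after_detection(i_nat, r_nat)}")
```

Because the hashes cover the SPIs, IKE_PEER3 tells IKE_PEER1 and IKE_PEER2 apart by SPI even though both arrive from 1.1.1.10; the peer identity itself is carried in the IDi/IDr payloads, not taken from the outer source address.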

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
