Hi Syed,
On Mon, Dec 28, 2009 at 5:51 PM, Syed Ajim Hussain <sye...@huawei.com> wrote:

> Hi All
> I have some doubt about NAT with IPsec/IKE.
>
> Example: take a topology:
>
> IKE_PEER1 ----------- NAT1 ---------------- NAT2 Server --- IKE_PEER3
> (1.1.1.1)      |    (1.1.1.10)  (2.1.1.1)    (2.1.1.2)      (3.1.1.1)
>                |
> IKE_PEER2 -----|
> (1.1.1.2)
>
> IKE_PEER1 and IKE_PEER2, behind the same NAT device NAT1, want to
> establish IPsec tunnels with IKE_PEER3, which is behind a NAT server
> (service running behind a NAT).
>
> For IKE_PEER1 and IKE_PEER2, the NAT2 server address (2.1.1.2) is the
> peer address, since IKE_PEER3 is running behind a NAT server.
>
> Questions:
>
> 1. For IKE_PEER3, 2.1.1.1 is the peer address for both IKE_PEER1 and
> IKE_PEER2. If the IKE ID type is IP address, then how can IKE SAs be
> established between IKE_PEER1 & IKE_PEER3 and IKE_PEER2 & IKE_PEER3?

Even though IKE_PEER3 sees the same IP address for IKE_PEER1 and IKE_PEER2, the source port will be different to distinguish the connections.

> 2. If the ID type is based on name (FQDN), say an IPsec tunnel is
> established between IKE_PEER1 & IKE_PEER3. If the IPsec SA mode is
> tunnel, now the inner IP header may have the destination IP address as
> the NAT2 server's address, that is (2.1.1.2). This original IP packet
> will be the payload of the IPsec-encapsulated packet.
>
> Since the NAT2 server will change only the outer IP header destination
> address to forward the packet to IKE_PEER3.
>
> Now in IKE_PEER3, after IPsec decapsulation, the original packet will
> have 2.1.1.2 (the NAT server's address) as destination address. Now how
> can this packet be processed in IKE_PEER3?

IKE_PEER3 can forward these packets to the NAT device as they are not destined to it.

> Can tunnel mode not be supported in such a topology?
>
> If the RFC is not clear about such a solution, then we can have one RFC
> to solve this scenario.
>
> With Regards
> Syed Ajim

Regards,
Raj
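The point in the reply above (the responder separates two initiators that arrive from one post-NAT address by their differing source ports) can be shown concretely. The following is an added example, not code from the thread or from any IKE implementation: it builds the IKEv2 NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP payload data as RFC 7296 section 2.23 defines it (SHA-1 over SPIi, SPIr, IP address and port) and walks the thread's topology through it, so it also shows how IKE_PEER3 and the initiators learn that NATs sit on the path, which goes a step beyond the reply. The addresses are the thread's; the SPI values and the translated ports 40001 and 40002 that NAT1 assigns are constructed assumptions.

```python
"""Added example (not from the thread): how an IKEv2 responder behind NAT
tells two initiators behind the same NAT apart, and how both ends learn
that NATs sit on the path (RFC 7296 section 2.23 NAT_DETECTION_* payloads).

Addresses follow the topology in the thread; the translated ports 40001
and 40002 and the SPI values are constructed assumptions."""
import hashlib
import ipaddress
import struct
from dataclasses import dataclass

ZERO_SPI = bytes(8)  # SPIr is still all zeros in the IKE_SA_INIT request


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP payload data:
    SHA-1 over SPIi || SPIr || IP address || UDP port (network byte order)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


@dataclass(frozen=True)
class IkeSaInit:
    """The fields of an IKE_SA_INIT request that matter for this example."""
    spi_i: bytes
    nat_src_hash: bytes   # sender's hash over its own (pre-NAT) source addr/port
    nat_dst_hash: bytes   # sender's hash over the address and port it dialled


def build_request(spi_i: bytes, src_ip: str, src_port: int,
                  dst_ip: str, dst_port: int) -> IkeSaInit:
    """Initiator side: it knows only its private address and the address it dials."""
    return IkeSaInit(
        spi_i=spi_i,
        nat_src_hash=nat_detection_hash(spi_i, ZERO_SPI, src_ip, src_port),
        nat_dst_hash=nat_detection_hash(spi_i, ZERO_SPI, dst_ip, dst_port),
    )


def responder_nat_check(req: IkeSaInit, seen_src_ip: str, seen_src_port: int,
                        local_ip: str, local_port: int) -> dict:
    """Responder side: recompute both hashes over the addresses as they actually
    arrived on the wire. A mismatch means a NAT rewrote that end of the path."""
    src_ok = nat_detection_hash(req.spi_i, ZERO_SPI, seen_src_ip, seen_src_port) == req.nat_src_hash
    dst_ok = nat_detection_hash(req.spi_i, ZERO_SPI, local_ip, local_port) == req.nat_dst_hash
    return {"initiator_behind_nat": not src_ok, "responder_behind_nat": not dst_ok}


def demux_key(req: IkeSaInit, seen_src_ip: str, seen_src_port: int) -> tuple:
    """Half-open SA table key at the responder: the post-NAT source port (plus
    SPIi) separates peers that share one translated address."""
    return (seen_src_ip, seen_src_port, req.spi_i)


def scenario() -> dict:
    """IKE_PEER1 and IKE_PEER2 (behind NAT1) both dial NAT2's public address;
    IKE_PEER3 (3.1.1.1) receives both from NAT1's public address 2.1.1.1."""
    req1 = build_request(b"\x11" * 8, "1.1.1.1", 500, "2.1.1.2", 500)
    req2 = build_request(b"\x22" * 8, "1.1.1.2", 500, "2.1.1.2", 500)
    # NAT1 rewrites the source to 2.1.1.1 with distinct ports (assumed values);
    # NAT2 rewrites the destination to IKE_PEER3's real address 3.1.1.1.
    on_wire = {"peer1": ("2.1.1.1", 40001), "peer2": ("2.1.1.1", 40002)}
    table = {}
    verdicts = {}
    for name, req in (("peer1", req1), ("peer2", req2)):
        ip, port = on_wire[name]
        table[demux_key(req, ip, port)] = name
        verdicts[name] = responder_nat_check(req, ip, port, "3.1.1.1", 500)
    return {"distinct_sas": len(table), "verdicts": verdicts}


if __name__ == "__main__":
    print(scenario())
```

Run as a script it reports two distinct half-open SAs at IKE_PEER3 and, for each, that both the initiator and the responder are behind a NAT, which is exactly the condition under which the peers move to UDP encapsulation on port 4500 so that the ESP traffic survives the same translation.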
_______________________________________________ IPsec mailing list IPsec@ietf.org https://www.ietf.org/mailman/listinfo/ipsec