Raj Singh writes:
> Suppose responder got IKE_AUTH request (NIP1, NP1), and now mapping got
> removed at NAT box.
> If responder will send packet to last integrity protected packet
> i.e. IKE_AUTH request.
No. Section 3.1 clearly says that ALL IKE response messages are always replied back to the address and port where the request came from, i.e. "that the IP addresses and UDP ports from the headers are reversed and used for return packets." And as the responder always gets the IKE_AUTH requests from the initiator, and it always sends IKE_AUTH responses back, there is no need for anything else than the normal IKE message processing.

> It will send IKE_AUTH packet to (NIP1, NP1), but now NAT mappings are
> removed, so it will not reach the initiator.

That is fine, but as the IKE_AUTH response does not reach the initiator, the initiator will resend its request, the NAT will create a new mapping for it, its headers could then say (NIP1, NP2), and when the responder sees that, it will retransmit its IKE_AUTH response to that address.

> If we are using EAP authentication then first IKE_AUTH will not contain AUTH
> payload, so it's NOT an authenticated packet.

Yes.

> It's only integrity protected. That was the thought behind the question.

Yes. But as there is already a clear rule for how to process those request/response pairs in section 3.1 (which is not NAT-T specific, but generic IKEv2 processing rules), there is no special case here for NAT-T. When the final IKE_AUTH exchange comes (the one containing the AUTH payload), then the responder has the last authenticated IKE packet, and it will take the addresses and ports from there to be used in future exchanges (IKE exchanges, or UDP-encapsulated ESP packets).

-- 
kivi...@iki.fi

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
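The two rules in the reply above, as an added toy model that is not part of the list post or of any IKE implementation: every response goes back to the source address/port of the request copy that triggered it, while the address the responder uses on its own initiative (later exchanges, UDP-encapsulated ESP) is taken only from the last request that carried an AUTH payload. The NAT-side addresses and ports are constructed sample values standing in for (NIP1, NP1) and (NIP1, NP2).

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Addr = Tuple[str, int]  # (IP, UDP port) as seen by the responder, i.e. post-NAT


@dataclass
class Request:
    msg_id: int
    src: Addr            # NAT-translated source address/port of this copy
    has_auth: bool = False  # True only for the IKE_AUTH carrying an AUTH payload


@dataclass
class Responder:
    peer_addr: Optional[Addr] = None   # from the last authenticated packet only
    last_msg_id: int = -1
    sent: List[Tuple[int, Addr]] = field(default_factory=list)

    def receive(self, req: Request) -> Addr:
        """Process one request copy; return where its response is sent."""
        if req.msg_id == self.last_msg_id:
            # Retransmitted request (e.g. the first response was lost because
            # the NAT mapping vanished): retransmit the response, but to the
            # source of *this* copy, which may be a fresh NAT mapping.
            dest = req.src
        elif req.msg_id == self.last_msg_id + 1:
            self.last_msg_id = req.msg_id
            dest = req.src      # header addresses reversed, as section 3.1 says
        else:
            raise ValueError("message id outside the window")
        if req.has_auth:
            # Only an authenticated packet may move the peer address.
            self.peer_addr = req.src
        self.sent.append((req.msg_id, dest))
        return dest

    def own_initiative_dest(self) -> Addr:
        """Destination for responder-initiated IKE or UDP-encapsulated ESP."""
        if self.peer_addr is None:
            raise RuntimeError("no authenticated packet seen yet")
        return self.peer_addr
```

Walking the EAP case through it: the first IKE_AUTH (no AUTH payload) and its retransmission from a new NAT port both get answered at their own source, but `peer_addr` stays unset until the final IKE_AUTH with AUTH arrives.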