Hi Tobias:

The ports used for IKE packets would not be randomized since IKE would not use the 
source port for LB and so should be stable at the NAT.

Cheers,

Paul

-----Original Message-----
From: Tobias Brunner <tob...@strongswan.org> 
Sent: Thursday, July 15, 2021 1:36 AM
To: Bottorff, Paul <paul.botto...@hpe.com>; Valery Smyslov 
<smyslov.i...@gmail.com>; 'Tero Kivinen' <kivi...@iki.fi>; 
antony.ant...@secunet.com; 'IPsec' <ipsec@ietf.org>
Subject: Re: [IPsec] draft-xu-ipsecme-esp-in-udp-lb-07

Hi Paul,

> Instead, the responder should use the port received by the responder in the 
> IKE exchanges.

Note that if these packets have random source ports, this will only work if the 
NAT implementation plays along or there is static port forwarding configured.  
NATs might filter inbound packets from endpoints that don't equal the IP/port 
to which the host behind the NAT originally sent packets when the NAT mapping 
was created (address and port-dependent filtering in terms of RFC 4787).  I 
guess the same could happen in scenarios where there are no NATs but 
restrictive firewalls that block traffic from endpoints to which the host 
behind the firewall did not send traffic.

Regards,
Tobias
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
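As an added illustration of the NAT behaviour Tobias describes (not code from the thread, the draft or strongSwan): a toy model of the three RFC 4787 filtering behaviours, with an initiator behind the NAT sending IKE on UDP 4500 and the responder answering either from the stable IKE port or from a random source port. All addresses, ports and the mapping scheme are constructed sample values, and the model deliberately ignores mapping timeouts and hairpinning.

```python
"""Toy model of RFC 4787 NAT filtering, applied to ESP-in-UDP replies that use a
random source port. Addresses are constructed RFC 1918 / RFC 5737 samples."""

from dataclasses import dataclass, field
from itertools import count

# RFC 4787 section 5 filtering behaviours.
ENDPOINT_INDEPENDENT = "endpoint-independent"
ADDRESS_DEPENDENT = "address-dependent"
ADDRESS_AND_PORT_DEPENDENT = "address-and-port-dependent"


@dataclass
class Mapping:
    internal: tuple            # (ip, port) of the host behind the NAT
    external_port: int         # port allocated on the NAT's public address
    peers: set = field(default_factory=set)  # external endpoints sent to


class Nat:
    """Endpoint-independent mapping (one external port per internal ip:port,
    RFC 4787 REQ-1) combined with a configurable inbound filtering rule."""

    def __init__(self, public_ip, filtering, first_port=60000):
        self.public_ip = public_ip
        self.filtering = filtering
        self._ports = count(first_port)
        self._by_internal = {}
        self._by_external = {}

    def outbound(self, src, dst):
        """Internal host sends src -> dst; returns the translated source."""
        m = self._by_internal.get(src)
        if m is None:
            m = Mapping(src, next(self._ports))
            self._by_internal[src] = m
            self._by_external[m.external_port] = m
        m.peers.add(dst)
        return (self.public_ip, m.external_port)

    def inbound(self, src, dst):
        """External src sends to the NAT's dst; returns the internal
        destination, or None when the filtering rule drops the packet."""
        if dst[0] != self.public_ip or dst[1] not in self._by_external:
            return None                      # no mapping at all
        m = self._by_external[dst[1]]
        if self.filtering == ENDPOINT_INDEPENDENT:
            allowed = True
        elif self.filtering == ADDRESS_DEPENDENT:
            allowed = any(p[0] == src[0] for p in m.peers)
        elif self.filtering == ADDRESS_AND_PORT_DEPENDENT:
            allowed = src in m.peers
        else:
            raise ValueError(self.filtering)
        return m.internal if allowed else None


INITIATOR = ("10.0.0.5", 4500)           # constructed: IKE/NAT-T port behind NAT
RESPONDER_IKE = ("203.0.113.10", 4500)   # constructed: responder's IKE/NAT-T port
RANDOM_SRC_PORT = 40123                  # constructed: LB-friendly random port


def run_scenario(filtering):
    """Returns which responder packets reach the initiator under one rule."""
    nat = Nat("198.51.100.1", filtering)
    # 1. Initiator sends IKE; the NAT creates the mapping and records the peer.
    ext = nat.outbound(INITIATOR, RESPONDER_IKE)
    # 2. Responder answers IKE from the ip:port the initiator sent to.
    ike_reply = nat.inbound(RESPONDER_IKE, ext) == INITIATOR
    # 3. Responder sends ESP-in-UDP from a random source port.
    esp_random = nat.inbound((RESPONDER_IKE[0], RANDOM_SRC_PORT), ext) == INITIATOR
    # 4. Responder instead reuses the port it received the IKE packets on.
    esp_stable = nat.inbound(RESPONDER_IKE, ext) == INITIATOR
    return {"ike_reply": ike_reply, "esp_random_port": esp_random,
            "esp_stable_port": esp_stable}


if __name__ == "__main__":
    for rule in (ENDPOINT_INDEPENDENT, ADDRESS_DEPENDENT,
                 ADDRESS_AND_PORT_DEPENDENT):
        print(f"{rule:28s} {run_scenario(rule)}")
```

Only the address-and-port-dependent rule drops the random-source-port ESP packet; the IKE reply and an ESP packet sent from the stable IKE port pass under all three rules, which is the behaviour both messages above are arguing about. A stateful firewall without NAT that only admits return traffic from endpoints the inside host has contacted behaves like the same rule here.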
