On Tue, 16 Nov 2021, Antony Antony wrote:
> When traffic arrives, the IPsec gateway computes the hash. If there is no SA for that hash index, use the Fallback SA and send an SADB_ACQUIRE to the IKE daemon. The IKE daemon will negotiate a new perPath SA for that index. Once a perPath SA is installed, the traffic will use that SA. The perPath SA uses UDP encapsulation, a unique src port + destination port.
Just to clarify further on what Antony said. You can imagine the first fallback SA using regular IKE and ending up using 4500 <-> 4500, although a NAT might change the source port of course. For the perPath SA, the IKE daemon picks a new source port to negotiate the CREATE_CHILD_SA, and will use UDP ENCAPS on this new port. It of course could also end up being NAT'ed, but it would be NAT'ed to a unique free port. The IKE traffic goes over this source port to confirm the network path is clean for this. And the IPsec flows are embedded in UDP, so all the "flow"-acting mechanisms can work for you. We could keep the IKE on its normal 4500 port, but then when we pick a new source port for the new perPath SA, we are not guaranteed that path can actually send UDP ENCAP traffic. The changes to the spec are mostly to use/retain the new port and avoid these new port-based packets from "updating" the NAT port mistakenly.

Paul

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
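The lookup/fallback/ACQUIRE sequence described in the two messages above, as an added simulation that is not part of the thread and is not code from any IKE daemon or from the draft under discussion. It assumes a fixed number of hash indexes, a SHA-256 flow hash, a fallback SA on UDP 4500, and an IKE daemon that answers each SADB_ACQUIRE by "negotiating" a child SA on a fresh, unused UDP source port; the flows, SPIs and port range are constructed values, and NAT rewriting of ports is not modelled.

```python
"""Toy model of perPath child SA selection with a fallback SA.

Constructed example: the flow hash, SPI/port allocation and the
ACQUIRE handling are assumptions, not the behaviour of a real stack.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, int]  # (src, dst, proto, sport, dport)
IKE_PORT = 4500  # port used by the IKE session and the fallback SA


@dataclass(frozen=True)
class ChildSA:
    spi: int
    udp_src_port: int           # UDP-encapsulation source port
    udp_dst_port: int = IKE_PORT


class Gateway:
    """Data plane: hash the flow, use the perPath SA if one exists,
    otherwise fall back and raise one ACQUIRE per missing index."""

    def __init__(self, n_paths: int, fallback: ChildSA) -> None:
        self.n_paths = n_paths
        self.fallback = fallback
        self.per_path: Dict[int, ChildSA] = {}   # hash index -> perPath SA
        self.pending: Set[int] = set()           # indexes with ACQUIRE outstanding
        self.acquires: List[int] = []            # ACQUIREs queued for the IKE daemon

    def path_index(self, flow: FiveTuple) -> int:
        # Assumed hash: SHA-256 over the 5-tuple, reduced to an index.
        digest = hashlib.sha256(repr(flow).encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.n_paths

    def select_sa(self, flow: FiveTuple) -> ChildSA:
        idx = self.path_index(flow)
        sa = self.per_path.get(idx)
        if sa is not None:
            return sa                      # perPath SA installed: use it
        if idx not in self.pending:        # only one ACQUIRE per index
            self.pending.add(idx)
            self.acquires.append(idx)
        return self.fallback               # meanwhile traffic rides the fallback SA

    def install_per_path_sa(self, idx: int, sa: ChildSA) -> None:
        self.per_path[idx] = sa
        self.pending.discard(idx)


class IkeDaemon:
    """Control plane: answers an ACQUIRE by creating a child SA whose UDP
    source port is fresh and not shared with IKE or any other perPath SA."""

    def __init__(self, first_spi: int = 0x1000, first_port: int = 50000) -> None:
        self.next_spi = first_spi
        self.next_port = first_port          # assumed ephemeral range start
        self.ports_in_use: Set[int] = {IKE_PORT}

    def create_child_sa(self, gw: Gateway, idx: int) -> ChildSA:
        while self.next_port in self.ports_in_use:
            self.next_port += 1
        port = self.next_port
        self.ports_in_use.add(port)
        sa = ChildSA(spi=self.next_spi, udp_src_port=port)
        self.next_spi += 1
        gw.install_per_path_sa(idx, sa)
        return sa


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS: List[FiveTuple] = [
    ("10.0.0.1", "10.0.1.1", 6, 40000, 443),
    ("10.0.0.2", "10.0.1.1", 6, 40001, 443),
    ("10.0.0.3", "10.0.1.2", 17, 5000, 53),
    ("10.0.0.4", "10.0.1.3", 6, 40002, 22),
    ("10.0.0.1", "10.0.1.1", 6, 40000, 443),   # repeat of the first flow
]


def run(flows: List[FiveTuple], n_paths: int = 4) -> List[Tuple[int, int, int]]:
    """For each flow: SA used by its first packet, then let the IKE daemon
    service queued ACQUIREs, then SA used by the next packet.
    Returns (hash index, src port before, src port after) per flow."""
    gw = Gateway(n_paths, ChildSA(spi=0x100, udp_src_port=IKE_PORT))
    ike = IkeDaemon()
    trace = []
    for flow in flows:
        before = gw.select_sa(flow)
        while gw.acquires:
            ike.create_child_sa(gw, gw.acquires.pop(0))
        after = gw.select_sa(flow)
        trace.append((gw.path_index(flow), before.udp_src_port, after.udp_src_port))
    return trace


if __name__ == "__main__":
    for idx, before, after in run(SAMPLE_FLOWS):
        print(f"index {idx}: first packet via src port {before}, then {after}")
```

The data plane never blocks on negotiation: the first packet of a new index goes out on the fallback SA (4500) while exactly one ACQUIRE is queued, and every later packet for that index switches to the perPath SA once it is installed. Flows that hash to the same index share one SA and one source port, and no two indexes are given the same port, which is the property the port-retention changes in the draft are meant to protect across a NAT.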