I don't know if I was the only one that
was confused with what exactly was changed in SP2 as far as encapsulation.
The way I originally understood it was that all clients had to be SP2 and the
server had to be SP2 in order to use UDP encapsulation. As it turns out,
UDP encapsulation is just another IKE proposal that is sent to the server *FROM*
the client. If the client isn't SP2 it can't exactly suggest using it.
:)
Description of UDP Encapsulation.
Seeing as UDP encapsulation is a new feature and I was concerned about it
affecting the users with older SecuRemote software, here is a quick and dirty
explanation of UDP encapsulation.
- SR sends an IKE packet to VPN-1; one of the IKE proposals it sends to the gateway is to use UDP encapsulation. Note: only SP2 clients can send this UDP encap proposal; SP1 or earlier clients cannot.
- If the IKE negotiation packet's (UDP 500/500) SRC PORT has NOT been translated, then there is no UDP encapsulation; it just operates like a normal SR IKE session (thus SP2 and SP1-and-earlier SRs can run side by side against a single gateway): a standard proposal is selected and a VPN tunnel is established.
- If the IKE SRC PORT != 500, then the gateway assumes that a NAT HIDE device is between the gateway and the SR. Then, and only then, does it accept the UDP encapsulation proposal. This selection is communicated to the client.
- The client takes note of the selected IKE proposal (encap or a "normal" one) and, if encap, wraps the IPSEC traffic in UDP packets.
It is actually quite an elegant solution, as it is end user transparent and
encapsulation (i.e., the extra overhead) is only used when needed... when the SR
client is behind such a NAT device. When the SR client is moved to another
non-NATed network, no encap takes place.
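The negotiation described above, written out as a small simulation so you can see both sides of the exchange for each client/NAT combination (an added example, not Check Point code; the transform names, the port the NAT picks, and the function names are assumptions):

```python
"""Simulate the SecuRemote SP2 UDP-encapsulation negotiation described above.
Added example, not Check Point code; proposal names and ports are constructed."""
from dataclasses import dataclass

IKE_PORT = 500


@dataclass
class IkePacket:
    src_port: int
    proposals: list  # transforms offered by the client, in preference order


def client_proposals(client_sp: int) -> list:
    """Only SP2 (or later) clients know how to offer UDP encapsulation."""
    standard = ["esp-3des-sha1", "esp-des-md5"]  # constructed transform names
    if client_sp >= 2:
        return ["udp-encap-esp-3des-sha1"] + standard
    return standard


def nat_hide(pkt: IkePacket, translated_port: int) -> IkePacket:
    """A NAT HIDE device rewrites the IKE source port on the way to the gateway."""
    return IkePacket(src_port=translated_port, proposals=pkt.proposals)


def gateway_select(pkt: IkePacket) -> str:
    """Gateway side: accept UDP encapsulation only when the source port shows
    the packet was translated by a NAT device *and* the client offered it."""
    behind_nat = pkt.src_port != IKE_PORT
    if behind_nat:
        for p in pkt.proposals:
            if p.startswith("udp-encap-"):
                return p
    # Not behind NAT, or an SP1/earlier client that cannot offer encapsulation:
    # fall back to the first non-encapsulated proposal (normal SR IKE session).
    for p in pkt.proposals:
        if not p.startswith("udp-encap-"):
            return p
    raise ValueError("no acceptable proposal")


def negotiate(client_sp: int, natted: bool) -> tuple:
    """One exchange; returns (selected proposal, client wraps ESP in UDP?)."""
    pkt = IkePacket(src_port=IKE_PORT, proposals=client_proposals(client_sp))
    if natted:
        pkt = nat_hide(pkt, translated_port=10231)  # constructed NAT port
    chosen = gateway_select(pkt)
    return chosen, chosen.startswith("udp-encap-")


if __name__ == "__main__":
    for sp, nat in [(2, True), (2, False), (1, True), (1, False)]:
        print(f"SP{sp} client, NAT={nat}: {negotiate(sp, nat)}")
```

The SP1-behind-NAT case shows the fallback: with no encap proposal on offer, the gateway can only pick a standard transform, which is why the older clients keep working side by side but never get the encapsulation.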
======================================================================
Joseph Voisin, Systems Administrator,
Engel Canada Inc.
www.engelmachinery.com |
[EMAIL PROTECTED] | (519)836-0220 x436
PGP Fingerprint: A20B 135D 0920 074F C7FE D72D 88A7 2521 5138 DFC2
======================================================================
