Hi Jessie, I think you have to distinguish between transport mode and tunnel mode.
In tunnel mode, the UDP-encapsulated ESP packet contains a complete IP packet. The outer IP header as well as the UDP header are simply discarded in that case. The IP packet which is carried by ESP has its own IP header.

Not sure about transport mode, though. I remember Andreas saying that transport mode is insecure if used together with NAT traversal. I guess the receiving end can reconstruct the original IP header by querying the Security Policy Database.

Did you check http://unixwiz.net/techtips/iguide-ipsec.html? It has some good information on ESP and AH.

-Daniel

Jessie Liu wrote:
> Hi Andreas,
> When the UDP-encapsulated ESP traffic goes through a NAT device and
> reaches the destination end, what will the destination endpoint do to the
> received packets?
> Following is my understanding, please correct me if there is anything wrong,
> thanks.
>
> The destination end will first check the outer IP header and then take off
> the UDP header (of course the destination end has to support NAT-Traversal)
> and modify the outer IP header to the original IPsec outer IP header? After
> this, the ESP packet could be processed as usual.
> Is my understanding correct?
> If this is true, how does the destination end reconstruct the outer IP header?
> Could you provide an example?
>
> Thanks ! ^______^

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
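The decapsulation step discussed in the thread, as an added worked example (not code from the list post or from strongSwan): a receiver that parses a UDP-encapsulated ESP packet per RFC 3948, strips the outer IPv4 and UDP headers, and then either hands back the complete inner IP packet (tunnel mode, next header 4) or rebuilds an IP header from the outer one (transport mode, next header 6 or 17). The sample packets are constructed inline, use the NULL cipher and carry no ICV so that the byte layout is visible; a real ESP SA would decrypt and authenticate the payload before this point. Addresses, SPI and port numbers are made-up values, and the transport-mode header rebuild is a simplified reading of RFC 3948 section 3.1.2 that does not fix up the transport-layer checksum.

```python
"""NAT-T receiver side (RFC 3948): parse IPv4 / UDP:4500 / ESP and recover the protected packet.
All sample data below is constructed for illustration; NULL cipher, no ICV."""
import socket
import struct

IPPROTO_IPIP, IPPROTO_UDP = 4, 17      # ESP next-header values seen in tunnel / transport mode
NATT_PORT = 4500


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over a header whose checksum field is zero."""
    if len(hdr) % 2:
        hdr += b"\0"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def ip_addresses(pkt: bytes) -> tuple:
    src, dst = struct.unpack("!4s4s", pkt[12:20])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst)


def esp_natt_packet(outer_src: str, outer_dst: str, spi: int, seq: int,
                    protected: bytes, next_header: int) -> bytes:
    """Sender side: ESP(NULL cipher) -> UDP 4500/4500 -> outer IPv4.  Constructed, not strongSwan's code."""
    pad_len = (-(len(protected) + 2)) % 4             # ESP trailer aligns to 4 bytes
    esp = (struct.pack("!II", spi, seq) + protected + bytes(range(1, pad_len + 1))
           + struct.pack("!BB", pad_len, next_header))
    udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(outer_src, outer_dst, IPPROTO_UDP, len(udp)) + udp


def classify_natt_payload(udp_payload: bytes) -> str:
    """RFC 3948 section 2: 0xFF alone is a NAT keepalive, four zero bytes is the
    Non-ESP marker in front of IKE, anything else starts with a non-zero SPI (ESP)."""
    if udp_payload == b"\xff":
        return "keepalive"
    if udp_payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    return "esp"


def decapsulate(packet: bytes) -> dict:
    """Receiver side: discard outer IP + UDP, read the ESP header/trailer, return the inner packet."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != IPPROTO_UDP:
        raise ValueError("outer protocol is not UDP, so this is not UDP-encapsulated ESP")
    _, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != NATT_PORT:
        raise ValueError("not the NAT-T port; an IKE or ESP socket would not see this")
    payload = packet[ihl + 8:ihl + ulen]
    kind = classify_natt_payload(payload)
    if kind != "esp":
        return {"kind": kind}
    spi, seq = struct.unpack("!II", payload[:8])
    pad_len, next_header = payload[-2], payload[-1]
    data = payload[8:len(payload) - 2 - pad_len]      # plaintext after (NULL) decryption
    if next_header == IPPROTO_IPIP:
        # Tunnel mode: the protected payload is a complete IP packet with its own header,
        # so the outer IP and UDP headers are simply dropped.  Nothing to reconstruct.
        return {"kind": kind, "mode": "tunnel", "spi": spi, "seq": seq, "packet": data}
    # Transport mode: only a transport segment was protected.  Following RFC 3948 section 3.1.2
    # (simplified here), rebuild an IP header from the outer header as received, with the
    # protocol set to ESP's next header.  The outer addresses may have been rewritten by the NAT,
    # which is why the transport checksum would also need fixing in a real implementation.
    rebuilt = ipv4_header(socket.inet_ntoa(src), socket.inet_ntoa(dst), next_header, len(data))
    return {"kind": kind, "mode": "transport", "spi": spi, "seq": seq, "packet": rebuilt + data}


# Constructed sample traffic: a 4-byte UDP datagram between two private hosts behind NAT.
SAMPLE_INNER = ipv4_header("10.1.0.5", "10.2.0.7", IPPROTO_UDP, 12) \
    + struct.pack("!HHHH", 40000, 53, 12, 0) + b"ping"
TUNNEL_PKT = esp_natt_packet("203.0.113.10", "198.51.100.20", 0x1000, 1, SAMPLE_INNER, IPPROTO_IPIP)
TRANSPORT_PKT = esp_natt_packet("203.0.113.10", "198.51.100.20", 0x1001, 1, SAMPLE_INNER[20:], IPPROTO_UDP)
KEEPALIVE_PKT = ipv4_header("203.0.113.10", "198.51.100.20", IPPROTO_UDP, 9) \
    + struct.pack("!HHHH", NATT_PORT, NATT_PORT, 9, 0) + b"\xff"

if __name__ == "__main__":
    for name, pkt in (("tunnel", TUNNEL_PKT), ("transport", TRANSPORT_PKT), ("keepalive", KEEPALIVE_PKT)):
        result = decapsulate(pkt)
        inner = result.get("packet")
        print(name, result.get("kind"), result.get("mode"), ip_addresses(inner) if inner else "")
```

Running it shows the point of the thread: the tunnel-mode result carries the original 10.1.0.5 / 10.2.0.7 header untouched, while the transport-mode result gets a header built from the outer (NAT-side) addresses, which is exactly what the receiver must otherwise look up or fix up.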