
6. IPSec masquerade technical notes and special considerations

The portion of the ISAKMP key exchange where the ESP SPI values are communicated is encrypted, so the ESP SPI values must be determined by inspection of the actual ESP traffic. Also, the outbound ESP traffic does not contain any indication of what the inbound SPI will be. This means there is no perfectly reliable way to associate inbound ESP traffic with outbound ESP traffic.

The IPSec masq patch attempts to associate inbound and outbound ESP traffic by serializing initial ESP traffic on a by-remote-host basis. What this means is:

There are several ways this can fail to associate traffic properly:

The best solution is to have some way to preload the masq table with the properly associated out-SPI/in-SPI pair or some other mapping of remote_host + inbound_SPI to masqueraded_host. This cannot be done by inspecting the ISAKMP key exchange, as it is encrypted. It may be possible to use Host-NAT to communicate with the masqueraded IPSec host and request notification of SPI information once it has been negotiated. This is being investigated. If something is done to implement this it probably will be done in the 2.2.x series patches but not in the 2.0.x series.
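As an added illustration of the scheme described above (this is not the patch's own code; the exact hold rule is an assumption about what "serializing initial ESP traffic on a by-remote-host basis" means): a small model of the masq table that learns the inbound SPI from the first reply to an unresolved outbound flow, holds a second masqueraded host's new flow to the same remote until that association is known, and accepts a preloaded remote_host + inbound_SPI to masqueraded_host mapping. Host addresses are constructed RFC 5737 documentation values.

```python
import struct
from collections import deque


def make_esp(spi: int, seq: int = 1) -> bytes:
    """Constructed sample ESP payload: SPI and sequence number, then dummy data."""
    return struct.pack("!II", spi, seq) + b"\x00" * 8


def spi_of(esp_payload: bytes) -> int:
    """ESP header begins with a 4-byte big-endian SPI followed by a 4-byte sequence number."""
    if len(esp_payload) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!II", esp_payload[:8])[0]


class EspMasqTable:
    def __init__(self):
        self.inbound = {}    # (remote_host, inbound_spi) -> masq_host
        self.outbound = set()  # (masq_host, remote_host, outbound_spi) seen
        self.pending = {}    # remote_host -> deque of masq hosts awaiting an in-SPI

    def preload(self, remote_host, inbound_spi, masq_host):
        """Static association, the preloading the text proposes as the best solution."""
        self.inbound[(remote_host, inbound_spi)] = masq_host

    def outbound_packet(self, masq_host, remote_host, esp_payload):
        """True if the packet may be forwarded now; False if it is held because
        another masqueraded host's new flow to this remote is still unresolved."""
        key = (masq_host, remote_host, spi_of(esp_payload))
        if key in self.outbound:
            return True  # established flow, no ambiguity
        queue = self.pending.setdefault(remote_host, deque())
        if queue and queue[0] != masq_host:
            return False  # serialize: only one unresolved initiator per remote host
        self.outbound.add(key)
        if masq_host not in queue:
            queue.append(masq_host)
        return True

    def inbound_packet(self, remote_host, esp_payload):
        """Masqueraded host to deliver to, or None when no association can be made."""
        spi = spi_of(esp_payload)
        known = self.inbound.get((remote_host, spi))
        if known is not None:
            return known
        queue = self.pending.get(remote_host)
        if not queue:
            return None  # nobody is waiting for a reply from this remote
        masq_host = queue.popleft()  # first reply is attributed to the oldest initiator
        self.inbound[(remote_host, spi)] = masq_host
        return masq_host
```

The None return is the case the text warns about: with no pending initiator, nothing in the packet says which internal host the inbound SPI belongs to.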

