Chris Brenton wrote: [snip]
True this only works for one to one NAT. Many to one NAT will still break IPSec, even if ESP is used alone. This is a functionality issue however (IPSec using a fixed source port of 500), rather than a "preventing packet modification to thwart man-in-the-middle attacks" thing.
IPsec does not use port 500. IKE uses port 500/udp. IKE is an additional protocol that is widely used to establish SAs and provide keying materials for IPsec, but it is not required for a compliant IPsec implementation. In addition, most IKE implementations do not care whether the source port on a IKE packet is 500/udp or not. As I explained previously, ESP alone is un-NAT able in the general case due to the fact that it is a peer-to-peer protocol, not client-to- server, and the SPIs in either direction are unrelated. -- Crist J. Clark crist.clark@globalstar.com Globalstar Communications (408) 933-4387