IPSec over TCP

D. Hugh Redelmeier hugh-pmF8o41NoarQT0dZR+AlfA at public.gmane.org
Mon Dec 5 09:22:33 UTC 2005


| From: Lennart Sorensen <lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org>

| I believe IPsec as per the standard runs on port udp/500 and uses
| protocol esp and/or ah for key exchange.

Close, but backwards.

IKE, the key exchange protocol, uses UDP/500.  I think TCP/500 is
reserved but the protocol does not use it.

AH and ESP are the protocols for the data streams.

There are perversions to do "NAT traversal".  These are not part of
the IPsec standard.  I don't know the details, but they tend to use
UDP to piggyback ESP and AH packets.  I think that UDP/4500 is
sometimes used to evade the damage that "IPsec passthrough" inflicts on
UDP/500.

TCP is not a great way to handle IPsec.  Reliable delivery comes at a
price and is not needed.
--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml
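The split the post describes (IKE on UDP/500, ESP and AH as their own IP protocols for the data stream, and NAT traversal moving both IKE and ESP onto UDP/4500) can be checked on the wire. The following classifier is an added example and is not code from the post or from any IPsec implementation. It assumes the IANA protocol numbers (ESP = 50, AH = 51, UDP = 17) and the RFC 3948 rules for UDP/4500: a single 0xFF byte is a NAT keepalive, four zero bytes (the "non-ESP marker") prefix an IKE message, and anything else is UDP-encapsulated ESP (an ESP SPI of zero is reserved, so the marker cannot collide with one). The packets it runs on are constructed inline; addresses and SPIs are arbitrary.

```python
"""Classify IPv4 packets by the IPsec component they carry (added example)."""
import ipaddress
import struct

# IANA assignments (reference facts, not inferred from the post).
IPPROTO_UDP = 17
IPPROTO_ESP = 50   # Encapsulating Security Payload: the encrypted data stream
IPPROTO_AH = 51    # Authentication Header: the integrity-only data stream
PORT_IKE = 500     # ISAKMP/IKE, the key exchange
PORT_NATT = 4500   # IPsec NAT traversal (RFC 3947/3948)

# RFC 3948 demultiplexing on UDP/4500, by the first bytes after the UDP header.
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE carried on 4500
NAT_KEEPALIVE = b"\xff"                # one-byte keepalive, no IPsec inside


def build_ipv4(proto, payload, src="10.0.0.1", dst="192.0.2.7"):
    """Constructed sample: minimal IPv4 header (no options, zero checksum)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_udp(sport, dport, data):
    """Constructed sample: UDP header with a zero (unchecked) checksum."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def build_ike_header(major=2, exch=34, ispi=0x1122334455667788, length=28):
    """Constructed sample: the fixed 28-byte ISAKMP/IKE header, no payloads.

    Layout: initiator SPI, responder SPI, next payload, version (major in the
    high nibble), exchange type, flags, message ID, total length.
    """
    return struct.pack("!QQBBBBII", ispi, 0, 0, major << 4, exch, 0x08, 0, length)


def _describe_ike(data):
    if len(data) < 28:
        return "IKE (truncated header)"
    ispi, _rspi, _next, version = struct.unpack("!QQBB", data[:18])
    return f"IKEv{version >> 4} ispi=0x{ispi:016x}"


def _describe_esp(data):
    if len(data) < 8:
        return "ESP (truncated)"
    spi, seq = struct.unpack("!II", data[:8])   # SPI and sequence number
    return f"ESP spi=0x{spi:08x} seq={seq}"


def classify(packet):
    """Return a label saying which IPsec component an IPv4 packet carries."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not IPv4"
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    payload = packet[ihl:]

    # The data stream is not on a port at all: ESP and AH are IP protocols.
    if proto == IPPROTO_ESP:
        return _describe_esp(payload)
    if proto == IPPROTO_AH:
        return "AH"
    if proto != IPPROTO_UDP or len(payload) < 8:
        return f"not IPsec (ip proto {proto})"

    sport, dport = struct.unpack("!HH", payload[:4])
    data = payload[8:]
    if PORT_IKE in (sport, dport):          # plain IKE, no NAT between peers
        return "UDP/500 " + _describe_ike(data)
    if PORT_NATT in (sport, dport):         # NAT traversal: IKE or ESP in UDP
        if data == NAT_KEEPALIVE:
            return "UDP/4500 NAT-T keepalive"
        if data[:4] == NON_ESP_MARKER:
            return "UDP/4500 " + _describe_ike(data[4:])
        return "UDP/4500 " + _describe_esp(data)
    return f"not IPsec (udp {sport}->{dport})"


if __name__ == "__main__":
    esp_body = struct.pack("!II", 0xC0FFEE, 1) + b"\x00" * 16
    samples = [
        build_ipv4(IPPROTO_UDP, build_udp(500, 500, build_ike_header())),
        build_ipv4(IPPROTO_ESP, esp_body),
        build_ipv4(IPPROTO_AH, b"\x00" * 24),
        build_ipv4(IPPROTO_UDP, build_udp(4500, 4500,
                                          NON_ESP_MARKER + build_ike_header(major=1, exch=2))),
        build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, esp_body)),
        build_ipv4(IPPROTO_UDP, build_udp(4500, 4500, NAT_KEEPALIVE)),
    ]
    for pkt in samples:
        print(classify(pkt))
```

The ordering of the UDP/4500 checks matters: the keepalive is tested before the marker because a one-byte payload cannot carry either IKE or ESP, and the marker is tested before falling through to ESP because a real ESP packet can never start with a zero SPI. The same three-way split is what a firewall or IDS rule on port 4500 has to make before it can say anything useful about the traffic.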