Brian Swander | 1 Aug 2002 18:48

RE: Clarification of potential NAT multiple client solutions

There are lots of problems with that form of passthru with transport
mode.  Just a couple: 

1. If you have multiple simultaneous connections behind the NAT, the NAT
will have difficulty mapping the unseen SPIs from the external host to
the outgoing SPI it has seen, since it only uses time proximity and no
better smarts.  This problem also exists for tunnel mode passthru.  So
it cannot claim to be an industrial strength solution.
2. Still have the demux issues of multiple clients behind the same NAT
talking to the same external server.
3. Still need to modify IKE to get the negotiation to succeed (QM
proxy addresses at least).
4. Still need to deal with the incorrect transport layer checksum.

In short, passthru is potentially tolerable for tunnel mode in some
scenarios, but fails pretty badly for transport.

bs

-----Original Message-----
From: Jayant Shukla [mailto:jshukla <at> trlokom.com] 
Sent: Thursday, August 01, 2002 9:36 AM
To: William Dixon; Brian Swander; ipsec <at> lists.tislabs.com
Subject: RE: Clarification of potential NAT multiple client solutions 

Hi William,

I am referring to the method used by NAT boxes to let IKE & IPsec
traffic pass through based on cookies and SPI. It is the same method
that caused problem for the earlier version of your draft that required
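Point 4 of the reply above (the stale transport-layer checksum) is easy to see with a small simulation. The following is an added example, not code from the thread or from any IPsec implementation: it builds a TCP segment with its checksum over the IPv4 pseudo-header, shows that a NAT can patch that checksum on a plaintext segment (RFC 1624 incremental update), and then shows that once the same segment travels inside an ESP transport-mode payload the NAT cannot touch it, so the receiver fails verification unless it learns the pre-NAT inside address some other way. The addresses are documentation/private addresses chosen for the example, the "ESP" encryption is a toy XOR stand-in that only models the payload being opaque to the NAT, and the function names are this example's own.

```python
"""
Added example (not from the thread above): why a NAT can fix a plaintext TCP
checksum but not the checksum inside an ESP transport-mode packet.

The TCP checksum covers a pseudo-header containing the original IP addresses.
In transport mode that checksum sits inside the ESP payload, so once the NAT
rewrites the outer source address the checksum is stale and the NAT cannot
even see it. The receiver can repair it only if it learns the pre-NAT
address by some other channel.

Addresses: RFC 5737 documentation ranges plus one RFC 1918 address, chosen
for this example. toy_esp() is a XOR stand-in for ESP, not real ESP.
"""
import socket
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header: src, dst, zero byte, protocol, TCP length."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def build_tcp_segment(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (no options) plus payload, checksum filled in."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    seg = hdr + payload
    csum = (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + seg)) & 0xFFFF
    return seg[:16] + struct.pack("!H", csum) + seg[18:]   # checksum field is bytes 16..17


def tcp_checksum_ok(src_ip, dst_ip, seg: bytes) -> bool:
    """A segment verifies when pseudo-header + segment sums to 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(seg)) + seg) == 0xFFFF


def incremental_update(csum: int, old: bytes, new: bytes) -> int:
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'): how a NAT patches a visible checksum."""
    total = ((~csum) & 0xFFFF) + ((~ones_complement_sum(old)) & 0xFFFF) + ones_complement_sum(new)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def nat_rewrite(seg: bytes, old_src: str, new_src: str) -> bytes:
    """Patch a segment's checksum for a source-address change (NAT on plaintext)."""
    old_csum = struct.unpack("!H", seg[16:18])[0]
    new_csum = incremental_update(old_csum, socket.inet_aton(old_src), socket.inet_aton(new_src))
    return seg[:16] + struct.pack("!H", new_csum) + seg[18:]


TOY_KEY = b"\x5a\xc3\x9e\x17"   # constructed; stands in for the ESP SA key


def toy_esp(data: bytes) -> bytes:
    """Toy reversible transform: models only that the NAT sees opaque bytes."""
    return bytes(b ^ TOY_KEY[i % len(TOY_KEY)] for i, b in enumerate(data))


def scenario() -> dict:
    inside, nat_public, server = "192.168.1.10", "198.51.100.1", "203.0.113.5"
    seg = build_tcp_segment(inside, server, 40000, 80, b"GET / HTTP/1.0\r\n\r\n")

    # 1. Plaintext TCP: the NAT rewrites src and patches the checksum; server verifies.
    plain_after_nat = nat_rewrite(seg, inside, nat_public)
    plain_ok = tcp_checksum_ok(nat_public, server, plain_after_nat)

    # 2. ESP transport mode: the NAT rewrites only the outer IP header; the
    #    segment and its checksum travel untouched inside the ESP payload.
    seg_at_server = toy_esp(toy_esp(seg))          # encrypt at client, decrypt at server
    esp_ok_naive = tcp_checksum_ok(nat_public, server, seg_at_server)   # stale checksum

    # 3. The receiver passes only if it knows the original inside address,
    #    either verifying against it or applying the NAT's fix-up itself.
    esp_ok_with_original = tcp_checksum_ok(inside, server, seg_at_server)
    esp_ok_repaired = tcp_checksum_ok(nat_public, server,
                                      nat_rewrite(seg_at_server, inside, nat_public))

    return {
        "plaintext_after_nat": plain_ok,
        "esp_without_original_addr": esp_ok_naive,
        "esp_with_original_addr": esp_ok_with_original,
        "esp_repaired_by_receiver": esp_ok_repaired,
    }


if __name__ == "__main__":
    for name, ok in scenario().items():
        print(f"{name}: {ok}")
```

The receiver-side repair in step 3 is exactly the information the NAT already has but cannot apply: the original inside address. That is why transport-mode passthru needs the IKE negotiation to carry it, whereas in tunnel mode the inner IP header and its checksum relationship survive untouched.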

