Problems with IPsec

When a Security Protocol is used to protect IPsec traffic, packets can often grow larger than the Maximum Transmission Unit (MTU) of a given gateway interface, because of the overhead added by new protocol headers and packet encapsulation. Some poorly designed routers simply refuse to fragment or forward certain packet types when they exceed an arbitrary size. Other routers drop packet fragments even when the fragments are an acceptable size for the interface MTU. Finally, problems are very common when a router that performs Network Address Translation (NAT) sits between two IPsec Peers.


To work around these issues, several extensions to the IPsec protocol suite have been devised, but they are not universally supported across platforms.



Related Protocol Extensions



IKE Fragmentation - In some instances, key exchange packets can be large enough to suffer the packet loss described above. By using an extension to the IKE protocol, IPsec Peers can exchange large packets even when a problematic router exists between them.


NAT Traversal - Almost all personal firewall appliances employ NAT so that multiple devices can share a single Internet connection. By using extensions to the IKE and ESP protocols, IPsec Peers can exchange packets even when a NAT device exists between them.


All extensions listed above are supported by the Shrew Soft VPN Client. IKE Fragmentation is a supported feature of the IPsec Tools racoon daemon. NAT Traversal requires kernel support. Please refer to your gateway operating system documentation for more details.
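As an added illustration of the header and encapsulation overhead described above (example code, not part of this page or of the Shrew Soft client), the following estimates how much an ESP tunnel-mode packet grows, with and without the UDP encapsulation used by NAT Traversal, and derives the largest inner packet that still fits a given path MTU. It assumes an AES-CBC transform with a 16-byte IV and an HMAC-SHA1-96 integrity check; other transforms change only the constants.

```python
# Constructed example: size growth of ESP tunnel-mode packets.
# Assumed transform: AES-CBC (16-byte IV, 16-byte block), HMAC-SHA1-96 (12-byte ICV).

OUTER_IPV4 = 20    # outer IPv4 header added by tunnel mode
UDP_NATT = 8       # UDP header added by NAT-Traversal encapsulation
ESP_HDR = 8        # ESP SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """On-the-wire size of an ESP tunnel-mode packet that carries an inner
    IP packet of inner_len bytes."""
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = OUTER_IPV4 + ESP_HDR + iv_len + padded + icv_len
    if nat_t:
        size += UDP_NATT  # NAT-T wraps the ESP packet in UDP
    return size


def oversized(inner_len, mtu, **kw):
    """True when the encapsulated packet exceeds the path MTU and would need
    fragmentation (or be dropped by a router that refuses to fragment)."""
    return esp_tunnel_size(inner_len, **kw) > mtu


def max_inner_len(mtu, **kw):
    """Largest inner IP packet whose encapsulated form fits within mtu bytes.
    Size grows monotonically with inner_len, so a linear scan is sufficient."""
    best = 0
    for n in range(mtu + 1):
        if esp_tunnel_size(n, **kw) <= mtu:
            best = n
    return best


if __name__ == "__main__":
    mtu = 1500
    for nat_t in (False, True):
        label = "with NAT-T" if nat_t else "without NAT-T"
        print(f"{label}: 1500-byte inner packet becomes "
              f"{esp_tunnel_size(1500, nat_t=nat_t)} bytes; "
              f"largest inner packet fitting MTU {mtu} is "
              f"{max_inner_len(mtu, nat_t=nat_t)} bytes")
```

A full-size 1500-byte inner packet therefore never fits a 1500-byte path MTU once encapsulated, which is why the extensions above exist.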

Copyright © 2010, Shrew Soft Inc