When using a Transport Protocol operating in Tunnel Mode, packets can often
grow to be larger than the Maximum Transmission Unit (or MTU) for a given
gateway interface. This is due to the added overhead associated with packet
encapsulation. Some poorly designed routers may simply refuse to fragment or
forward certain packet types if they are larger than an arbitrary size. Other
routers may drop packet fragments even if they are an acceptable size for the
given interface MTU. Finally, it is very common for problems to occur when a
router that performs Network Address Translation (or NAT) exists between two
IPSEC Peers.
To circumvent these issues, several extensions to the IPSEC protocol suite have
been devised, but they are not universally supported by all platforms.
NAT Traversal
Almost all personal firewall appliances employ NAT as a means for
multiple devices to share a single Internet connection. By using extensions
to the IKE and ESP protocols, it is possible for IPSEC Peers to exchange
key and transport data even when a NAT device exists between them.
IKE Fragmentation
In some instances, key exchange packets can be large, which will lead to
packet loss as described above. By using an extension to the IKE
protocol, it is possible for IPSEC Peers to exchange key data even when a
problematic router exists between them.
Pre Fragmentation
Encapsulation of large packets can lead to packet loss as described
above. By performing fragmentation prior to encapsulation, it is possible
for IPSEC Peers to exchange transport data even when a problematic router
exists between them.
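The following is an added worked example, not part of the Shrew Soft documentation, that puts numbers on the overhead described above: it computes the on-wire size of an ESP tunnel-mode packet (with and without NAT-T UDP encapsulation), finds the largest cleartext packet that still fits a 1500-byte interface MTU after encapsulation, and splits a full-size cleartext packet the way pre-fragmentation would. The cipher parameters (AES-CBC with a 16-byte IV and block, HMAC-SHA1-96 with a 12-byte ICV) are assumptions chosen for illustration.

```python
# Added example: ESP tunnel-mode overhead and pre-fragmentation sizing.
# Assumed cipher suite: AES-CBC (16-byte IV, 16-byte block), HMAC-SHA1-96 (12-byte ICV).

IPV4_HDR = 20
UDP_HDR = 8          # NAT-T UDP encapsulation header
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """On-wire size of an ESP tunnel-mode packet carrying an inner IP packet
    of inner_len bytes. Padding rounds (inner + trailer) up to the cipher block."""
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    if nat_t:
        size += UDP_HDR  # NAT Traversal wraps ESP in UDP, adding 8 more bytes
    return size


def max_inner_len(mtu, **kw):
    """Largest inner IP packet whose encapsulated form still fits in mtu.
    Pre-fragmentation must cut cleartext packets down to this size."""
    for n in range(mtu, 0, -1):
        if esp_tunnel_size(n, **kw) <= mtu:
            return n
    return 0


def pre_fragment(inner_len, max_inner, ip_hdr=IPV4_HDR):
    """Split a cleartext IPv4 packet of inner_len bytes into fragment sizes no
    larger than max_inner, BEFORE encapsulation. Fragment payloads other than
    the last must be multiples of 8 bytes (the IPv4 fragment offset unit)."""
    if inner_len <= max_inner:
        return [inner_len]
    chunk = ((max_inner - ip_hdr) // 8) * 8
    payload = inner_len - ip_hdr
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(ip_hdr + take)
        payload -= take
    return frags


if __name__ == "__main__":
    mtu = 1500
    print("1500-byte cleartext packet after ESP:", esp_tunnel_size(1500))
    print("  ... with NAT-T:", esp_tunnel_size(1500, nat_t=True))
    print("largest inner packet that fits MTU:", max_inner_len(mtu))
    print("pre-fragmented sizes:", pre_fragment(1500, max_inner_len(mtu)))
```

With these parameters a 1500-byte cleartext packet becomes 1560 bytes on the wire (1568 with NAT-T), so a gateway that will not fragment it drops it; pre-fragmenting to 1436 + 84 bytes lets both encrypted pieces fit within the 1500-byte MTU.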
All extensions listed above are supported by the Shrew Soft VPN Client.
IKE Fragmentation is a supported feature of the ipsec-tools racoon
daemon. NAT Traversal and Pre Fragmentation require kernel support.
Please refer to your gateway operating system documentation for more
details.