14.7. Summary
In this chapter, we took a quick look at the near-term future of IPsec. As we saw, the changes to AH and ESP are minimal, but IKE has been enhanced to make it both simpler and more flexible. IKEv2 is able to negotiate lists of address and port ranges, as well as type/code values for ICMP and IPv6 mobility header types.
The IKEv2 protocol is reliable and uses two message exchanges, making the entire negotiation shorter. IKEv2 can negotiate an IKE SA and the first child SA in only four messages. Because the most common situation requires only these two SAs, we can normally establish an ESP VPN with only four IKE messages.
We also looked at NAT traversal. We saw how NAT-T can solve many, but not all, of the problems caused by the interaction of IPsec and NAT. Part of NAT-T involves NAT discovery, by which the peers determine whether a NAT sits between them, so NAT-T can always be enabled and will adjust to whether a NAT is present when the peers negotiate a new IKE SA.
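The NAT discovery step can be shown concretely. The following is an added example, not code from the chapter; it assumes the IKEv2 construction from RFC 7296 section 2.23, in which each peer sends SHA-1 hashes over the IKE SPIs, its own view of its IP address and port, and the same for the peer, and the receiver recomputes them from the addresses it actually observes on the wire. The SPIs, addresses and ports are constructed sample values.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP | port): the value carried in the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notify payloads.
    IPv4 packs to 4 bytes, IPv6 to 16; the port is 2 bytes, network order."""
    packed_ip = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def detect_nat(spi_i: bytes, spi_r: bytes, recv_src_hash: bytes, recv_dst_hash: bytes,
               observed_peer_ip: str, observed_peer_port: int,
               my_ip: str, my_port: int) -> tuple:
    """Receiver-side check. A mismatch on the peer's source hash means the
    peer's address/port was rewritten on the way here (peer behind a NAT);
    a mismatch on the destination hash means my own address as the peer
    sees it differs from what I have (I am behind a NAT)."""
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, observed_peer_ip, observed_peer_port) != recv_src_hash
    me_behind_nat = nat_detection_hash(spi_i, spi_r, my_ip, my_port) != recv_dst_hash
    return peer_behind_nat, me_behind_nat


def demo() -> tuple:
    """Constructed IKE_SA_INIT request: the initiator sits on a private
    address and its packet is translated by a NAT before the responder sees it."""
    spi_i = bytes.fromhex("0011223344556677")   # constructed initiator SPI
    spi_r = bytes(8)                             # responder SPI is still zero in the request
    init_ip, init_port = "192.168.1.10", 500     # what the initiator believes about itself
    resp_ip, resp_port = "198.51.100.2", 500     # the responder's real address
    nat_ip, nat_port = "203.0.113.7", 12345      # address/port the NAT rewrites the packet to

    # Hashes the initiator puts in its IKE_SA_INIT request.
    src_hash = nat_detection_hash(spi_i, spi_r, init_ip, init_port)
    dst_hash = nat_detection_hash(spi_i, spi_r, resp_ip, resp_port)

    # The responder recomputes from the source it actually observed.
    return detect_nat(spi_i, spi_r, src_hash, dst_hash, nat_ip, nat_port, resp_ip, resp_port)


if __name__ == "__main__":
    print(demo())  # (True, False): peer is behind a NAT, responder is not
```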