Understanding ALG for IKE and ESP Operation
The proposed ALG for IKE and ESP traffic will have the following behavior:
- The ALG for IKE and ESP monitors IKE traffic between the client and the server, and permits only one IKE phase 2 message exchange between the client and the server at any given time.
- When a phase 2 message is seen:
  - If no phase 2 exchange between the client and server is already taking place, the IKE ALG will open gates for the relevant ESP traffic in the client to server and server to client directions.
  - If the gates cannot be successfully opened, or if there is already a phase 2 exchange taking place, the phase 2 message will be dropped.
- When ESP traffic hits those gates, sessions will be created to capture subsequent ESP traffic and perform the proper NATing (source IP address translation for client -> server traffic, and destination IP address translation for server -> client traffic).
- If no traffic hits either or both of the gates, the gate(s) will naturally time out.
- Once the gates are collapsed or timed out, another IKE phase 2 exchange will be permitted.
- IKE NAT-T traffic on floating port 4500 will not be processed by the IKE ALG. To support a mixture of NAT-T-capable and non-capable clients, users are required to enable source NAT address persistence.
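The gating behaviour listed above as a small Python state-machine model, added here as an illustration and not code from Junos or from this document; the addresses, the 30-second gate timeout and the address-only gate matching are assumptions.

```python
"""Toy model of the IKE/ESP ALG gating behaviour (constructed example):
one phase 2 exchange per client/server pair at a time, one gate per ESP
direction, gates collapse into NATed sessions, idle gates time out."""
from dataclasses import dataclass, field

GATE_TIMEOUT = 30.0  # seconds a gate waits for ESP traffic (assumed value)


@dataclass
class IkeEspAlg:
    nat_ip: str                                    # firewall's public address
    gates: dict = field(default_factory=dict)      # (client, server, dir) -> opened_at
    sessions: list = field(default_factory=list)   # NATed ESP sessions

    def expire(self, now):
        # Gates that never saw ESP traffic time out naturally.
        self.gates = {k: t for k, t in self.gates.items() if now - t < GATE_TIMEOUT}

    def on_phase2(self, client, server, now):
        """IKE phase 2 message: open both gates, or drop if one is pending."""
        self.expire(now)
        if any(k[:2] == (client, server) for k in self.gates):
            return "drop"  # an exchange for this pair is already in progress
        for direction in ("c2s", "s2c"):
            self.gates[(client, server, direction)] = now
        return "permit"

    def on_esp(self, src, dst, now):
        """ESP packet: a gate hit collapses it into a session; else None."""
        self.expire(now)
        if (src, dst, "c2s") in self.gates:                 # client -> server
            del self.gates[(src, dst, "c2s")]
            sess = {"dir": "c2s", "rewrite": "src", "from": src, "to": self.nat_ip}
        else:                                               # server -> client
            hits = [k for k in self.gates
                    if k[1] == src and k[2] == "s2c" and dst == self.nat_ip]
            if not hits:
                return None  # no open gate: not ESP the ALG is expecting
            del self.gates[hits[0]]
            sess = {"dir": "s2c", "rewrite": "dst", "from": dst, "to": hits[0][0]}
        self.sessions.append(sess)
        return sess


def scenario():
    alg = IkeEspAlg(nat_ip="203.0.113.1")          # constructed addresses
    client, server = "10.0.0.5", "198.51.100.7"
    log = [alg.on_phase2(client, server, 0.0), alg.on_phase2(client, server, 1.0)]
    alg.on_esp(client, server, 2.0)                # c2s gate collapses
    alg.on_esp(server, alg.nat_ip, 2.5)            # s2c gate collapses
    log += [alg.on_phase2(client, server, 3.0),    # permitted again
            alg.on_phase2(client, server, 3.0 + GATE_TIMEOUT)]  # idle gates timed out
    return log, alg.sessions
```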