[Openswan Users] Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T details

Ken Bantoft ken at xelerance.com
Wed Mar 23 10:07:04 CET 2005


On 22-Mar-05, at 4:18 PM, Alan Whinery wrote:

> | Some small questions:
> |
> | - You write: "I never did get [racoon] to do NAT traversal, which
> | is the reason for [using Openswan]. Apparently, racoon will not set
> | up NAT-T in transport mode". Can anyone confirm this?
>
> I have seen it asserted in various places; if I run across it, I'll
> send a reference. I think that the development lists for either
> Kame or for ipsec-tools say so. It's a purist thing, I gather.

Yes.  There are some potential risks with NAT-T in transport mode.  
Initially, Openswan shipped with it disabled,
but since Microsoft decided it was OK and insisted on using it, we 
eventually started to ship with it enabled to clear the mailing list of 
the 1000x 'Why doesn't this work?' emails.  I'm decidedly not happy 
about this, but I don't see another answer.


Ken
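For readers following the thread subject (L2TP/IPsec for Windows clients with X.509 and NAT-T), the fragment below shows where the NAT-T switch Ken refers to lives in an Openswan 2.x ipsec.conf and what a transport-mode L2TP connection with certificate authentication looks like alongside it. It is an added example, not configuration from the original post or from the Openswan project; the hostname, certificate file name and private address ranges are assumed values.

```ini
# Added example (not from the original post or the Openswan project):
# Openswan 2.x ipsec.conf fragment for L2TP/IPsec in transport mode
# with X.509 certificates. Hostname, cert file name and address
# ranges are assumed values.

config setup
    interfaces=%defaultroute
    # The switch the reply is about. With "no", NAT-T (UDP 4500
    # encapsulation, transport mode included) is never offered, which
    # is the conservative default. Windows L2TP/IPsec clients behind
    # NAT only work with it enabled.
    nat_traversal=yes
    # Private ranges that NATed clients may present as their inner
    # address (RFC 1918 ranges assumed here).
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12

conn l2tp-x509
    # L2TP/IPsec runs IPsec in transport mode, not tunnel mode.
    type=transport
    authby=rsasig
    pfs=no                          # Windows clients do not request PFS
    keyingtries=3
    left=%defaultroute
    leftcert=vpngw.example.com.pem  # assumed file in /etc/ipsec.d/certs
    leftrsasigkey=%cert
    leftprotoport=17/1701           # UDP 1701 = L2TP on the gateway side
    right=%any
    rightrsasigkey=%cert
    rightca=%same                   # client cert must chain to the gateway's CA
    rightprotoport=17/%any          # NAT may rewrite the client's source port
    rightsubnet=vhost:%priv,%no     # accept clients from virtual_private ranges
    auto=add
```

The L2TP daemon itself (l2tpd or xl2tpd listening on UDP 1701) is configured separately; this fragment only covers the IPsec layer. The `rightprotoport=17/%any` and `vhost:%priv` settings are what make transport mode usable through NAT, and they are also the part Ken is uneasy about: the gateway is accepting transport-mode SAs from any NATed address and port, so enabling `nat_traversal=yes` should be a deliberate choice rather than a default copied from a howto.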
