[Openswan dev] Question about Nat-t

John Denker jsd at av8n.com
Thu Feb 26 19:00:02 EST 2009

In the context of:

>> klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type)
>> What is the content of the packet input into this function.
>> I just find the code about ESPinUDP used transform mode, does Openswan
>> not support ESPinUDP used tunnel mode ?
> Yes it uses it for tunnel mode too if configured. run 'make nattpatch'
> to see the code that would be applied against a stock kernel.

Just as a general reminder:  Anybody who is considering using
NAT traversal should seriously consider *not* using NAT traversal.

NAT is an abominable kludge, which makes ESPinUDP a kludge on
top of a kludge.

The alternative is to use IPv6 which gets rid of both kludges.  It
makes NAT go away, and it provides for IPsec in a natural way.

There are of course situations where you don't have enough control
over the situation to implement IPv6 ... but there remain plenty
of situations where you do.  In my experience, the no-kludge
solution (IPv6) gives a better result with *less work* than the
kludge-upon-kludge solution (NAT traversal).

For the next level of detail on how this can be done, see

Also consider:  IPv6 is compatible with the future.  NAT traversal
is compatible (partially compatible) with the past.
