[Openswan dev] Question about Nat-t
Michael H. Warfield
mhw at WittsEnd.com
Tue Mar 3 15:01:24 EST 2009
On Sun, 2009-03-01 at 16:38 -0500, Paul Wouters wrote:
> On Sun, 1 Mar 2009, John Denker wrote:
> > *) NAT is a kludgey way of extending the IPv4 address space.
> > IPv6 is an incomparably better way of extending the IPv4
> > address space.
> > *) A basic principle of engineering is to aim for the moving
> > target. NAT is the way of the past. The future will be
> > more and more IPv6.
> The move to more ipv6 will only happen with more 6to4 and 4to6
> NATs, and horrible DNS kludges to make ipv4-only systems talk
> to ipv6-only systems and vice versa.
> Welcome to the real world, Neo.
Actually... What I used NAT-T for more than anything else is drilling
through obsessive firewalls that do not permit ESP, AH, or SIT through.
Then I can tunnel IPv6/SIT over ESP-in-UDP (over UDP, over IP, sigh).
That can tunnel an entire v6 net over a wall that doesn't permit SIT
(protocol 41). What I would love (and I guess is available with IKE2)
is the ability to directly tunnel v6 in ESP on v4, cutting out the SIT
layer there. I can do that with OpenVPN (à la the now-defunct Join
project out of Germany) but OpenVPN is a performance dog being in user
space and I see a lot of anomalous UDP errors with OpenVPN. So I find
IPSec a more reliable answer to my IPv6 over obsessive IPv4 firewall
problem, even if I have to (currently) shim it with another layer.
> > Really? Do you actually know of any home gateways that will
> > a) forward IKE and ESPinUDP, but
> > b) not properly terminate SIT tunnels, and
> > c) not even forward SIT packets?
> > If you know of any such, I'd like to hear about it. I don't
> > actually know of any. I'd be astonished if they made up 90%
> > of the market. I'd be mildly surprised if they covered even
> > 10% of the Openswan users.
> How do you set this up on a Windows laptop or Windows Mobile
> telephone, without installing additional software and
> Administrative permissions? 90% of Openswan users have an
> openswan server with incoming Windows and OSX clients.
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
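The layering Michael describes (SIT, protocol 41, carried inside ESP-in-UDP on port 4500 because the firewall drops 41, 50 and 51) is invisible to a policy that only looks at IP protocol numbers. The classifier below is an added example, not code from the thread or from Openswan; it labels each packet by which of these carriers it uses, telling IKE, NAT keepalives and ESP apart on UDP 4500 by the RFC 3948 non-ESP marker, so an administrator auditing "UDP 4500 allowed" can see that encapsulated ESP (and whatever it tunnels) is passing. The packets are constructed inline for the example.

```python
import struct

def ipv4(proto, payload):
    """Build a minimal 20-byte IPv4 header (constructed sample, no checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([192, 0, 2, 1]))
    return hdr + payload

def udp(sport, dport, payload):
    """Build a UDP header (checksum left zero) + payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def classify(pkt):
    """Label what IPsec/tunnel carrier one IPv4 packet uses."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    body = pkt[ihl:]
    if proto == 41:
        return "SIT (IPv6-in-IPv4, protocol 41)"
    if proto == 50:
        return "ESP (protocol 50)"
    if proto == 51:
        return "AH (protocol 51)"
    if proto == 17 and len(body) >= 8:
        sport, dport = struct.unpack("!HH", body[:4])
        udp_payload = body[8:]
        if 500 in (sport, dport):
            return "IKE (UDP 500)"
        if 4500 in (sport, dport):
            # RFC 3948: on UDP 4500 a single 0xFF byte is a NAT keepalive, a 4-byte
            # zero 'non-ESP marker' precedes IKE, and anything else starts with an ESP SPI.
            if udp_payload == b"\xff":
                return "NAT-T keepalive (UDP 4500)"
            if len(udp_payload) < 4:
                return "NAT-T (UDP 4500, truncated payload)"
            if udp_payload[:4] == b"\x00\x00\x00\x00":
                return "IKE over NAT-T (UDP 4500)"
            spi = struct.unpack("!I", udp_payload[:4])[0]
            return f"ESP-in-UDP (UDP 4500, SPI 0x{spi:08x})"
    return f"other (protocol {proto})"

# Constructed samples: the SPI, IKE bytes and IPv6 stub are arbitrary filler.
SAMPLES = {
    "sit": ipv4(41, b"\x60" + b"\x00" * 39),
    "esp_in_udp": ipv4(17, udp(4500, 4500, struct.pack("!I", 0x12345678) + b"\x00" * 12)),
    "ike_natt": ipv4(17, udp(4500, 4500, b"\x00" * 4 + b"\x11" * 28)),
    "keepalive": ipv4(17, udp(4500, 4500, b"\xff")),
    "raw_esp": ipv4(50, b"\x00" * 16),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:12s} -> {classify(pkt)}")
```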