[Openswan dev] Qustion about Nat-t

Michael H. Warfield mhw at WittsEnd.com
Tue Mar 3 15:01:24 EST 2009 

On Sun, 2009-03-01 at 16:38 -0500, Paul Wouters wrote:
> On Sun, 1 Mar 2009, John Denker wrote:

> > *) NAT is a kludgey way of extending the IPv4 address space.
> >  IPv6 is an incomparably better way of extending the IPv4
> >  address space.

> > *) A basic principle of engineering is to aim for the moving
> >  target.  NAT is the way of the past.  The future will be
> >  more and more IPv6.

> The move to more ipv6 will only happen with more 6to4 and 4to6
> NAT's, and horribly DNS kludges to make ipv4-only systems talk
> to ipv6-only systems and visa versa.

> Welcome to the real world, Neo.

	Actually...  What I used NAT-T for more than anything else is drilling
through obsessive firewalls that do not permit ESP, AH, or SIT through.
Then I can tunnel IPv6/SIT over ESP-in-UDP (over UDP, over IP, sigh).
That can tunnel an entire v6 net over a wall that doesn't permit SIT
(protocol 41).  What I would love (and I guess is available with IKE2)
is the ability to directly tunnel v6 in ESP on V4 cutting out the SIT
layer there.  I can do that with OpenVPN (ala the now defunct Join
project out of Germany) but OpenVPN is a performance dog being in user
space and I see a lot of anomalous UDP errors with OpenVPN.  So I find
IPSec a more reliable answer to my IPv6 over obsessive IPv4 firewall
problem, even if I have to (currently) shim it with another layer.

> > Really?  Do you actually know of any home gateways that will
> >  a) forward IKE and ESPinUDP, but
> >  b) not properly terminate SIT tunnels, and
> >  c) not even forward SIT packets?
> >
> > If you know of any such, I'd like to hear about it.  I don't
> > actually know of any.  I'd be astonished if they made up 90%
> > of the market.  I'd be mildly surprised if they covered even
> > 10% of the Openswan users.
> 
> How do you set this up on a Windows laptop or Windows Mobile
> telephone, without installing additional software and
> Administrative permissions? 90% of Openswan users have an
> openswan server with incoming Windows and OSX clients.
> 
> Paul

	Mike
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 307 bytes
Desc: This is a digitally signed message part
Url : http://lists.openswan.org/pipermail/dev/attachments/20090303/597a85fc/attachment.bin

More information about the Dev mailing list