[Openswan Users] Transport mode in 2.6 IPsec
Jacco de Leeuw
jacco2 at dds.nl
Fri Jul 16 15:18:36 CEST 2004
> I noticed USE_NAT_TRAVERSAL_TRANSPORT_MODE is enabled by default in
> Openswan (at least in 2.1.4). Have the issues regarding security when
> using NAT-T and transport mode together (see doc/README.NAT-Traversal)
> been solved in kernel 2.4 using the Openswan IPsec kernel implementation?
No.
> What about in kernel 2.6 using the built-in IPsec?
According to Mathieu Lafon, the author of the NAT-T patch:
"The known issue about Transport mode is still there with
kernel 2.6 and surely in KAME".
So switching from kernel 2.4 to 2.6 or from Openswan/FreeS/WAN to
ipsec-tools won't help.
> I've searched the Internet, including this list, left and right but
> found no definitive answer, just people saying "insecure or not,
> we need interop with Windows."
In addition to the above, Mathieu also wrote:
"Perhaps I'm too paranoid".
So it could be just him, but I don't know of anybody else who has
done an assessment of the security of NAT-T in Transport Mode.
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl
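As an added illustration (not part of the original post, and not Openswan's own documentation), the following ipsec.conf fragment places the combination the thread is about, NAT-T with transport mode, next to the tunnel-mode alternative. The addresses, connection names and the L2TP port usage are constructed assumptions; the parameter names are Openswan 2.x ones.

```ini
# Added example, not from the original post. Addresses and conn names are
# constructed; 203.0.113.10 is a TEST-NET-3 documentation address.
config setup
    # Enable NAT-Traversal (UDP/4500 encapsulation) for peers behind NAT
    nat_traversal=yes
    # Private ranges a NATed peer may legitimately claim as its own address
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn common
    # Gateway's public address (constructed)
    left=203.0.113.10
    # Roadwarrior with an unknown, possibly NATed, address
    right=%any
    authby=secret
    auto=add

# Transport mode behind NAT: the case doc/README.NAT-Traversal flags, and
# the one that needs Openswan built with USE_NAT_TRAVERSAL_TRANSPORT_MODE
# (on by default in 2.1.4 per the post). Shown here because interop with
# L2TP/IPsec clients is the usual reason for wanting it.
conn roadwarrior-transport
    also=common
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/%any
    rightsubnet=vhost:%no,%priv

# Tunnel mode behind NAT: same NAT-T handling, but the inner IP header is
# carried inside the protected payload. Prefer this form whenever the peer
# can do tunnel mode, so the transport-mode concern does not apply.
conn roadwarrior-tunnel
    also=common
    type=tunnel
    rightsubnet=vhost:%priv
```

Only `roadwarrior-transport` depends on the compile-time option mentioned in the thread; if a build without it is used, that conn is refused at `ipsec auto --add` time while the tunnel-mode conn keeps working, which is a cheap way to check which build is installed.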