[Openswan Users] NAT-T in native stack??

Ken Bantoft ken at xelerance.com
Wed May 19 05:04:27 CEST 2004


On Tue, 18 May 2004, Paul Wouters wrote:

> On Tue, 18 May 2004, Rene Mayrhofer wrote:
> 
> > > USE_NAT_TRAVERSAL_TRANSPORT_MODE?=true
> > > 
>
> The issue with USE_NAT_TRAVERSAL_TRANSPORT_MODE is not whether or not it
> was causing problems in the implementation, but that as a feature, it is
> a security risk. Openswan tends to package with all dangerous options
> disabled, leaving them open for the (hopefully somewhat clueful) user
> to enable. One such example is 1DES. NAT-traversal in transport mode also
> has security implications. That is why it is disabled.

NAT-T and NAT-T Transport mode are both enabled in 1.x and 2.x trees.
Without NAT-T Transport mode, we cannot interop with Win2k stack, which is
what over 50% of users are interested in doing.

Sadly, we are forced to make some sacrifices in the never-ending game of
compatibility.


-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson



