[Openswan Users] Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T details
Ken Bantoft
ken at xelerance.com
Wed Mar 23 10:07:04 CET 2005
On 22-Mar-05, at 4:18 PM, Alan Whinery wrote:
> | Some small questions:
> |
> | - You write: "I never did get [racoon] to do NAT traversal, which
> | is the reason for [using Openswan]. Apparently, racoon will not set
> | up NAT-T in transport mode". Can anyone confirm this?
>
> I have seen it asserted in various places. If I run across it, I'll
> send a reference. I think that the development lists for either
> Kame or ipsec-tools say so. It's a purist thing, I gather.
Yes. There are some potential risks with NAT-T in transport mode.
Initially, Openswan shipped with it disabled,
but since Microsoft decided it was OK and insisted on using it, we
eventually started to ship with it enabled to clear the mailing list of
the 1000x 'Why doesn't this work?' emails. I'm decidedly not happy
about this, but I don't see another answer.
Ken