[Openswan Users] Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T details
Jacco de Leeuw
jacco2 at dds.nl
Wed Mar 23 18:04:00 CET 2005
Ken Bantoft wrote:
> There are some potential risks with NAT-T in transport mode.
> Initially, Openswan shipped with it disabled,
> but since Microsoft decided it was OK and insisted on using it, we
> eventually started to ship with it enabled to clear the mailing list of
> the 1000x 'Why doesn't this work?' emails. I'm decidedly not happy
> about this, but I don't see another answer.
They should have fixed this in the NAT-T RFC. The drafts have been out
for ages. Microsoft was intimately involved with this RFC:
RFC 3715, "IPsec-Network Address Translation (NAT) Compatibility Requirements"
(Informational), B. Aboba and W. Dixon, Microsoft, March 2004

RFC 3947, "Negotiation of NAT-Traversal in the IKE" (Standards Track),
T. Kivinen (SafeNet) and B. Swander (Microsoft), January 2005
Even more peculiar is the situation where the L2TP/IPsec server is NATed.
This scenario should be supported according to the NAT-T requirements RFC
but in XP SP2 they simply "avoid establishing any IPSec NAT-T-based SAs
to servers that are located behind a NAT":
http://www.microsoft.com/technet/community/columns/cableguy/cg1004.mspx#ECAA
But apparently it is fine for older clients? This too should have been
fixed in the RFC.
Or perhaps Microsoft's implementation is not vulnerable after all?
Jacco
--
Jacco de Leeuw mailto:jacco2 at dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl