[Openswan Users] Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T details

Jacco de Leeuw jacco2 at dds.nl
Wed Mar 23 18:04:00 CET 2005

Ken Bantoft wrote:

> There are some potential risks with NAT-T in transport mode.  
> Initially, Openswan shipped with it disabled,
> but since Microsoft decided it was OK and insisted on using it, we 
> eventually started to ship with it enabled to clear the mailing list of 
> the 1000x 'Why doesn't this work?' emails.  I'm decidedly not happy 
> about this, but I don't see another answer.

They should have fixed this in the NAT-T RFC. The drafts have been out
for ages. Microsoft was intimately involved with this RFC:

IPsec-Network Address Translation (NAT) Compatibility Requirements

   Network Working Group                                         B. Aboba
   Request for Comments: 3715                                    W. Dixon
   Category: Informational                                      Microsoft
                                                               March 2004

Negotiation of NAT-Traversal in the IKE

   Network Working Group                                       T. Kivinen
   Request for Comments: 3947                                     SafeNet
   Category: Standards Track                                   B. Swander
                                                             January 2005

Even more peculiar is the situation where the L2TP/IPsec server is NATed.
This scenario should be supported according to the NAT-T requirements RFC
but in XP SP2 they simply "avoid establishing any IPSec NAT-T-based SAs
to servers that are located behind a NAT":
But apparently it is fine for older clients? This too should have been
fixed in the RFC.

Or perhaps Microsoft's implementation is not vulnerable after all?

Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
