[Openswan Users] Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T details
Alan Whinery
whinery at hawaii.edu
Wed Mar 23 07:46:00 CET 2005
Ken Bantoft wrote:
>
> Yes. There are some potential risks with NAT-T in transport mode.
> Initially, Openswan shipped with it disabled,
> but since Microsoft decided it was OK and insisted on using it, we
> eventually started to ship with it enabled to clear the mailing list
> of the 1000x 'Why doesn't this work?' emails. I'm decidedly not happy
> about this, but I don't see another answer.
Just to mention it:
Microsoft issued a bulletin (cited @ Jacco's) relating to the disabling
of NAT-T in Windows XP SP2 which addressed risks in the Transport/NAT-T
scenario, but they limit their caution to the case where the *server* is
behind the NAT, as I understand it.
Alan