[Openswan Users] Re: Working IPSec/L2TP for Windows clients with X.509 and NAT-T details

Alan Whinery whinery at hawaii.edu
Wed Mar 23 07:46:00 CET 2005

Ken Bantoft wrote:

> Yes.  There are some potential risks with NAT-T in transport mode.  
> Initially, Openswan shipped with it disabled,
> but since Microsoft decided it was OK and insisted on using it, we 
> eventually started to ship with it enabled to clear the mailing list 
> of the 1000x 'Why doesn't this work?' emails.  I'm decidedly not happy 
> about this, but I don't see another answer.

Just to mention it:

Microsoft issued a bulletin (cited @ Jacco's)  relating to the disabling 
of NAT-T in Windows XP SP2 which addressed risks in the Transport/NAT-T 
scenario, but they limit their caution to the case where the *server* is 
behind the NAT, as I understand it.


More information about the Users mailing list