Re: [Ipsec-tools-devel] [PATCH] Transport mode NAT-T
From: Matthew G. <mg...@sh...> - 2007-11-27 08:59:04
Timo Teräs wrote:
> Hi,
>
> This experimental patch implements sending of NAT-OA payloads. Depending on configuration this _might_ make transport mode NAT-T working. I have tested only that the sent packets are valid. You also need kernel support.
>
> What comes to kernel support I'm not sure about BSDs, but recent Linux kernels implement RFC3948 3.1.2. option 3 and should support UDP encapsulated ESP behind NAT properly (didn't test though).
>

Manu can speak more about this but I believe the original address parts of NAT-T support were omitted on purpose due to patent issues. Here is an excerpt from his post to a netbsd mailing list ...

- IPsec NAT-Traversal as described in RFC 3947 and RFC 3948. This requires a -current kernel built with the IPSEC_NAT_T option. There is an IPR disclosure made by Microsoft on NAT-T at the IETF. We are convinced that we did not implement what is covered by the patent (the Original Address stuff), but be aware that there might be a problem with using NAT-T in some countries.

Here is a link to the original post ...

http://mail-index.netbsd.org/current-users/2005/02/19/0013.html

-Matthew