From: Bartley, M. J. <jba...@le...> - 2007-08-29 19:36:42
If I can get a crisp answer for this then I'll post it on my web site so all the search engines can find it and us poor slobs trying to get MS XP SP2+ L2TP/IPSEC working through NATing firewalls to Linux will stop nagging you guys about it ...

As of today (August 2007), does ipsec-tools' racoon do NAT-T for transport mode?

A simple "yes" or "no" would be nice (with the understanding that tomorrow the answer could be different, but I'm not asking anyone to predict the future). Some explanatory detail would be great but is not necessary.

Thanks!

- lpiqa
From: <ma...@ne...> - 2007-08-29 19:48:37
Bartley, M. James <jba...@le...> wrote:

> As of today (August 2007), does ipsec-tools' racoon do NAT-T for
> transport mode?

No.

> A simple "yes" or "no" would be nice

I'm a nice guy.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
From: Dan M. <da...@su...> - 2007-08-29 19:56:50
On Wed, Aug 29, 2007 at 03:35:43PM -0400, Bartley, M. James wrote:

> As of today (August 2007), does ipsec-tools' racoon do NAT-T for
> transport mode?

Our experience has been "no", but we haven't played with the just-now-released 0.7.0 release.

> Some explanatory detail would be great but is not necessary.

I would VERY much like to see this explanation. Especially given that some kernels that ipsec-tools supports (e.g. Darwin, and I'm thinking the under-beta MacOS 10.5) have NAT-T in transport mode support. (In fact, when we replaced 10.5's racoon with 10.4's, things Just Worked (TM).)

Dan
From: <ma...@ne...> - 2007-08-29 20:06:46
Dan McDonald <da...@su...> wrote:

> I would VERY much like to see this explanation. Especially given some kernel
> that ipsec-tools supports (e.g. Darwin, and I'm thinking the under-beta MacOS
> 10.5) have NAT-T in transport mode support. (In fact, when we replaced
> 10.5's racoon with 10.4's, things Just Worked (TM).)

AFAIK, racoon does not fully support NAT-T OA (Original Address) payloads, which means that it will not be able to distinguish two peers behind the same NAT.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
From: Dan M. <da...@su...> - 2007-08-29 20:41:35
On Wed, Aug 29, 2007 at 10:08:27PM +0200, Emmanuel Dreyfus wrote:

> Dan McDonald <da...@su...> wrote:
>
> > I would VERY much like to see this explanation. Especially given some kernel
> > that ipsec-tools supports (e.g. Darwin, and I'm thinking the under-beta MacOS
> > 10.5) have NAT-T in transport mode support. (In fact, when we replaced
> > 10.5's racoon with 10.4's, things Just Worked (TM).)
>
> AFAIK, racoon does not fully support NAT-T OA (Original Address)
> payloads, which means that it will not be able to distinguish two peers
> behind the same NAT.

We thought that was the case. It properly selected the correct encapsulation mode in the Payload & Transform fields, but it did not do NAT-OA.

The racoon shipped with MacOS 10.4 DID support NAT-OA. Did Apple not contribute that set of changes back to the community?

IIRC racoon's under BSD license; if I'm right, we *might* be able to give you NAT-OA. We'd certainly be able to interoperability test it with the (alas, closed-source and goodly-amount OEMed) Solaris in.iked.

Does the Linux kernel per se support Transport Mode with NAT? If it does, then someone can fix racoon and a lot of our interop problems (we have a transport-mode-setup remote access app in-house).

Thanks!
Dan
From: <ma...@ne...> - 2007-08-30 04:08:36
Dan McDonald <da...@su...> wrote:

> We thought that was the case. It properly selected the correct encapsulation
> mode in the Payload & Transform fields, but it did not do NAT-OA.
>
> The racoon shipped with MacOS 10.4 DID support NAT-OA. Did Apple not
> contribute that set of changes back to the community?

See ipsec-tools/src/racoon/pfkey.c, that's clear enough:

    sa_args.l_natt_oa = NULL; // FIXME: Here comes OA!!!

> IIRC racoon's under BSD license, if I'm right, we *might* be able to give you
> NAT-OA.

That would be great.

> Does the Linux kernel per se support Transport Mode with NAT? If it does,
> then someone can fix racoon and a lot of our interop problems (we have a
> transport-mode-setup remote access app in-house).

No idea. I know neither NetBSD nor FreeBSD do, and that supporting it is not straightforward.

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
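To make the NAT-OA point in the thread concrete, here is an added example (not racoon's code and not from any poster above) that encodes and parses the RFC 3947 NAT-OA payload and shows why a transport-mode SA keyed only on the post-NAT outer address cannot tell two clients behind one NAT apart. The addresses are constructed sample values; the payload type number and ID types are the ones RFC 3947 and the IPsec DOI assign.

```python
import struct
from ipaddress import ip_address, IPv4Address

# Payload type from RFC 3947; ID types from the IPsec DOI (RFC 2407).
NAT_OA_PAYLOAD = 21
ID_IPV4_ADDR = 1
ID_IPV6_ADDR = 5


def build_nat_oa(orig_addr, next_payload=0):
    """Encode one NAT-OA payload: generic header, ID type, then the pre-NAT address."""
    addr = ip_address(orig_addr)
    id_type = ID_IPV4_ADDR if isinstance(addr, IPv4Address) else ID_IPV6_ADDR
    length = 8 + len(addr.packed)  # 4-byte generic header + 4 bytes ID type/reserved + address
    return struct.pack("!BBHBBH", next_payload, 0, length, id_type, 0, 0) + addr.packed


def parse_nat_oa(data):
    """Decode one NAT-OA payload; returns (next_payload, original_address, rest)."""
    if len(data) < 8:
        raise ValueError("truncated NAT-OA header")
    nxt, _res, length, id_type, _r1, _r2 = struct.unpack("!BBHBBH", data[:8])
    addr_len = {ID_IPV4_ADDR: 4, ID_IPV6_ADDR: 16}.get(id_type)
    if addr_len is None or length != 8 + addr_len or len(data) < length:
        raise ValueError("NAT-OA length does not match ID type")
    return nxt, str(ip_address(data[8:length])), data[length:]


def sa_keys(peers, use_nat_oa):
    """Transport-mode SA lookup keys for a list of (outer_src_ip, nat_oa_bytes) peers.
    Without NAT-OA only the post-NAT outer address is known, so two hosts behind
    the same NAT collapse onto one key; with NAT-OA the original address separates them."""
    keys = set()
    for outer, oa in peers:
        keys.add(outer if not use_nat_oa else (outer, parse_nat_oa(oa)[1]))
    return keys


# Constructed sample: two clients on one private LAN behind the same NAT (203.0.113.7).
SAMPLE_PEERS = [
    ("203.0.113.7", build_nat_oa("192.168.1.10")),
    ("203.0.113.7", build_nat_oa("192.168.1.11")),
]

if __name__ == "__main__":
    print(sa_keys(SAMPLE_PEERS, use_nat_oa=False))  # one key: the peers collapse
    print(sa_keys(SAMPLE_PEERS, use_nat_oa=True))   # two keys: told apart by NAT-OA
```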