[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

(racoon 861) L2TP/IPsec and NAT-T in transport mode


We (Stinghorn) have released a product based on Racoon and Linux
kernel 2.6.x, which supports NAT traversal in transport mode, and
handles multiple Windows 2K/XP clients behind the same NAT.

Several reasons were given on the mailing list why this cannot be
done at present, most of which I believe are correct.  To implement
this cleanly would require considerable changes to both the kernel
and the ISAKMP daemon.

However, it *is* possible to make it work for L2TP/IPsec-transport
use specifically, which is what we've done.  Unfortunately the patches
are not very clean, and are very specific to usage with L2TP/IPsec.
They will also have an adverse impact on other IPsec functionality.
(We use virtualization for our product deployment so this doesn't
matter to us, which is why this solution suffices for us.)

Anyway, there might be something interesting in the set of changes
for generalization into Racoon.  For instance, in the Debian ipsec-tools
package the -02 NAT traversal VID is incorrect (it's missing a '\n'),
which was the first obstacle to Windows interoperability.  The kernel
and Racoon diffs (against Debian source packages) along with a more
detailed description of the changes are available here:


Hope this helps, and keep up the good work,

Sami Vaarala
Chief Technology Officer
Stinghorn  (www.stinghorn.com)