tech-net archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: racoon, IKEv1 and multiple ipsec clients behind NAT
> [...], IPSEC has a long history of conflicting with NATs [...]
It's hardly surprising that breaking the design assumptions underlying
IP breaks things built atop IP. (That NAT breaks as few things as it
does is a testament to (a) how few things are actually used atop IP and
(b) the robustness of the commonest of those few.)
> There's two ways to avoid that - use IPv6 on both ends [...], or use
> a more NAT-friendly VPN protocol.
There's a third way: insist on non-crippled connectivity from the
underlying provider, switching providers (or possibly just service
classes) if necessary.
Of course, that's not suitable for everyone, any more than either of
the others is. But I would argue it shouldn't be discarded without at
least considering it. (It also is, in my opinion, the best option for
the long-term health of the net; there is far too much history of
working around brokenness rather than insisting on its being fixed,
leading to entrenched brokenness.)
/~\ The ASCII Mouse
\ / Ribbon Campaign
X Against HTML mouse%rodents-montreal.org@localhost
/ \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Home |
Main Index |
Thread Index |
Old Index