tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT

> [...], IPSEC has a long history of conflicting with NATs [...]

It's hardly surprising that breaking the design assumptions underlying
IP breaks things built atop IP.  (That NAT breaks as few things as it
does is a testament to (a) how few things are actually used atop IP and
(b) the robustness of the commonest of those few.)

> There's two ways to avoid that - use IPv6 on both ends [...], or use
> a more NAT-friendly VPN protocol.

There's a third way: insist on non-crippled connectivity from the
underlying provider, switching providers (or possibly just service
classes) if necessary.

Of course, that's not suitable for everyone, any more than either of
the others is.  But I would argue it shouldn't be discarded without at
least considering it.  (It also is, in my opinion, the best option for
the long-term health of the net; there is far too much history of
working around brokenness rather than insisting on its being fixed,
leading to entrenched brokenness.)

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
