tech-net archive


Re: racoon, IKEv1 and multiple ipsec clients behind NAT



Hi,

On Wed, Oct 19, 2022 at 02:08:32PM -0400, Mouse wrote:
> > There's two ways to avoid that - use IPv6 on both ends [...], or use
> > a more NAT-friendly VPN protocol.
> 
> There's a third way: insist on non-crippled connectivity from the
> underlying provider, switching providers (or possibly just service
> classes) if necessary.

For IPv4, that ship has sailed, at least over here.  Half the large
eyeball providers in Germany only provide shared IPv4 addresses to
their customers (DS-Lite), because they just do not have more -
but they provide an IPv6 /56 with Real Addresses, Lots Of Them,
to their customers.

The Incumbent (Deutsche Telekom) provides "real IPv4", but, well,
it's the Incumbent, so lots of good reasons to not go there.

Thus, IPv6.

> Of course, that's not suitable for everyone, any more than either of
> the others is.  But I would argue it shouldn't be discarded without at
> least considering it.  (It also is, in my opinion, the best option for
> the long-term health of the net; there is far too much history of
> working around brokenness rather than insisting on its being fixed,
> leading to entrenched brokenness.)

Thus, IPv6 :-) - not without its own set of problems, but at least
it does not force NAT on anyone (yes, you *can*, and there are scenarios
where it's useful and not breaking much, but *voluntarily used* makes
the difference).

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             gert%greenie.muc.de@localhost

