 From:  Lonnie Abelbeck <lists at lonnie dot abelbeck dot com>
 To:  m0n0wall List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  IPSec NAT-Traversal Experiences
 Date:  Mon, 29 Jan 2007 17:55:08 -0600

(NAT-T RFC-3715, RFC-3947 and RFC-3948)

Since m0n0wall 1.3b2 supports NAT-T, I would like to know what  
successes / failures users have experienced.  Some questions I have:

1) Compatibility with "IPSec Passthrough".  A Juniper Netscreen tech  
note states "Make sure IPSec Passthrough is disabled on the Linksys  
router.  IPSec Passthrough will break NAT Traversal functionality."   
Is this true?

2) Does the auto-negotiation ('enable') reliably work, or is forcing
NAT-T on ('force') or 'off' usually required?

3) Is the extra overhead noticeable enough to motivate users to not  
use NAT-T if it is not required?

4) Does the IPSec host endpoint address behind the NAT need to match  
the actual private address, or can any endpoint address be used as  
with non-NAT-T?

Hopefully we can generate a good discussion for the archives.

Thanks in advance.

Lonnie