 From:  Fred Wright <fw at well dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] NAT-T?
 Date:  Mon, 16 Aug 2004 13:42:31 -0700 (PDT)
On Sat, 14 Aug 2004, Brian wrote:

> Out of curiosity, does anyone know why NAT-T isn't enabled in the racoon
> setup? I've had several instances of tunnels failing because of what looks
> like NAT issues, and am under the impression that adding this
> functionality would solve the problem entirely. Sure, feel free to blame
> the particular NAT implementation, but that doesn't solve the problem. :)

First of all, NAT-T (in FreeBSD, at least) is a kernel issue, not a racoon
issue.  Racoon is just the Key Management daemon.  Why does everyone think
that everything related to IPsec is in racoon? :-)

It's not clear whether FreeBSD has NAT-T support yet.  If so, it may be
only in the 5.x versions.  And NAT-T is sufficiently new that any support
for it is probably buggy.  I think most people would rather see the
existing IPsec work more reliably before adding more bugs, er,
features. :-)

Also note that NAT-T is an endpoint feature, not a router feature.  You
don't say what you're trying to do, but if you're trying to get some
*other* machine to do IPsec *through* m0n0wall, then NAT-T would need to
be provided on the *other* machine.

					Fred Wright
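To illustrate the point above that NAT-T is an endpoint feature, here is an added example (not code from the list post, m0n0wall or racoon) of the NAT discovery step from RFC 3947: each peer hashes the IKE cookies together with the address and port it sees, and the receiver recomputes that hash over the source it actually observed. Assumptions: SHA-1 as the negotiated Phase 1 hash, IPv4, constructed cookies and addresses, and only the "is the peer behind a NAT" half of the check is shown.

```python
import hashlib
import ipaddress
import struct

# RFC 3947 NAT discovery: each peer sends NAT-D payloads containing
#   HASH(CKY-I | CKY-R | IP | Port)
# describing the addresses as it sees them.  The receiver recomputes the
# hash over the source address/port it observed; a mismatch means a NAT
# rewrote the packet somewhere on the path.  SHA-1 is assumed here as the
# Phase 1 hash (assumption for this example).

def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """Compute one NAT-D payload hash (RFC 3947 section 3.2)."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKE cookies are 8 bytes each")
    packed_ip = ipaddress.ip_address(ip).packed        # 4 bytes for IPv4
    return hashlib.sha1(cky_i + cky_r + packed_ip + struct.pack("!H", port)).digest()

def nat_detected(cky_i, cky_r, peer_nat_d_hashes, observed_src_ip, observed_src_port):
    """
    Receiver-side check: peer_nat_d_hashes are the NAT-D hashes the peer
    sent for its *own* address(es).  If none matches the hash over the
    source the receiver actually saw, the peer sits behind a NAT.
    """
    local_view = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    return local_view not in peer_nat_d_hashes

# Constructed scenario (example values, not from any real exchange): an
# initiator at private 192.168.1.10:500 whose NAT rewrites the packet to
# 203.0.113.7:4500 before it reaches the responder.
CKY_I = bytes.fromhex("0011223344556677")
CKY_R = bytes.fromhex("8899aabbccddeeff")

def initiator_nat_d_payloads():
    # The initiator only knows its private address; it cannot know what the
    # NAT will rewrite it to.  Only the endpoints hold both cookies and both
    # views of the addresses, which is why NAT-T must live in the endpoint.
    return [nat_d_hash(CKY_I, CKY_R, "192.168.1.10", 500)]

def responder_sees_nat() -> bool:
    return nat_detected(CKY_I, CKY_R, initiator_nat_d_payloads(), "203.0.113.7", 4500)

def responder_sees_no_nat() -> bool:
    # Same exchange with no NAT in the path: the observed source matches.
    return nat_detected(CKY_I, CKY_R, initiator_nat_d_payloads(), "192.168.1.10", 500)

if __name__ == "__main__":
    print("NAT detected (behind NAT):", responder_sees_nat())     # True
    print("NAT detected (direct path):", responder_sees_no_nat())  # False
```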