On Feb 13, 2012, at 10:23 PM, Paul Wouters wrote:

> Hi,
>
> There are many IPsec related standards, and I was hoping to use the
> combined experience of the list to tell me if in fact, these new Apple
> devices have a bug, or whether it is an RFC or draft anywhere.
>
> When using L2TP/IPsec mode with IKEv1, the latest iPhones/OS X machines,
> when on public IP, and when no NAT is detected, send UDP_ENCAP packets
> where the inner IP is the same as the outer IP.
>
> On the server, this is a problem. We now need to build tunnels to a
> random publicly addressable IP. Since that is dangerous and could be
> hijacking a real IP address, Openswan only limits per default to RFC1918
> space (and 25/8 since too many North American telcos use this and the
> UK MoD seems to not care). As a result, to make this work, we need to
> allow basically any public IP to be tunnelled.
>
> Is this indeed a bug in these devices? If so, is there anyone from Apple
> here that I can talk to and resolve this? Or if this is a
> feature/draft/RFC, could someone point me to it?
Hi Paul,

I'm not sure I follow you. L2TP/IPsec uses transport mode ESP, so the inner IP is inside the L2TP tunnel. That address is assigned in the IPCP protocol by your gateway. So you have a routable address on the outside, and your own chosen address on the inside. So what is the issue?

Yoav

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
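The policy Paul describes, a gateway that only builds tunnels to inner addresses inside RFC1918 space plus 25/8 and refuses anything publicly routable, is easy to model. The following is an added example written for this thread, not code from Openswan or from either poster; it assumes the Openswan-style `virtual_private` syntax (`%v4:net`, with `%v4:!net` for exclusions) and uses constructed TEST-NET addresses. It also flags the exact symptom reported above, a requested inner address identical to the peer's outer address, as a separate rejection reason so that an operator can tell "client asked for its own public IP" apart from "client asked for someone else's".

```python
import ipaddress

# Default ranges named in the thread: RFC1918 space plus 25/8.
# Written in Openswan's virtual_private notation (assumption: this is the
# %v4:net,%v4:!net form Openswan's ipsec.conf accepts).
DEFAULT_VIRTUAL_PRIVATE = (
    "%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:25.0.0.0/8"
)


def parse_virtual_private(spec):
    """Parse a virtual_private string into (allow, deny) network lists.

    Entries prefixed with '!' are exclusions, which take precedence over
    allows (an address must match an allow and no deny).
    """
    allow, deny = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("%v4:") or item.startswith("%v6:"):
            item = item[4:]
        else:
            raise ValueError(f"unsupported virtual_private entry: {item!r}")
        if item.startswith("!"):
            deny.append(ipaddress.ip_network(item[1:], strict=False))
        else:
            allow.append(ipaddress.ip_network(item, strict=False))
    return allow, deny


def check_inner_address(outer_ip, inner_ip, spec=DEFAULT_VIRTUAL_PRIVATE):
    """Decide whether a peer at outer_ip may tunnel traffic for inner_ip.

    Returns (verdict, reason) where verdict is 'accept' or 'reject'.
    """
    outer = ipaddress.ip_address(outer_ip)
    inner = ipaddress.ip_address(inner_ip)
    allow, deny = parse_virtual_private(spec)

    # The symptom from the thread: inner address equals the peer's own
    # outer address. Reported separately because the fix (client-side
    # behaviour) differs from a plain out-of-range request.
    if inner == outer:
        return "reject", f"inner address {inner} equals peer's outer address"

    # Exclusions win over allows.
    if any(inner in net for net in deny):
        return "reject", f"inner address {inner} is in an excluded range"

    # Anything outside the allowed virtual_private ranges could claim
    # a real, routable address belonging to someone else.
    if not any(inner in net for net in allow):
        return "reject", f"inner address {inner} is outside virtual_private"

    return "accept", f"inner address {inner} is within virtual_private"


if __name__ == "__main__":
    # Constructed sample requests (TEST-NET addresses, not real peers).
    samples = [
        ("203.0.113.7", "192.168.1.20"),   # typical NATed client
        ("203.0.113.7", "203.0.113.7"),    # the reported Apple behaviour
        ("203.0.113.7", "198.51.100.9"),   # some other public address
    ]
    for outer, inner in samples:
        verdict, reason = check_inner_address(outer, inner)
        print(f"{outer} -> {inner}: {verdict} ({reason})")
```

Widening `virtual_private` to `%v4:0.0.0.0/0` makes the third request succeed, which is exactly the trade-off Paul is objecting to: the gateway would then route any address a client names through that client's tunnel. Keeping the equal-address check as a distinct rule lets a deployment log that case loudly without having to open the allow list.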
