Dan McDonald wrote:
> One open question is whether or not we should allow NAT-Traversal SAs with a
> local port that is NOT UDP 4500. The changes required from the kernel side
> are pretty small, and marked with TODO in the appropriate IPsec kernel source
> files. The user-land side for our IKE daemon, besides being closed-source,
> is non-trivial, and would require substantive changes. I'm willing to
> entertain making the kernel changes, however, given sufficient community
> motivation. :)
Ignoring the closed source in.iked for now.
Does allowing NAT-T with a port other than UDP 4500 open up the
possibility of using IPsec with NAT as a client in a network that only
has, say, 80 and 443 open for external connections?
If so I think that is worth doing even if the current in.iked can't make
use of this. Someone (say a GSoC 2007 student) might be able to make
use of this in porting, say, Racoon2?
--
Darren J Moffat
_______________________________________________
networking-discuss mailing list
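What the kernel-side change actually amounts to is demultiplexing UDP datagrams on whatever port the NAT-T listener uses, rather than on a hard-wired 4500. The example below is added here to illustrate that; it is not code from this thread, from in.iked, or from the OpenSolaris IPsec sources. It applies the RFC 3948 rules (a single 0xFF octet is a NAT keepalive, four zero octets are the "non-ESP marker" in front of an IKE header, anything else starts with an ESP SPI) against a hypothetical `struct natt_listener` whose `natt_port` field is the only thing that ties the rules to a port. The sample datagrams are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Classification of a UDP datagram arriving at a NAT-T listener,
 * following the demultiplexing rules of RFC 3948 (UDP encapsulation of ESP). */
enum natt_kind {
    NATT_NOT_NATT,   /* not addressed to the listener's NAT-T port */
    NATT_KEEPALIVE,  /* single 0xFF octet (RFC 3948 section 2.3) */
    NATT_IKE,        /* four zero octets ("non-ESP marker") then an IKE header */
    NATT_ESP,        /* UDP-encapsulated ESP: SPI followed by sequence number */
    NATT_INVALID     /* too short to be any of the above */
};

/* Hypothetical listener state (assumption for this example). RFC 3948 fixes
 * the port at UDP 4500; the thread is about letting it be something else,
 * so the port is a field rather than a constant. */
struct natt_listener {
    uint16_t natt_port;
};

#define ESP_HDR_LEN     8   /* SPI (4) + sequence number (4) */
#define IKE_HDR_LEN    28   /* ISAKMP/IKE header */
#define NON_ESP_MARKER  4   /* zero octets in front of IKE on the NAT-T port */

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Classify one UDP payload delivered to udp_dport. On NATT_ESP, the SPI is
 * written to *spi_out (if non-NULL) so the caller can look up the SA. */
enum natt_kind natt_classify(const struct natt_listener *l, uint16_t udp_dport,
                             const uint8_t *payload, size_t len, uint32_t *spi_out)
{
    if (udp_dport != l->natt_port)
        return NATT_NOT_NATT;              /* plain UDP, not ours to decapsulate */

    if (len == 1 && payload[0] == 0xFF)
        return NATT_KEEPALIVE;             /* NAT keepalive: absorb, never pass up */

    if (len < NON_ESP_MARKER)
        return NATT_INVALID;

    uint32_t first = get_be32(payload);
    if (first == 0) {
        /* SPI 0 is never assigned to an SA on the wire, so four zero octets
         * can only be the non-ESP marker; an IKE header must follow it. */
        return (len >= NON_ESP_MARKER + IKE_HDR_LEN) ? NATT_IKE : NATT_INVALID;
    }

    if (len < ESP_HDR_LEN)
        return NATT_INVALID;               /* not even a full ESP header */
    if (spi_out)
        *spi_out = first;
    return NATT_ESP;
}

/* Convenience wrapper: SPI of an encapsulated ESP datagram, 0 if it is not one. */
uint32_t natt_esp_spi(const struct natt_listener *l, uint16_t udp_dport,
                      const uint8_t *payload, size_t len)
{
    uint32_t spi = 0;
    return natt_classify(l, udp_dport, payload, len, &spi) == NATT_ESP ? spi : 0;
}

/* Constructed sample datagrams (UDP payload only, no UDP header). */
static const struct natt_listener LISTENER_4500 = { 4500 };
static const struct natt_listener LISTENER_443  = { 443 };   /* the "only 80/443 open" case */

static const uint8_t SAMPLE_KEEPALIVE[] = { 0xFF };
static const uint8_t SAMPLE_IKE[NON_ESP_MARKER + IKE_HDR_LEN] = {
    0x00, 0x00, 0x00, 0x00,                         /* non-ESP marker */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08  /* initiator SPI; rest of header left zero */
};
static const uint8_t SAMPLE_ESP[] = {
    0x00, 0x00, 0x10, 0x01,   /* SPI 0x1001 */
    0x00, 0x00, 0x00, 0x01,   /* sequence number 1 */
    0xDE, 0xAD, 0xBE, 0xEF    /* (opaque) encrypted payload */
};

int main(void)
{
    static const char *names[] = { "not NAT-T", "keepalive", "IKE", "ESP", "invalid" };
    printf("4500/keepalive: %s\n", names[natt_classify(&LISTENER_4500, 4500, SAMPLE_KEEPALIVE, sizeof SAMPLE_KEEPALIVE, NULL)]);
    printf("4500/ike:       %s\n", names[natt_classify(&LISTENER_4500, 4500, SAMPLE_IKE, sizeof SAMPLE_IKE, NULL)]);
    printf("443/esp:        %s (spi 0x%x)\n", names[natt_classify(&LISTENER_443, 443, SAMPLE_ESP, sizeof SAMPLE_ESP, NULL)],
           natt_esp_spi(&LISTENER_443, 443, SAMPLE_ESP, sizeof SAMPLE_ESP));
    printf("4500 listener, dport 443: %s\n", names[natt_classify(&LISTENER_4500, 443, SAMPLE_ESP, sizeof SAMPLE_ESP, NULL)]);
    return 0;
}
```

The port appears in exactly one comparison, which is why the kernel side is "pretty small": the RFC 3948 framing does not depend on the port number at all. The caveat for the 80/443 use case is that this only gets the datagrams past a port filter; a middlebox that expects real HTTP or TLS on those ports will drop or reset the traffic, and the IKE daemon still has to learn and advertise the non-standard port, which is the non-trivial user-land part Dan refers to.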