Dan McDonald wrote:
> On Mon, May 21, 2007 at 10:21:26AM +0100, Darren J Moffat wrote:
> <SNIP!>
>> Does allowing NAT-T with port other than UDP 4500 open up the
>> possibility of using IPsec with NAT as a client in a network that only
>> has say 80 and 443 open for external connections?
>
> Not unless those opens apply to *UDP* 80 and/or 443. Doing NAT-T over TCP is
> a whole new can of worms. :-P

I believe that 80/udp is common but 443/udp less so. Indeed NAT-T over
TCP is "interesting".

>> If so I think that is worth doing even if the current in.iked can't make
>> use of this. Someone (say a GSoC 2007 student) might be able to make
>> use of this in porting say Racoon2?
>
> Like I said, the kernel changes aren't much for arbitrary UDP ports, and
> every local port you want only needs a corresponding socket bound to that
> port with UDP_NAT_T_ENDPOINT set for proper inbound demuxing.

Sounds worth it to me.
--
Darren J Moffat
_______________________________________________
networking-discuss mailing list
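The mechanism Dan describes above (one UDP socket bound per local port, with UDP_NAT_T_ENDPOINT set so the kernel demuxes inbound NAT-T traffic on it) as an added C example; this is not code from the thread or from in.iked. It assumes the Solaris/illumos UDP_NAT_T_ENDPOINT socket option from <netinet/udp.h>; on systems without it the #ifdef leaves a plain UDP socket so the program still builds, and the `natt_enabled` out-parameter reports which case occurred. The 127.0.0.1 bind and the 80/udp alternate port in main() are constructed for the demonstration.

```c
/* Added example: open a local UDP port as an IPsec NAT-T endpoint.
 * UDP_NAT_T_ENDPOINT is the Solaris/illumos socket option the thread names;
 * elsewhere the option is absent and the socket stays an ordinary UDP socket. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>

/* Bind a UDP socket to 127.0.0.1:port (port 0 = kernel-chosen ephemeral port)
 * and, where the option exists, mark it as a NAT-T endpoint.
 * Returns the socket fd, or -1 on failure. *natt_enabled is set to 1 only if
 * UDP_NAT_T_ENDPOINT was actually applied. */
int open_natt_endpoint(unsigned short port, int *natt_enabled)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK); /* constructed: loopback only */
    sin.sin_port = htons(port);

    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }

    *natt_enabled = 0;
#ifdef UDP_NAT_T_ENDPOINT
    /* Solaris/illumos: tell the UDP layer this socket carries NAT-T, so inbound
     * UDP-encapsulated IPsec on this port is demuxed correctly. */
    int on = 1;
    if (setsockopt(fd, IPPROTO_UDP, UDP_NAT_T_ENDPOINT, &on, sizeof on) == 0)
        *natt_enabled = 1;
#endif
    return fd;
}

/* Report the port the socket ended up bound to (useful after requesting 0). */
int bound_port(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0)
        return -1;
    return ntohs(sin.sin_port);
}

int main(void)
{
    /* Standard NAT-T port plus one alternate from the thread's discussion.
     * Binding the low-numbered 80/udp normally needs privilege. */
    unsigned short ports[] = { 4500, 80 };
    for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++) {
        int enabled = 0;
        int fd = open_natt_endpoint(ports[i], &enabled);
        if (fd < 0) {
            perror("open_natt_endpoint");
            continue;
        }
        printf("udp/%d bound, UDP_NAT_T_ENDPOINT %s\n", bound_port(fd),
               enabled ? "set" : "not available on this system");
        close(fd);
    }
    return 0;
}
```

Each additional port the daemon wants to accept NAT-T on is just another call to open_natt_endpoint(); the kernel side needs no per-port configuration beyond the bound socket carrying the option.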