Paul Wouters wrote:
The issue with USE_NAT_TRAVERSAL_TRANSPORT_MODE is not whether or not it was causing problems in the implementation, but that as a feature, it is a security risk. Openswan tends to package with all dangerous options disabled, leaving them open for the (hopefully somewhat clueful) user to enable. One such example is 1DES. NAT-traversal in transport mode also has security implications. That is why it is disabled.
What I understand of it is that Mathieu Lafon (the author of the NAT-T patch for FreeS/WAN) wrote that _his particular implementation_ had security implications in Transport Mode. Now, I don't know if this issue is located in the kernel part or in the FreeS/WAN userland part. If it is the latter then it's probably prudent to keep Transport Mode NAT-T disabled by default. If there is an inherent problem with NAT-T in Transport Mode, then we should inform Microsoft, SSH, Safenet, Apple et al. :-)

Jacco
--
Jacco de Leeuw mailto:jacco2@dds.nl
Zaandam, The Netherlands http://www.jacco2.dds.nl