It is just the single NAT64 that is in question (I also tend to think that is broken for IPsec clients?).
Popular IPsec clients work perfectly via 464xlat (double NAT64).

-----Original Message-----
From: sunset4 [mailto:sunset4-boun...@ietf.org] On Behalf Of Bjoern A. Zeeb
Sent: 09 December 2016 16:33
To: Bill Fenner
Cc: ipsec@ietf.org; suns...@ietf.org
Subject: Re: [sunset4] ietf-nat64 - Internet VPN clients

On 9 Dec 2016, at 16:07, Bill Fenner wrote:

> On Fri, Dec 9, 2016 at 8:41 AM, Heatley, Nick <nick.heat...@ee.co.uk>
> wrote:
>
>> Hi All,
>>
>> The sunset4 minutes suggest NAT64 SSID to become the default?
>>
>> Just checking, is there any summary on how VPN clients behaved on the
>> nat64 SSID following the event?
>>
>
> Just an anecdote, not actual information: I have two different ways to
> contact my office VPN server (SSL VPN and IPSEC); neither one worked
> from NAT64. The vendor documentation says that they don't support
> IPv6 transport for the SSL VPN; I do not know what went wrong with the
> IPSEC VPN. The vendor introduced support for IPSEC with v6 transport
> in their newest software, to which we'll upgrade soon; perhaps that
> upgrade will include whatever is required for it to work through NAT64
> too. Their support matrix still says that even the newest software
> does not support SSL VPN over IPv6.

That’s maybe for the ipsec wg but while native IPv6 VPN has been working fine for me for ages, how would a NAT64 policy exchange actually look like (I am thinking about what is done for IPv4 NAT or double NAT within the same address family); I doubt that different AFs on each end as part of the policy are specified to work, so I’d not expect IPsec VPNs to work across a NAT64 (from a v6 to a v4 endpoint); someone surprise me and say with IKEv2 you can? Someone surprise me and say with a double NAT64 it can work?

/bz