Bjoern A. Zeeb <bzeeb-li...@lists.zabbadoz.net> wrote:
> That’s maybe for the ipsec wg but while native IPv6 VPN has been working fine
> for me for ages, what would a NAT64 policy exchange actually look like (I am
> thinking about what is done for IPv4 NAT or double NAT within the same

NAT64 depends upon DNS64 to provide a fake IPv6 target for the application to connect to. So, for IPsec to work over NAT64 would require:

1) IPsec able to traverse over IPv6 networks (outer IP header being IPv6).
2) An IKEv2 daemon that uses DNS to find its IPv4-only gateway, so that it can be lied to about the returned AAAA record.

In Bill's case, he hasn't got (1), so it's not going to work. Once he has (1) (the upgrade he mentioned), if his policy lets him use DNS to find his gateway, and he doesn't do DNSSEC on that, then it ought to work.

Of course, once he has the upgrade, if his gateway would just have an IPv6, he wouldn't need NAT64. And he can tunnel his company 10.x v4 network over things as much as he likes... but there is the question about where his Internet-bound v4 traffic will go... likely if his company's VPN wants to inspect his traffic, the v4 will go through the tunnel, not using the NAT64 at all, and causing him higher latency. But, that's what would happen in a pure v4 situation anyway.

> address family); I doubt that different AFs on each end as part of the
> policy are specified to work, so I’d not expect IPsec VPNs to work across a
> NAT64 (from a v6 to a v4 endpoint); someone surprise me and say with IKEv2
> you can? Someone surprise me and say with a double NAT64 it can work?

I'm not sure IKEv2 even knows or cares how the port-500 packets get there. I use v6 over X tunnels (where X is usually v4) in order to get v6 to my laptop from coffee shops regularly. I haven't tried this over NAT64, but I will change this to use DNS. Of course, I wouldn't need this tunnel in a NAT64 network, since I'd have v6, so I'll set up some v4 IPsec too for the next IETF and try it out.

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
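The DNS64 dependency described in the reply above, as an added example that is not part of the original mail or of any IETF specification text: a small Python model of how a DNS64 resolver synthesizes an AAAA record by embedding the IPv4 address in a /96 prefix (RFC 6052 layout, using the 64:ff9b::/96 well-known prefix; a real deployment may use a network-specific prefix instead), and of what an IKEv2 initiator on an IPv6-only network ends up with depending on whether its gateway is configured as an IPv4 literal or as a DNS name, and whether it validates DNSSEC itself. The zone contents, host names and addresses are constructed for the example.

```python
import ipaddress

# RFC 6052 well-known prefix; assumed here in place of a network-specific prefix.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed stand-in for authoritative DNS data: name -> (A records, AAAA records).
ZONE = {
    "vpn-v4only.example.net": (["192.0.2.10"], []),            # IPv4-only gateway
    "vpn-dual.example.net": (["192.0.2.20"], ["2001:db8::20"]),  # dual-stack gateway
}


def synthesize_aaaa(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052 /96 format)."""
    if prefix.prefixlen != 96:
        raise ValueError("this model only handles /96 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Inverse mapping the NAT64 translator performs; None if the address is not synthesized."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_lookup(name, zone=ZONE, prefix=WELL_KNOWN_PREFIX):
    """AAAA answers a DNS64 resolver returns: (address, synthesized?) tuples.

    Real AAAA records are passed through untouched; only when none exist does
    the resolver fabricate AAAA records from the A records.
    """
    a_records, aaaa_records = zone.get(name, ([], []))
    if aaaa_records:
        return [(addr, False) for addr in aaaa_records]
    return [(synthesize_aaaa(a, prefix), True) for a in a_records]


def ike_peer_candidates(configured_peer, dnssec_validating=False, zone=ZONE):
    """IPv6 addresses an IKEv2 initiator on an IPv6-only NAT64 network could send IKE to.

    - IPv6 literal: reachable natively, no NAT64 involved.
    - IPv4 literal: no DNS query ever happens, so DNS64 has nothing to rewrite
      and the IPv6-only network has no path to it.
    - Name: DNS64 supplies a real or synthesized AAAA. A synthesized record has
      no valid DNSSEC signature, so an initiator that validates on its own
      rejects it, which is the mail's "doesn't do DNSSEC on that" condition.
    """
    try:
        literal = ipaddress.ip_address(configured_peer)
    except ValueError:
        literal = None
    if literal is not None:
        return [str(literal)] if literal.version == 6 else []
    answers = dns64_lookup(configured_peer, zone)
    if dnssec_validating:
        return [addr for addr, synthesized in answers if not synthesized]
    return [addr for addr, _ in answers]


if __name__ == "__main__":
    for peer in ("192.0.2.10", "vpn-v4only.example.net", "vpn-dual.example.net"):
        for validating in (False, True):
            print(f"{peer:26} dnssec={validating!s:5} -> "
                  f"{ike_peer_candidates(peer, validating)}")
```

The model makes the two conditions in the mail concrete: a gateway configured by IPv4 literal yields no candidate at all, a name resolves to a synthesized 64:ff9b::c000:20a that the translator maps back to 192.0.2.10, and turning on client-side DNSSEC validation removes the synthesized answer while leaving a genuine AAAA record untouched.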
_______________________________________________
sunset4 mailing list
sunset4@ietf.org
https://www.ietf.org/mailman/listinfo/sunset4