Thanks for this, very useful.
Is the VPN client also discovering the well-known prefix for v6 address 
synthesis itself, or relying on the OS to provide that?



-------- Original message --------
From: Tommy Pauly <tpa...@apple.com>
Date: 09/12/2016 17:32 (GMT+00:00)
To: "Heatley, Nick" <nick.heat...@ee.co.uk>
Cc: "Bjoern A. Zeeb" <bzeeb-li...@lists.zabbadoz.net>, Bill Fenner 
<fen...@fenron.com>, ip...@ietf.org, sunset4@ietf.org
Subject: Re: [IPsec] [sunset4] ietf-nat64 - Internet VPN clients

With our push to support NAT64 networks (without 464xlat) for Apple's devices, 
we added support for NAT64 networks to both our IKEv1 and IKEv2 clients a few 
releases ago. It was a fairly straightforward change. The main parts are making 
sure any IPv4 literals meant to be used outside the tunnel that come across in 
the IKE exchange are synthesized into IPv6 addresses; and making sure that the 
ESP layer is happy encapsulating IPv4 in IPv6 for tunnels. Historically, many 
implementations only supported IPv4-in-IPv4, IPv6-in-IPv6, and IPv6-in-IPv4.

From an interop perspective, this is just a change that needs to be made on 
the client behind the NAT64, and requires no protocol changes in IKE or 
knowledge on the server side.

Thanks,
Tommy Pauly

> On Dec 9, 2016, at 9:03 AM, Heatley, Nick <nick.heat...@ee.co.uk> wrote:
>
> It is just the single NAT64 that is in question (I also tend to think that is 
> broken for IPsec clients?).
>
> Popular IPsec clients work perfectly via 464xlat (double NAT64).
>
>
>
> -----Original Message-----
> From: sunset4 [mailto:sunset4-boun...@ietf.org] On Behalf Of Bjoern A. Zeeb
> Sent: 09 December 2016 16:33
> To: Bill Fenner
> Cc: ip...@ietf.org; sunset4@ietf.org
> Subject: Re: [sunset4] ietf-nat64 - Internet VPN clients
>
> On 9 Dec 2016, at 16:07, Bill Fenner wrote:
>
>> On Fri, Dec 9, 2016 at 8:41 AM, Heatley, Nick <nick.heat...@ee.co.uk>
>> wrote:
>>
>>> Hi All,
>>>
>>> The sunset4 minutes suggest NAT64 SSID to become the default?
>>>
>>> Just checking, is there any summary on how VPN clients behaved on the
>>> nat64 SSID following the event?
>>>
>>
>> Just an anecdote, not actual information: I have two different ways to
>> contact my office VPN server (SSL VPN and IPSEC); neither one worked
>> from NAT64.  The vendor documentation says that they don't support
>> IPv6 transport for the SSL VPN; I do not know what went wrong with the
>> IPSEC VPN.  The vendor introduced support for IPSEC with v6 transport
>> in their newest software, to which we'll upgrade soon; perhaps that
>> upgrade will include whatever is required for it to work through NAT64
>> too.  Their support matrix still says that even the newest software
>> does not support SSL VPN over IPv6.
>
> That’s maybe for the ipsec wg but while native IPv6 VPN has been working fine 
> for me for ages, what would a NAT64 policy exchange actually look like (I am 
> thinking about what is done for IPv4 NAT or double NAT within the same 
> address family);  I doubt that different AFs on each end as part of the 
> policy are specified to work, so I’d not expect IPsec VPNs to work across a 
> NAT64 (from a v6 to a v4 endpoint);  someone surprise me and say with IKEv2 
> you can?  Someone surprise me and say with a double NAT64 it can work?
>
> /bz
>
> _______________________________________________
> sunset4 mailing list
> sunset4@ietf.org
> https://www.ietf.org/mailman/listinfo/sunset4
>
> NOTICE AND DISCLAIMER
> This email contains BT information, which may be privileged or confidential. 
> It's meant only for the individual(s) or entity named above.
> If you're not the intended recipient, note that disclosing, copying, 
> distributing or using this information is prohibited.
> If you've received this email in error, please let me know immediately on the 
> email address above. Thank you.
>
> We monitor our email system, and may record your emails.
>
> EE Limited
> Registered office:Trident Place, Mosquito Way, Hatfield, Hertfordshire, AL10 
> 9BW
> Registered in England no: 02382161
>
> EE Limited is a wholly owned subsidiary of:
>
> British Telecommunications plc
> Registered office: 81 Newgate Street London EC1A 7AJ
> Registered in England no: 1800000
> _______________________________________________
> IPsec mailing list
> ip...@ietf.org
> https://www.ietf.org/mailman/listinfo/ipsec
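
Added example (not part of the original messages and not any vendor's client code): the address synthesis discussed in this thread, done per RFC 6052 for every permitted prefix length, together with detection of the NAT64 prefix from an AAAA answer for ipv4only.arpa as described in RFC 7050. The function names and the sample addresses (documentation ranges, constructed) are assumptions chosen for illustration.

```python
"""RFC 6052 synthesis and RFC 7050-style NAT64 prefix detection (added example)."""
import ipaddress

PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)   # the only lengths RFC 6052 permits
WELL_KNOWN_PREFIX = "64:ff9b::/96"          # RFC 6052 well-known prefix
# IPv4 addresses that ipv4only.arpa always resolves to (RFC 7050).
WKA = {ipaddress.IPv4Address("192.0.0.170"), ipaddress.IPv4Address("192.0.0.171")}


def _v4_positions(plen):
    """Octet indexes carrying the IPv4 address; octet 8 (the 'u' octet) is skipped."""
    return [i for i in range(plen // 8, 16) if i != 8][:4]


def synthesize(prefix, v4_literal):
    """Embed an IPv4 literal (e.g. a VPN server address) in a NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in PREFIX_LENGTHS:
        raise ValueError("NAT64 prefix length must be one of %r" % (PREFIX_LENGTHS,))
    out = bytearray(net.network_address.packed)   # host bits start as zero
    v4 = ipaddress.IPv4Address(v4_literal).packed
    for pos, octet in zip(_v4_positions(net.prefixlen), v4):
        out[pos] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract_v4(addr, plen):
    """Recover the IPv4 address embedded in addr, assuming prefix length plen."""
    raw = ipaddress.IPv6Address(addr).packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _v4_positions(plen)))


def discover_prefix(aaaa_answer):
    """Given one AAAA answer for ipv4only.arpa, return the NAT64 prefix or None."""
    raw = ipaddress.IPv6Address(aaaa_answer).packed
    for plen in PREFIX_LENGTHS:
        if extract_v4(aaaa_answer, plen) in WKA:
            n = plen // 8
            return ipaddress.IPv6Network((raw[:n] + bytes(16 - n), plen))
    return None   # no well-known address found: not a synthesized answer


if __name__ == "__main__":
    # Constructed sample: the AAAA a DNS64 using the well-known prefix would return.
    prefix = discover_prefix("64:ff9b::c000:aa")
    print("discovered prefix:", prefix)
    # 192.0.2.33 stands in for an IPv4 literal received in the IKE exchange.
    print("synthesized peer: ", synthesize(str(prefix), "192.0.2.33"))
```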

