On Fri, Dec 9, 2016 at 4:39 PM, Michael Richardson <[email protected]> wrote:
> Bjoern A. Zeeb <[email protected]> wrote:
> > That’s maybe for the ipsec wg but while native IPv6 VPN has been working fine
> > for me for ages, how would a NAT64 policy exchange actually look like (I am
> > thinking about what is done for IPv4 NAT or double NAT within the same
>
> NAT64 depends upon DNS64 to provide a fake IPv6 target for the application to
> connect to.
>
> So, for IPsec to work over NAT64 would require:
>
> 1) IPsec able to traverse over IPv6 networks (outer IP header being IPv6).
> 2) An IKEv2 daemon that uses DNS to find its IPv4-only gateway, so that it
>    can be lied to about the returned AAAA record.
>
> In Bill's case, he hasn't got (1), so it's not going to work.

Well, I was using Apple's "Cisco IPSec" client for OSX 10.11.5, and it's the server side implementation that says that IPv6 transport is not supported. So, perhaps, I have a client that would support it.

> Once he has (1) (the upgrade he mentioned), if his policy lets him use DNS to
> find his gateway, and he doesn't do DNSSEC on that, then it ought to work.

That is what I have configured.

Bill
_______________________________________________
sunset4 mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sunset4
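
The conditions discussed in this thread, as an added example that is not part of the original messages: DNS64 synthesis of a AAAA record for an IPv4-only gateway, and the three cases in which an IKEv2 client on an IPv6-only network does or does not get a usable outer address. It assumes the RFC 6052 well-known prefix `64:ff9b::/96`; the function names and the documentation address `192.0.2.33` are constructed for illustration.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix (assumption: the network uses it, as a /96).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """Return the AAAA a DNS64 resolver fabricates for an IPv4-only host."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles /96 NAT64 prefixes")
    v4 = ipaddress.IPv4Address(ipv4)
    # With a /96 prefix the IPv4 address occupies the low 32 bits.
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def embedded_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Recover the real IPv4 peer from a synthesized address, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def outer_address(gateway_ipv4, configured_by_name, zone_signed, validates):
    """Model which outer IPv6 address the IKEv2 client ends up with.

    configured_by_name: the gateway is set as a DNS name, not an IPv4 literal.
    zone_signed:        the gateway's zone is DNSSEC-signed.
    validates:          the client validates DNSSEC on that lookup.
    """
    if not configured_by_name:
        # An IPv4 literal triggers no DNS query, so DNS64 cannot substitute
        # anything and the client has no IPv6 target to send to.
        return None
    if zone_signed and validates:
        # No RRSIG covers the fabricated AAAA, so a validating client
        # cannot accept it as an answer for a signed zone.
        return None
    return synthesize_aaaa(gateway_ipv4)


if __name__ == "__main__":
    gw = "192.0.2.33"  # constructed sample gateway (TEST-NET-1)
    print(outer_address(gw, True, False, False))   # by name, no DNSSEC
    print(outer_address(gw, True, True, True))     # signed zone, validating
    print(outer_address(gw, False, False, False))  # IPv4 literal configured
```

On the defender's side, `embedded_ipv4` is also how a log reviewer maps a `64:ff9b::/96` peer seen in IKE logs back to the real IPv4 gateway.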
