Mac OS X and other operating systems use L2TP/IPsec for VPN connections. I’m running StrongSwan as my IPsec stack of choice, so I wanted to set up a VPN between my Debian Lenny server and OS X as my road warrior. There’s a nice how-to on nielspeen.com. Everything is fine except for one thing:
Q: I want to set up strongSwan to interoperate with Microsoft Windows using L2TP/IPsec. I’m getting the error message “NAT-Traversal: Transport mode disabled due to security concerns” which results in strongSwan sending an encrypted notification BAD_PROPOSAL_SYNTAX
A: Here is a quote from strongSwan lead developer Andreas Steffen on how to deal with this problem:
NAT-Traversal with IPsec transport mode has some inherent security risks. Since Microsoft doesn’t care about this please compile strongSwan with the option
So, there’s the inherent security risk, but without --enable-nat-transport L2TP/IPsec doesn’t work at all with StrongSwan on Lenny. Is there anything I can do, dear LazyWeb, to be able to use an L2TP/IPsec VPN connection with OS X and Linux (StrongSwan) and still have a really secure connection? Being able to use Windows as a VPN road warrior client is optional, but not a requirement.
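For reference, this is the shape of an ipsec.conf that a strongSwan 4.x (pluto) responder needs for an L2TP/IPsec road warrior. It is an added example, not configuration from this post or from the nielspeen.com how-to; the interface selection and the comments about client behaviour are assumptions, and the port wildcard 17/%any is assumed to be accepted by the strongSwan version shipped with Lenny. Note that --enable-nat-transport is a build-time configure option of strongSwan itself: no ipsec.conf setting replaces it, the `config setup` below only switches NAT-Traversal on.

```ini
# ipsec.conf for a strongSwan 4.x (pluto) server accepting L2TP/IPsec
# road warriors. Added example, not from the original post; values are
# placeholders and must be adapted to the server.
config setup
    # OS X clients are usually behind NAT, so IKE and ESP have to be
    # UDP-encapsulated. This alone is not enough: a strongSwan built
    # without --enable-nat-transport still refuses transport mode for a
    # NAT'd peer with "Transport mode disabled due to security concerns".
    nat_traversal=yes

conn L2TP-PSK
    # The built-in OS X client speaks IKEv1 with a pre-shared key
    keyexchange=ikev1
    authby=secret
    # L2TP (and PPP inside it) carries the tunnel; IPsec itself is transport mode
    type=transport
    # Server side: protect only UDP 1701, the L2TP port
    # (assumption: the public address is on the default-route interface)
    left=%defaultroute
    leftprotoport=17/1701
    # Any client address, any client source port: a client behind NAT
    # does not necessarily reach us from UDP 1701
    right=%any
    rightprotoport=17/%any
    # Road warriors initiate; the server only waits for connections
    rekey=no
    auto=add
```

With `right=%any` and `authby=secret` every road warrior presents the same pre-shared key (the `: PSK "..."` entry in ipsec.secrets), so the IPsec layer only authenticates "someone who knows the group secret"; the per-user authentication in an L2TP/IPsec setup comes from the PPP (CHAP/MS-CHAPv2) exchange inside the L2TP tunnel, which is the same for OS X and Windows clients.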