L2TP/IPSec VPN doesn't do NAT-T?
I've made an L2TP/IPSec tunnel using System Preferences->Network->VPN on a 10.6.8 client.
When a NAT isn't involved, this tunnel works. When a NAT is involved, it doesn't work.
If I'm interpreting Wireshark correctly, it appears that the Mac negotiates that it _could_ use NAT-T with the other end. But when push comes to shove, it doesn't actually use NAT-T protocols. The Mac side emits ESP/IP packets (which aren't NAT-friendly), when it really should be encapsulating ESP in port 4500/UDP. Doh!
Digging a little deeper, racoon appears to be the daemon that should do the NAT-T dance. The (no-longer-ships-with-Snow Leopard) man page for racoon.conf, at:
indicates that nat_traversal is NOT the default, but there's an option "nat_traversal = force" that looks like it'd be the right option to put in racoon.conf. The problem is that it's difficult to put the directive in the right racoon.conf. There's an /etc/racoon/racoon.conf, but what the GUI does is generate a dynamic racoon.conf in /var/run/racoon/ which /etc/racoon/racoon.conf is configured to source.
Questions:
1) Is there a sane way to tweak what gets written to the dynamic racoon.conf? Some plist to edit, perhaps?
2) Is this any better with Lion? Why on earth isn't NAT-T the default?
3) Anyone know if OpenVPN, SSTP, etc. will be VPN options in the future? (For assorted reasons, I need to avoid 3rd party VPN products, even though they'd almost certainly be less of a pain than IPSec.)
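As an added example (not part of the original question, and not Apple's or racoon's own code): a small shell script that reads a racoon.conf and reports, per `remote` block, what `nat_traversal` is set to, so you can see what the GUI-generated file under /var/run/racoon/ actually asks for before trying to override it. It relies on the racoon.conf syntax `nat_traversal on|off|force;` inside a `remote` block (the directive the question refers to; racoon treats an absent directive as off). The two sample config files are constructed for illustration, one without the directive and one with `nat_traversal force;` added, and are not copies of what Snow Leopard generates; the interface name `en0` in the trailing tcpdump hint is an assumption.

```shell
#!/bin/sh
# Added example: report the nat_traversal setting of each "remote" block in a
# racoon.conf. Syntax assumed: remote <peer> { ... nat_traversal on|off|force; ... }
# The sample configs below are constructed for this example.

# natt_status FILE
#   prints "<peer> <value>" for every remote block; value is "unset" when the
#   directive is absent (racoon then behaves as if nat_traversal were off).
natt_status() {
    awk '
        { sub(/#.*/, "") }                       # drop comments first
        /^[[:space:]]*remote[[:space:]]/ { peer = $2; val = "unset"; depth = 0 }
        /\{/ { depth++ }                         # track nesting (proposal {...})
        peer != "" && $1 == "nat_traversal" { v = $2; sub(/;$/, "", v); val = v }
        /\}/ { depth--; if (peer != "" && depth == 0) { print peer, val; peer = "" } }
    ' "$1"
}

# write_samples DIR
#   writes two constructed configs: gui.conf (no directive, the situation the
#   question describes) and fixed.conf (same block with nat_traversal force).
write_samples() {
    cat > "$1/gui.conf" <<'EOF'
# constructed sample, no nat_traversal directive
remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    proposal_check obey;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
EOF
    cat > "$1/fixed.conf" <<'EOF'
# constructed sample, NAT-T forced on
remote anonymous {
    exchange_mode main;
    doi ipsec_doi;
    proposal_check obey;
    nat_traversal force;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
EOF
}

# Demo: compare the two constructed files.
tmp=$(mktemp -d)
write_samples "$tmp"
for f in "$tmp/gui.conf" "$tmp/fixed.conf"; do
    printf '%s: %s\n' "$(basename "$f")" "$(natt_status "$f")"
done
rm -rf "$tmp"

# On the Mac, run the same check against the GUI-generated file(s):
#   for f in /var/run/racoon/*.conf; do natt_status "$f"; done
# and confirm on the wire (en0 assumed) whether traffic moves from raw ESP
# (IP protocol 50) to UDP 4500 once the tunnel is up:
#   sudo tcpdump -ni en0 'udp port 500 or udp port 4500 or proto 50'
```

Running it prints `gui.conf: anonymous unset` and `fixed.conf: anonymous force`. If the file under /var/run/racoon/ reports `unset` while Wireshark shows raw ESP, the two observations agree, and the override has to land in that dynamic block (or in a block racoon reads for the same peer) rather than only in /etc/racoon/racoon.conf.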