Is using L2TP/IPsec VPN over NAT-T actually insecure, or is this only
a theoretical risk?
Microsoft says yes and no:
Yes, if this scenario applies to you:
- A network address translator is configured to map IKE and IPSec NAT-T traffic to a server on a NAT-configured network. (This server is
Server 1.) The network address translator mappings are the ones that
we recommend in this article.
- A client from outside the NAT-configured network uses IPSec NAT-T to establish bidirectional security associations with Server 1. (This
client is Client 1.)
- A client on the NAT-configured network uses IPSec NAT-T to establish bidirectional security associations with Client 1. (This
client is Client 2.)
- A condition occurs that causes Client 1 to reestablish the security associations with Client 2 because of the static network address
translator mappings that map IKE and IPSec NAT-T traffic to Server 1.
This condition may cause the IPSec security association negotiation
traffic that is sent by Client 1 and that is destined for Client 2 to
be misrouted to Server 1
Although this is an uncommon situation, the default behavior on
Windows XP SP2-based computers prevents any IPSec NAT-T-based security
associations to servers that are located behind a network address
translator to make sure that this situation never occurs.
Note that this recommendation still exists in recent versions of the Microsoft Windows operating system (Windows 7, 8, 10).
No, if you are sure that this scenario does not apply to your case.
Is there any reason to NOT use L2TP/IPsec+NAT-T as a replacement for a
PPTP VPN?
If you choose IPsec tunneling, it means you need to protect the confidentiality and integrity of the data, but also to ensure the authenticity of the sender. Combining this with NAT is somewhat in contradiction with your goal, since NAT may forward responses/requests to the wrong IP address.
Another technical issue is this:
NAT isn’t able to use the port numbers in TCP and UDP headers to
multiplex packets to multiple internal computers when those headers
have been encrypted by ESP
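The two points made in the answer above (the static-mapping misrouting scenario from the Microsoft article, and NAT's inability to multiplex raw ESP) can be shown with a toy NAT model. This is an added example, not code from the original post or from Microsoft; the host names, the addresses, the port-preserving NAT behaviour and the simplified mapping table (keyed on port only) are assumptions chosen for illustration.

```python
"""Toy model of a port-translating NAT in front of an IPsec network.

Constructed example, not vendor code. It illustrates:
1. Raw ESP (IP protocol 50) carries only an SPI, no transport ports, so
   the NAT has nothing to multiplex on; UDP-encapsulated ESP (NAT-T,
   UDP/4500) does have ports.
2. With static inbound mappings for UDP/500 and UDP/4500 pointing at
   Server 1, an IKE renegotiation that outside Client 1 sends for inside
   Client 2 lands on Server 1 once Client 2's dynamic mapping has expired.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IKE_PORT, NAT_T_PORT = 500, 4500


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp" or "esp"
    sport: Optional[int] = None  # None for ESP: there is no transport header
    dport: Optional[int] = None
    spi: Optional[int] = None    # ESP Security Parameter Index (opaque to NAT)


def nat_can_multiplex(pkt: Packet) -> bool:
    """A port-translating NAT needs transport ports; ESP exposes none."""
    return pkt.proto == "udp" and pkt.sport is not None and pkt.dport is not None


class Nat:
    def __init__(self, public_ip: str, static_inbound: Dict[Tuple[str, int], str]):
        self.public_ip = public_ip
        self.static_inbound = dict(static_inbound)          # (proto, port) -> inside host
        self.dynamic: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, public port) -> (host, port)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, or None if untranslatable."""
        if not nat_can_multiplex(pkt):
            return None
        # Assumed port-preserving NAT: public source port == inside source port.
        self.dynamic[(pkt.proto, pkt.sport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, pkt.dst, pkt.proto, pkt.sport, pkt.dport, pkt.spi)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. A live dynamic mapping wins; otherwise the static forward; otherwise drop."""
        if not nat_can_multiplex(pkt):
            return None
        key = (pkt.proto, pkt.dport)
        if key in self.dynamic:
            host, port = self.dynamic[key]
            return Packet(pkt.src, host, pkt.proto, pkt.sport, port, pkt.spi)
        if key in self.static_inbound:
            return Packet(pkt.src, self.static_inbound[key], pkt.proto, pkt.sport, pkt.dport, pkt.spi)
        return None

    def expire(self, proto: str, port: int) -> None:
        """Dynamic mappings time out; static ones never do."""
        self.dynamic.pop((proto, port), None)


def esp_vs_nat_t() -> Tuple[bool, bool]:
    """(raw ESP dropped?, UDP-encapsulated ESP forwarded?)"""
    nat = Nat("203.0.113.1", {})
    raw = nat.outbound(Packet("client2", "198.51.100.7", "esp", spi=0x1234))
    encap = nat.outbound(Packet("client2", "198.51.100.7", "udp", NAT_T_PORT, NAT_T_PORT, spi=0x1234))
    return raw is None, encap is not None   # -> (True, True)


def misrouting_scenario() -> Tuple[str, str]:
    """Where Client 1's IKE packets for Client 2 end up: while the dynamic mapping is live, and after it expires."""
    nat = Nat("203.0.113.1", {("udp", IKE_PORT): "server1", ("udp", NAT_T_PORT): "server1"})
    # Client 2 (inside) negotiates with Client 1 (outside); the NAT learns a mapping.
    nat.outbound(Packet("client2", "198.51.100.7", "udp", IKE_PORT, IKE_PORT))
    reply = nat.inbound(Packet("198.51.100.7", "203.0.113.1", "udp", IKE_PORT, IKE_PORT))
    # The mapping times out; Client 1 later re-initiates toward the same public IP/port.
    nat.expire("udp", IKE_PORT)
    renego = nat.inbound(Packet("198.51.100.7", "203.0.113.1", "udp", IKE_PORT, IKE_PORT))
    return reply.dst, renego.dst            # -> ("client2", "server1")


if __name__ == "__main__":
    print("raw ESP dropped, NAT-T forwarded:", esp_vs_nat_t())
    print("Client 1 -> Client 2 delivered to (live, expired):", misrouting_scenario())
```

The second function is the Microsoft scenario in miniature: nothing in the renegotiation packet distinguishes "meant for Client 2" from "meant for Server 1", so once the only state the NAT had (the dynamic mapping) is gone, the static forward decides, which is why the article's default behaviour refuses NAT-T associations to servers behind a NAT rather than relying on that state.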