author | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-11-28 12:52:30 +0000 |
---|---|---|
committer | Rene Mayrhofer <rene@mayrhofer.eu.org> | 2010-11-28 12:52:30 +0000 |
commit | 60411ffbaaa2be10b5153555875a9f3319ef8f8b (patch) | |
tree | 95a3d1cc8ccff3f2ef6563d02716ff8b6dccdd6e | |
parent | 4b4ab6fe44599491b65a2921da9a3c459c778148 (diff) | |
Also document new NAT-transport support in NEWS file.
-rw-r--r-- | debian/NEWS | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/debian/NEWS b/debian/NEWS index 8e149f913..dfdd1a4a7 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -9,6 +9,25 @@ strongswan (4.5.0-1) unstable; urgency=low default, MOBIKE, Mobile IPv6), and provides better error messages in case the connection can not be established. It is therefore highly recommended to use it when the other side also supports it. + + Addtionally, strongswan 4.5.0-1 now enables support for NAT Traversal in + combination with IPsec transport mode (the support for this has existed + for a long time, but was disabled due to security concerns). This is + required e.g. to let mobile phone clients (notably Android, iPhone) + connect to an L2TP/IPsec gateway using strongswan. The security + implications as described in the original README.NAT-Traversal file from + the openswan distribution are: + + * Transport Mode can't be used without NAT in the IPSec layer. Otherwise, + all packets for the NAT device (including all hosts behind it) would be + sent to the NAT-T Client. This would create a sort of blackhole between + the peer which is not behind NAT and the NAT device. + + * In Tunnel Mode with roadwarriors, we CAN'T accept any IP address, + otherwise, an evil roadwarrior could redirect all trafic for one host + (including a host on the private network) to himself. That's why, you have + to specify the private IP in the configuration file, use virtual IP + management, or DHCP-over-IPSec. -- Rene Mayrhofer <rmayr@debian.org> Sun, 28 Nov 2010 13:16:00 +0200 |
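Review bot: the added NEWS paragraph states that NAT Traversal in transport mode "was disabled due to security concerns" and then quotes two caveats from openswan's README.NAT-Traversal, but it never says what in strongswan 4.5.0-1 makes enabling it acceptable now, whether the first caveat ("Transport Mode can't be used without NAT in the IPSec layer") is enforced by the daemon or left to the administrator, or how an administrator who does not want the feature can keep it off; one or two sentences covering those points would make the entry actionable for the L2TP/IPsec gateway operators it is aimed at. Minor: "Addtionally" should be "Additionally", "trafic" should be "traffic", and "IPSec" in the quoted bullets differs from "IPsec" used earlier in the same entry, which is fine if the bullets are kept as a verbatim quote but should then be presented as one.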