On Thu, 3 Jul 2014, Phillip Hallam-Baker wrote:
> One long term consequence of this obstructionism is that nobody actually deploys what IETF claims is the IPSEC standard. Microsoft and others implement but every company I have been at with a VPN has required use of a plug-in to get round the intentional NAT-sabotage etc.
RFC 3947 was published in 2005. I hope you are using more up to date IPsec implementations.
> At the moment a firewall can't do the right thing because it does not have the right information. Giving it the right information is a necessary but not sufficient condition to doing the right thing. This is one of the functions I support in Omnibroker. When an application wants to open an inbound or outbound network connection it makes a request to the Omnibroker which then performs the necessary configuration and supplies all the necessary information to make the service connection.
Ask how well that went for firewalld in Fedora :P

Paul