I've got an iPhone 7 Plus, running the latest version of iOS (11.4.1).
Our VPN at work is provided by a Cisco Meraki device, which is IPv4 only. The VPN uses L2TP over IPsec. It's configured and works fine on my phone if I'm connected via WiFi to an IPv4 network, but it won't connect when I'm on the T-Mobile LTE network, which is IPv6 only.
The question is: is this a fundamental limitation of IPv6 only, or is this a problem with T-Mobile's network? When I try to ping an IPv4-only address (either the address of our VPN server, or Google's public DNS at 220.127.116.11) while connected to the T-Mobile IPv6-only network, it works — T-Mobile seems to map the IPv4 address, presumably using NAT64, into its IPv6 network.
This RFC suggests that IPsec won't work over NAT64 translation, but it was written back in 2014 — maybe someone has improved NAT64 since then? A newer (2016) RFC 7915 says that while IPsec AH won't work, IPsec ESP over UDP can and should. Can anyone confirm that T-Mobile's NAT64 implementation can handle IPsec ESP over UDP?
In any case, the problem at user-level is that T-Mobile's network can't support access to my company's VPN, which works over other internet connections. Will T-Mobile attempt to fix this?
Best answer by smplyunprdctble
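The question's ping observation (an IPv4-only host is reachable from an IPv6-only network) is exactly what NAT64 plus DNS64 produces. A practitioner wanting to confirm that, and to learn which prefix the carrier embeds IPv4 addresses in, would use the RFC 7050 discovery trick: query AAAA for `ipv4only.arpa`, whose only real records are the A records 192.0.0.170 and 192.0.0.171; a DNS64 resolver synthesises AAAA answers that embed one of those two addresses inside the NAT64 prefix. The following is an added example, not code from the original post or from T-Mobile; it handles only the RFC 6052 /96 layout (IPv4 in the low 32 bits), which is the layout the well-known prefix 64:ff9b::/96 uses. The AAAA answers and the VPN server address 192.0.2.10 (a documentation address) are constructed sample input; real answers would come from `dig AAAA ipv4only.arpa` on the cellular connection.

```python
import ipaddress

# RFC 7050: ipv4only.arpa has exactly these two A records. A DNS64 resolver
# on a NAT64 network returns AAAA records embedding one of them.
IPV4ONLY_ARPA_ADDRS = (
    ipaddress.IPv4Address("192.0.0.170"),
    ipaddress.IPv4Address("192.0.0.171"),
)

# RFC 6052 well-known prefix; carriers may use a network-specific one instead.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def discover_nat64_prefix(aaaa_answers):
    """Return the NAT64 /96 prefix embedded in AAAA answers for ipv4only.arpa,
    or None when the answers show no DNS64 synthesis (dual stack: no AAAA at
    all; or AAAA records that do not embed the two known addresses, which
    RFC 7050 says to ignore)."""
    for answer in aaaa_answers:
        addr = ipaddress.IPv6Address(answer)
        embedded = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
        if embedded in IPV4ONLY_ARPA_ADDRS:
            prefix_bits = (int(addr) >> 32) << 32   # clear the low 32 bits
            return ipaddress.IPv6Network((prefix_bits, 96))
    return None


def synthesize(prefix, ipv4):
    """RFC 6052 /96 embedding: the IPv6 address a NAT64 network uses to reach
    an IPv4-only host (this is what the phone actually pings)."""
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))
    )


def extract_ipv4(addr6, prefix):
    """Inverse of synthesize(): recover the IPv4 destination from a translated
    address, or None if the address is not inside the NAT64 prefix."""
    addr = ipaddress.IPv6Address(addr6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed sample: what a DNS64 resolver using the well-known prefix
    # would answer for 'dig AAAA ipv4only.arpa'.
    sample_answers = ["64:ff9b::c000:aa", "64:ff9b::c000:ab"]
    prefix = discover_nat64_prefix(sample_answers)
    print("NAT64 prefix:", prefix)
    if prefix is not None:
        # Constructed VPN server address (RFC 5737 documentation range).
        vpn6 = synthesize(prefix, "192.0.2.10")
        print("VPN server as seen from the IPv6-only network:", vpn6)
        print("Recovered IPv4:", extract_ipv4(vpn6, prefix))
    # Dual-stack network: ipv4only.arpa has no AAAA records, so no NAT64.
    print("Dual stack:", discover_nat64_prefix([]))
```

If the discovered prefix is not 64:ff9b::/96, the translator is using a network-specific prefix, which is still a plain /96 here; either way the ESP/AH question in the post is about what the translator does with the IP payload, not about the addressing, so this check only establishes that NAT64 is in the path, not that IPsec survives it.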