> The fact that something can be worked around with enough
> footwork really doesn't make it okay.
Sure. Neither is it ok for VPN vendors to pretend as if NAT wasn't a part
of daily life and reality.
> Consider the congestion related behavior of TCP inside TCP.
> Consider the additional per-packet overhead of TCP encap, and
> the effect of the additional fragmentation that will happen
> since few networks will pass datagrams over 1500 bytes.
So? So fragmentation will happen. Look at all the existing DSL etc.
infrastructures where you do have to live with MTU molestations. Frag
happens. So what. It still works nicely.
What are we gonna do next? Whine about broken PMTUD?
> If network operators had demanded IPv6 in the past far more
> products today would be enabled and the 'upgrades are
> expensive' argument would be moot. Simply passing the buck
> to the customer is not a globally wise solution.
Sure.
Simply ignoring present reality isn't a globally wise solution. Hence we
have broken VPN products incapable of dealing with NAT. Some are capable of
dealing with NAT just fine, and are readily available. Enough said.
VPN vendors incapable of dealing with NAT (which is really a quite simple
fix, totally independent of the NAT box) should be terminated with extreme
prejudice.
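The exchange above argues about per-packet encapsulation overhead and the fragmentation a tunnel causes on a 1500-byte path. The following script is an added example, not code from either poster; it models how an outer TCP or UDP encapsulation (header sizes are the standard IPv4/TCP/UDP minimums; the two encapsulation profiles are constructed assumptions) pushes full-size inner packets over the path MTU, how many IP fragments result, and what MSS a tunnel endpoint would clamp to so that no fragmentation is needed. The wire-cost comparison for a 1 MB transfer is the practitioner's check: clamping MSS costs a few more segments but removes every fragment.

```python
import math
from dataclasses import dataclass

# Standard minimum header sizes (no IP or TCP options).
IPV4_HDR = 20
TCP_HDR = 20
UDP_HDR = 8
ETH_MTU = 1500  # the 1500-byte path mentioned in the thread


@dataclass(frozen=True)
class Encap:
    """Bytes the tunnel adds outside the inner IP packet (assumed profile)."""
    name: str
    overhead: int


# Constructed encapsulation profiles, not taken from any real product.
TCP_TUNNEL = Encap("tcp-over-tcp", IPV4_HDR + TCP_HDR)            # 40 bytes
UDP_TUNNEL = Encap("udp-encapsulated (NAT-friendly)", IPV4_HDR + UDP_HDR)  # 28 bytes


def outer_size(inner_packet: int, encap: Encap) -> int:
    """Size of the outer IP packet carrying one inner packet."""
    return inner_packet + encap.overhead


def fragments_needed(inner_packet: int, encap: Encap, path_mtu: int = ETH_MTU) -> int:
    """IPv4 fragments produced when the outer packet exceeds the path MTU.

    Each fragment carries its own IP header, and fragment payloads must be
    multiples of 8 bytes (except the last), so payload per fragment is
    (path_mtu - 20) rounded down to a multiple of 8.
    """
    outer = outer_size(inner_packet, encap)
    if outer <= path_mtu:
        return 1
    payload_per_frag = (path_mtu - IPV4_HDR) // 8 * 8
    return math.ceil((outer - IPV4_HDR) / payload_per_frag)


def clamped_mss(encap: Encap, path_mtu: int = ETH_MTU) -> int:
    """Largest inner TCP payload that keeps the outer packet within path_mtu.

    This is the value an MSS-clamping rule on the tunnel endpoint would use.
    """
    return path_mtu - encap.overhead - IPV4_HDR - TCP_HDR


def wire_cost(payload_total: int, encap: Encap, inner_mss: int) -> tuple[int, int]:
    """Bytes on the wire and IP packets emitted to move payload_total bytes.

    Inner segments are sized by inner_mss; any outer packet over the MTU is
    fragmented, which adds one extra IP header per additional fragment.
    """
    remaining = payload_total
    wire_bytes = 0
    ip_packets = 0
    while remaining > 0:
        seg = min(inner_mss, remaining)
        inner = seg + IPV4_HDR + TCP_HDR
        frags = fragments_needed(inner, encap)
        wire_bytes += outer_size(inner, encap) + (frags - 1) * IPV4_HDR
        ip_packets += frags
        remaining -= seg
    return wire_bytes, ip_packets


if __name__ == "__main__":
    for encap in (TCP_TUNNEL, UDP_TUNNEL):
        unclamped = wire_cost(1_000_000, encap, 1460)          # default Ethernet MSS
        clamped = wire_cost(1_000_000, encap, clamped_mss(encap))
        print(f"{encap.name}: full-size inner packet -> "
              f"{fragments_needed(1500, encap)} fragments; clamp MSS to {clamped_mss(encap)}")
        print(f"  1 MB unclamped: {unclamped[0]} bytes / {unclamped[1]} IP packets")
        print(f"  1 MB clamped:   {clamped[0]} bytes / {clamped[1]} IP packets")
```

The numbers show the shape of the argument rather than settle it: the TCP-over-TCP profile adds 40 bytes per packet and splits every full-size inner packet into two fragments, while clamping the MSS to 1420 removes the fragments entirely and even reduces total bytes on the wire. The congestion interaction of TCP-inside-TCP (retransmissions of the inner and outer layers compounding) is not modelled here; it is a separate effect from the overhead counted above.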