Project

General

Profile

Actions
Copy link

Bug #3979

closed

2.2 IPsec NAT-T / MOBIKE IKEv2 control

Added by Chris Buechler over 9 years ago. Updated about 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Chris Buechler
Category:
IPsec
Target version:
2.2.1
Start date:
11/03/2014
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.2
Affected Architecture:

Description

The enable/disable/force NAT-T settings from earlier versions don't do anything in 2.2. It appears in newer strongswan versions where charon handles IKEv1, it's not possible to disable NAT-T, it's always on by default. That's problematic, as you probably don't want NAT-T on site to site VPNs, and we've seen a number of scenarios with third party IPsec devices where forcefully disabling NAT-T is necessary for it to behave properly.

Actions
Copy link
 #1

Updated by Ermal Luçi over 9 years ago

  • Status changed from New to Feedback

I have pushed them recently to be enforced.

The only remaining task is to remove Force from the options list because its the same as Enable.

Actions
Copy link
 #2

Updated by Chris Buechler over 9 years ago

  • Status changed from Feedback to Confirmed

after further review and discussion with Ermal, the code is there to set forceencaps, it just isn't setting it correctly.

Actions
Copy link
 #3

Updated by Chris Buechler over 9 years ago

  • % Done changed from 0 to 50

this is correct for IKEv1 after my commits earlier. Seems to be working as it should. It'll continue to work on upgraded configurations, though "disable" becomes "auto" by necessity.

There is a potential problem area in that it's not possible to disable NAT-T in strongswan (short of compiling it without it). Suspect that might hit some issues with third party devices we've seen in rare occasions in the past, where some other device wants to use NAT-T where it's not necessary.

Needs review for IKEv2, the mobike config setting is what can disable that there.

Actions
Copy link
 #4

Updated by Chris Buechler over 9 years ago

  • Assignee set to Chris Buechler

I'll finish this.

Actions
Copy link
 #5

Updated by Chris Buechler over 9 years ago

  • Subject changed from 2.2 IPsec NAT-T settings not obeyed to 2.2 IPsec NAT-T / MOBIKE IKEv2 control
  • Priority changed from High to Normal

really needs some javascript to remove NAT-T option where IKEv2 is selected and replace with MOBIKE control. No longer as important since nearly every real world problem case is now fixed, removing RC blocking.

Actions
Copy link
 #6

Updated by Chris Buechler over 9 years ago

  • Target version changed from 2.2 to 2.2.1

this is fine as is for now, will revisit for 2.2.1

Actions
Copy link
 #7

Updated by Chris Buechler about 9 years ago

  • Status changed from Confirmed to Feedback

this should all be addressed now, needs review and further testing.

Actions
Copy link
 #8

Updated by Chris Buechler about 9 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 50 to 100

fixed

Actions
Copy link

Also available in: Atom PDF