2.2 IPsec NAT-T / MOBIKE IKEv2 control
The enable/disable/force NAT-T settings from earlier versions don't do anything in 2.2. It appears in newer strongswan versions where charon handles IKEv1, it's not possible to disable NAT-T, it's always on by default. That's problematic, as you probably don't want NAT-T on site to site VPNs, and we've seen a number of scenarios with third party IPsec devices where forcefully disabling NAT-T is necessary for it to behave properly.
Restore 3 values back on NAT-T settings Just Enable now its Auto as per strongswan default. and off disabled mobike. Ticket #3979
Add GUI control for MOBIKE. Hide it when IKEv1 selected. Enable toggling of NAT-T field display so it's on for IKEv1, off for IKEv2. Do same for reauth while here. Ticket #3979
#3 Updated by Chris Buechler about 5 years ago
- % Done changed from 0 to 50
this is correct for IKEv1 after my commits earlier. Seems to be working as it should. It'll continue to work on upgraded configurations, though "disable" becomes "auto" by necessity.
There is a potential problem area in that it's not possible to disable NAT-T in strongswan (short of compiling it without it). Suspect that might hit some issues with third party devices we've seen in rare occasions in the past, where some other device wants to use NAT-T where it's not necessary.
Needs review for IKEv2, the mobike config setting is what can disable that there.
#5 Updated by Chris Buechler about 5 years ago
- Subject changed from 2.2 IPsec NAT-T settings not obeyed to 2.2 IPsec NAT-T / MOBIKE IKEv2 control
- Priority changed from High to Normal
- Affected Documentation 0 added
- Affected Documentation deleted (