Bug #3979: 2.2 IPsec NAT-T / MOBIKE IKEv2 control - pfSense - pfSense bugtracker

Custom queries

2.4.5-p1 - Resolved/Closed
2.5.0 - Resolved/Closed
2.5.1 - Resolved/Closed
2.5.2 - Resolved/Closed
2.6.0 - Resolved/Closed
2.7.0 - Resolved/Closed
2.7.1 - All Open Issues
2.7.1 - Resolved/Closed
2.7.2 - Resolved/Closed
2.8.0 - All Open Bugs
2.8.0 - All Open Features
2.8.0 - All Open Issues
2.8.0 - All Open Regressions
2.8.0 - Feedback
2.8.0 - Needs Attention
2.8.0 - New/Confirmed
2.8.0 - Pull Requests
2.8.0 - Regressions affecting 2.7.0
2.8.0 - Resolved/Closed
21.02.2/2.5.1 - Resolved/Closed
21.05 Plus - All Closed Issues
21.05.1 Plus Target - All Closed Issues
21.05.1 Target - All Closed Issues
22.01 Plus - All Closed Issues
22.01 Target - All Closed Issues
22.05 Plus - All Closed Issues
22.05 Target - All Closed Issues
23.01 Plus - All Closed Issues
23.01 Target - All Closed Issues
23.05 Plus - All Closed Issues
23.05 Target - All Closed Issues
23.05.1 Plus - All Closed Issues
23.05.1 Target - All Closed Issues
23.09 Plus - All Closed Issues
23.09 Target - All Closed Issues
23.09.1 Plus - All Closed Issues
23.09.1 Target - All Closed Issues
24.03 Plus - All Closed Issues
24.03 Target - All Closed Issues
24.11 Plus - All Closed Issues
24.11 Plus - All Open Issues
24.11 Plus - Feedback Issues
24.11 Plus - Needs Attention/Work
24.11 Plus - New/Confirmed/In Progress Issues
24.11 Target - All Closed Issues
24.11 Target - All Open Issues
25.01 Plus - All Closed Issues
25.01 Plus - All Open Issues
25.01 Plus - Feedback Issues
25.01 Plus - Needs Attention/Work
25.01 Plus - New/Confirmed/In Progress Issues
25.01 Plus - Pull Request Review
25.01 Plus - Waiting on Merge
25.01 Target - All Closed Issues
25.01 Target - All Open Issues
All Open Issues assigned to Me
All Open Pull Requests
Any Target - All Open Regressions
Any Target - Feedback Issues
CE-Next - All Closed Issues (Move to specific target)
CE-Next - All Open Issues
CE-Next - Feedback (Likely needs target changed)
New Issues by Category - Future Target
New Issues by Category - No Target
New Issues by Category - No Target+Future
No Target - All Open Issues (Base Only)
No Target - New Issues (Base Only)
No Target - New Issues (Base and Packages)
Release Notes - Plus Target Version (DO NOT EDIT)
Release Notes - Target Version (DO NOT EDIT)

Actions

Copy link

Bug #3979

closed

2.2 IPsec NAT-T / MOBIKE IKEv2 control

Added by Chris Buechler about 10 years ago. Updated over 9 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Chris Buechler

Category:

IPsec

Target version:

2.2.1

Start date:

11/03/2014

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.2

Affected Architecture:

Description

The enable/disable/force NAT-T settings from earlier versions don't do anything in 2.2. It appears in newer strongswan versions where charon handles IKEv1, it's not possible to disable NAT-T, it's always on by default. That's problematic, as you probably don't want NAT-T on site to site VPNs, and we've seen a number of scenarios with third party IPsec devices where forcefully disabling NAT-T is necessary for it to behave properly.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Ermal Luçi about 10 years ago

Status changed from New to Feedback

I have pushed them recently to be enforced.

The only remaining task is to remove Force from the options list because its the same as Enable.

Actions

Copy link

Updated by Chris Buechler about 10 years ago

Status changed from Feedback to Confirmed

after further review and discussion with Ermal, the code is there to set forceencaps, it just isn't setting it correctly.

Actions

Copy link

Updated by Chris Buechler about 10 years ago

% Done changed from 0 to 50

this is correct for IKEv1 after my commits earlier. Seems to be working as it should. It'll continue to work on upgraded configurations, though "disable" becomes "auto" by necessity.

There is a potential problem area in that it's not possible to disable NAT-T in strongswan (short of compiling it without it). Suspect that might hit some issues with third party devices we've seen in rare occasions in the past, where some other device wants to use NAT-T where it's not necessary.

Needs review for IKEv2, the mobike config setting is what can disable that there.

Actions

Copy link

Updated by Chris Buechler about 10 years ago

Assignee set to Chris Buechler

I'll finish this.

Actions

Copy link

Updated by Chris Buechler about 10 years ago

Subject changed from 2.2 IPsec NAT-T settings not obeyed to 2.2 IPsec NAT-T / MOBIKE IKEv2 control
Priority changed from High to Normal

really needs some javascript to remove NAT-T option where IKEv2 is selected and replace with MOBIKE control. No longer as important since nearly every real world problem case is now fixed, removing RC blocking.

Actions

Copy link