Project

General

Profile

Actions
Copy link

Feature #9695

closed

Add Ability to Force NAT-T Encapsulation on IKEv2 Peers

Added by Chris Linstruth over 5 years ago. Updated almost 5 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Jim Pingle
Category:
IPsec
Target version:
2.4.5
Start date:
08/22/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

The strongswan documentation includes:

UDP encapsulation may also be forced, even if no NAT situation is detected, by using the forceencaps and encap options in ipsec.conf and swanctl.conf, respectively. If enabled, the daemon will send a fake NAT_DETECTION_SOURCE_IP notify payload so it looks to the peer as if there is a NAT situation.

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal

There are occasional cases where something in the path does things like limit/police ESP traffic but not UDP, among other things. It would be nice to be able to force NAT-T encapsulation on IKEv2.

Files

Screenshot from 2019-10-12 22-53-09.png (42.4 KB) Screenshot from 2019-10-12 22-53-09.png NAT_DETECTION_SOURCE_IP on P1 init Viktor Gurov, 10/12/2019 02:56 PM
Actions
Copy link
 #1

Updated by Jim Pingle over 5 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

The code to handle that directive already there in the nat_traversal option but we disable that for IKEv2, looks like that was in #3979

Should be simple to turn back on, just remove the JS lines that hide/show the nat_traversal option:

The strongSwan pages don't seem to imply that doesn't work in IKEv2, so I'm not sure why we disabled them unless they didn't work at the time.

Actions
Copy link
 #2

Updated by Jim Pingle over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100
Actions
Copy link
 #3

Updated by Viktor Gurov about 5 years ago

Jim Pingle wrote:

Applied in changeset 9c4f5b95eed5534ab797f104ad9f687359bd4818.

Tested on 2.5.0.a.20191011.1853

# grep forceencap /var/etc/ipsec/ipsec.conf
forceencaps = yes

Works, Resolved

Actions
Copy link
 #4

Updated by Jim Pingle about 5 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link
 #5

Updated by Jim Pingle about 5 years ago

  • Target version changed from 2.5.0 to 2.4.5
Actions
Copy link
 #6

Updated by Jim Pingle almost 5 years ago

  • Status changed from Resolved to Feedback

Needs checked and/or tested again on 2.4.5 snapshots

Actions
Copy link
 #7

Updated by Chris Linstruth almost 5 years ago

Looks good in 2.4.5: WAN udp 172.25.228.9:4500 -> 172.25.228.13:4500 MULTIPLE:MULTIPLE 29 / 29 3 KiB / 3 KiB

Actions
Copy link
 #8

Updated by Jim Pingle almost 5 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF