Add Ability to Force NAT-T Encapsulation on IKEv2 Peers
The strongswan documentation includes:
UDP encapsulation may also be forced, even if no NAT situation is detected, by using the forceencaps and encap options in ipsec.conf and swanctl.conf, respectively. If enabled, the daemon will send a fake NAT_DETECTION_SOURCE_IP notify payload so it looks to the peer as if there is a NAT situation.
There are occasional cases where something in the path does things like limit/police ESP traffic but not UDP, among other things. It would be nice to be able to force NAT-T encapsulation on IKEv2.
#1 Updated by Jim Pingle 11 months ago
- Assignee set to Jim Pingle
- Target version set to 2.5.0
The code to handle that directive already there in the nat_traversal option but we disable that for IKEv2, looks like that was in #3979
Should be simple to turn back on, just remove the JS lines that hide/show the nat_traversal option:
The strongSwan pages don't seem to imply that doesn't work in IKEv2, so I'm not sure why we disabled them unless they didn't work at the time.
#3 Updated by Viktor Gurov 9 months ago
Jim Pingle wrote:
Applied in changeset 9c4f5b95eed5534ab797f104ad9f687359bd4818.
Tested on 2.5.0.a.20191011.1853
# grep forceencap /var/etc/ipsec/ipsec.conf forceencaps = yes