Feature #9695

Add Ability to Force NAT-T Encapsulation on IKEv2 Peers

Added by Chris Linstruth 3 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date: 08/22/2019
Due date:
% Done: 100%
Estimated time:

Description

The strongswan documentation includes:

UDP encapsulation may also be forced, even if no NAT situation is detected, by using the forceencaps and encap options in ipsec.conf and swanctl.conf, respectively. If enabled, the daemon will send a fake NAT_DETECTION_SOURCE_IP notify payload so it looks to the peer as if there is a NAT situation.

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal

There are occasional cases where something in the path does things like limit/police ESP traffic but not UDP, among other things. It would be nice to be able to force NAT-T encapsulation on IKEv2.

Attachment: Screenshot from 2019-10-12 22-53-09.png (42.4 KB), "NAT_DETECTION_SOURCE_IP on P1 init", added by Viktor Gurov, 10/12/2019 02:56 PM

Associated revisions

Revision 9c4f5b95 (diff)
Added by Jim Pingle 3 months ago

Allow NAT-T to be set with IKEv2. Fixes #9695

Revision b404e665 (diff)
Added by Jim Pingle 3 months ago

Allow NAT-T to be set with IKEv2. Fixes #9695

(cherry picked from commit 9c4f5b95eed5534ab797f104ad9f687359bd4818)

History

#1 Updated by Jim Pingle 3 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

The code to handle that directive is already there in the nat_traversal option, but we disable that for IKEv2; looks like that was in #3979.

Should be simple to turn back on, just remove the JS lines that hide/show the nat_traversal option:

The strongSwan pages don't seem to imply that doesn't work in IKEv2, so I'm not sure why we disabled them unless they didn't work at the time.

#2 Updated by Jim Pingle 3 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

#3 Updated by Viktor Gurov about 1 month ago

Jim Pingle wrote:

Applied in changeset 9c4f5b95eed5534ab797f104ad9f687359bd4818.

Tested on 2.5.0.a.20191011.1853

# grep forceencap /var/etc/ipsec/ipsec.conf
forceencaps = yes

Works, Resolved
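An added check (example code, not part of the pfSense project or this ticket) that goes a step beyond the grep above: it resolves the forceencaps value for one named conn in an ipsec.conf, honouring "conn %default" inheritance and ignoring commented-out lines, so a match in a different conn or in a stale comment does not give a false positive. It assumes plain ipsec.conf section syntax and does not follow "also=" includes.

```shell
#!/bin/sh
# Added example, not pfSense project code: report whether a given conn in a
# strongSwan ipsec.conf really ends up with forced UDP encapsulation.
# A bare "grep forceencaps" also matches other conns, %default-only settings
# and commented-out lines; this resolves the value per conn, honouring
# "conn %default" inheritance. "also=" includes are not followed (assumption).

# Usage: forceencaps_enabled <conn name> < ipsec.conf
# Prints "yes" when forceencaps is in effect for that conn, otherwise "no".
forceencaps_enabled() {
    awk -v want="$1" '
        /^[^ \t#]/ {                          # section header at column 1
            section = ($1 == "conn") ? $2 : ""   # only conn sections matter
            next
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comment or blank line
        section != "" {
            line = $0
            sub(/[ \t]*#.*$/, "", line)       # drop a trailing comment
            i = index(line, "=")
            if (i == 0) next
            key = substr(line, 1, i - 1); val = substr(line, i + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            if (key == "forceencaps") {
                if (section == "%default") def = val
                else if (section == want) own = val
            }
        }
        END {
            v = (own != "") ? own : def       # conn-level setting beats %default
            if (v == "yes") print "yes"; else print "no"
        }'
}

# Constructed sample ipsec.conf (not a real pfSense-generated file).
sample='conn %default
  keyexchange = ikev2

conn con1
  left = 192.0.2.1
  right = 198.51.100.1
  forceencaps = yes

conn con2
  right = 203.0.113.1
  # forceencaps = yes'

printf '%s\n' "$sample" | forceencaps_enabled con1   # prints: yes
printf '%s\n' "$sample" | forceencaps_enabled con2   # prints: no
```

Run it against the live file with `forceencaps_enabled con1 < /var/etc/ipsec/ipsec.conf`, using the conn name pfSense generated for the tunnel.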

#4 Updated by Jim Pingle about 1 month ago

  • Status changed from Feedback to Resolved
