<p>pfSense bugtracker (https://redmine.pfsense.org/)</p>
<p>pfSense - Feature #9695: Add Ability to Force NAT-T Encapsulation on IKEv2 Peers</p>
<p><strong>Updated by Jim Pingle</strong> on 2019-08-22T12:16:27Z (https://redmine.pfsense.org/issues/9695?journal_id=42112)</p>
<ul><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.5.0</i></li></ul><p>The code to handle that directive is already there in the nat_traversal option, but we disable that for IKEv2; looks like that was in <a class="issue tracker-1 status-3 priority-4 priority-default closed" title="Bug: 2.2 IPsec NAT-T / MOBIKE IKEv2 control (Resolved)" href="https://redmine.pfsense.org/issues/3979">#3979</a>.</p>
<p>Should be simple to turn back on, just remove the JS lines that hide/show the nat_traversal option:</p>
<ul>
<li><a class="source" href="https://redmine.pfsense.org/projects/pfsense/repository/2/entry/src/usr/local/www/vpn_ipsec_phase1.php#L1034">source:src/usr/local/www/vpn_ipsec_phase1.php#L1034</a></li>
<li><a class="source" href="https://redmine.pfsense.org/projects/pfsense/repository/2/entry/src/usr/local/www/vpn_ipsec_phase1.php#L1041">source:src/usr/local/www/vpn_ipsec_phase1.php#L1041</a></li>
</ul>
<p>The strongSwan pages don't seem to imply that it doesn't work in IKEv2, so I'm not sure why we disabled them unless they didn't work at the time.</p>
<p><strong>Updated by Jim Pingle</strong> on 2019-08-27T12:55:06Z (https://redmine.pfsense.org/issues/9695?journal_id=42155)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Allow NAT-T to be set with IKEv2. Fixes #9695" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/9c4f5b95eed5534ab797f104ad9f687359bd4818">9c4f5b95eed5534ab797f104ad9f687359bd4818</a>.</p>
<p><strong>Updated by Viktor Gurov</strong> on 2019-10-12T14:58:21Z (https://redmine.pfsense.org/issues/9695?journal_id=42606)</p>
<ul><li><strong>File</strong> <a href="/attachments/2836">Screenshot from 2019-10-12 22-53-09.png</a> added</li></ul><p>Jim Pingle wrote:</p>
<blockquote>
<p>Applied in changeset <a class="changeset" title="Allow NAT-T to be set with IKEv2. Fixes #9695" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/9c4f5b95eed5534ab797f104ad9f687359bd4818">9c4f5b95eed5534ab797f104ad9f687359bd4818</a>.</p>
</blockquote>
<p>Tested on 2.5.0.a.20191011.1853</p>
<pre>
# grep forceencap /var/etc/ipsec/ipsec.conf
forceencaps = yes
</pre>
<p>Works, Resolved</p>
<p><strong>Updated by Jim Pingle</strong> on 2019-10-12T18:12:27Z (https://redmine.pfsense.org/issues/9695?journal_id=42607)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>
<p><strong>Updated by Jim Pingle</strong> on 2019-12-02T15:54:24Z (https://redmine.pfsense.org/issues/9695?journal_id=43164)</p>
<ul><li><strong>Target version</strong> changed from <i>2.5.0</i> to <i>2.4.5</i></li></ul>
<p><strong>Updated by Jim Pingle</strong> on 2019-12-05T15:12:32Z (https://redmine.pfsense.org/issues/9695?journal_id=43270)</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Feedback</i></li></ul><p>Needs checked and/or tested again on 2.4.5 snapshots</p>
<p><strong>Updated by Chris Linstruth</strong> on 2019-12-16T20:50:35Z (https://redmine.pfsense.org/issues/9695?journal_id=43427)</p>
<p>Looks good in 2.4.5:</p>
<pre>
WAN udp 172.25.228.9:4500 -> 172.25.228.13:4500 MULTIPLE:MULTIPLE 29 / 29 3 KiB / 3 KiB
</pre>
<p><strong>Updated by Jim Pingle</strong> on 2019-12-16T22:18:25Z (https://redmine.pfsense.org/issues/9695?journal_id=43428)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>