Feature #9695: Add Ability to Force NAT-T Encapsulation on IKEv2 Peers - pfSense - pfSense bugtracker

Actions

Copy link

Feature #9695

closed

Add Ability to Force NAT-T Encapsulation on IKEv2 Peers

Added by Chris Linstruth over 4 years ago. Updated over 4 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

IPsec

Target version:

2.4.5

Start date:

08/22/2019

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Description

The strongswan documentation includes:

UDP encapsulation may also be forced, even if no NAT situation is detected, by using the forceencaps and encap options in ipsec.conf and swanctl.conf, respectively. If enabled, the daemon will send a fake NAT_DETECTION_SOURCE_IP notify payload so it looks to the peer as if there is a NAT situation.

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal

There are occasional cases where something in the path does things like limit/police ESP traffic but not UDP, among other things. It would be nice to be able to force NAT-T encapsulation on IKEv2.

Files

Screenshot from 2019-10-12 22-53-09.png (42.4 KB) Screenshot from 2019-10-12 22-53-09.png

NAT_DETECTION_SOURCE_IP on P1 init

Viktor Gurov, 10/12/2019 02:56 PM

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Assignee set to Jim Pingle
Target version set to 2.5.0

The code to handle that directive already there in the nat_traversal option but we disable that for IKEv2, looks like that was in #3979

Should be simple to turn back on, just remove the JS lines that hide/show the nat_traversal option:

The strongSwan pages don't seem to imply that doesn't work in IKEv2, so I'm not sure why we disabled them unless they didn't work at the time.

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from New to Feedback
% Done changed from 0 to 100

Applied in changeset 9c4f5b95eed5534ab797f104ad9f687359bd4818.

Actions

Copy link

Updated by Viktor Gurov over 4 years ago

File Screenshot from 2019-10-12 22-53-09.png Screenshot from 2019-10-12 22-53-09.png added

Jim Pingle wrote:

Applied in changeset 9c4f5b95eed5534ab797f104ad9f687359bd4818.

Tested on 2.5.0.a.20191011.1853

# grep forceencap /var/etc/ipsec/ipsec.conf
forceencaps = yes

Works, Resolved

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from Feedback to Resolved

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Target version changed from 2.5.0 to 2.4.5

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from Resolved to Feedback

Needs checked and/or tested again on 2.4.5 snapshots

Actions

Copy link

Updated by Chris Linstruth over 4 years ago

Looks good in 2.4.5: WAN udp 172.25.228.9:4500 -> 172.25.228.13:4500 MULTIPLE:MULTIPLE 29 / 29 3 KiB / 3 KiB

Actions

Copy link

Updated by Jim Pingle over 4 years ago

Status changed from Feedback to Resolved

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Feature #9695

Add Ability to Force NAT-T Encapsulation on IKEv2 Peers

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Viktor Gurov over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Chris Linstruth over 4 years ago

Updated by Jim Pingle over 4 years ago