Feature #9695

closed

Add Ability to Force NAT-T Encapsulation on IKEv2 Peers

Added by Chris Linstruth over 5 years ago. Updated almost 5 years ago.

Status: Resolved
Priority: Normal
Category: IPsec
Start date: 08/22/2019
% Done: 100%

Description

The strongSwan documentation includes:

UDP encapsulation may also be forced, even if no NAT situation is detected, by using the forceencaps and encap options in ipsec.conf and swanctl.conf, respectively. If enabled, the daemon will send a fake NAT_DETECTION_SOURCE_IP notify payload so it looks to the peer as if there is a NAT situation.

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal

There are occasional cases where something in the path does things like limit/police ESP traffic but not UDP, among other things. It would be nice to be able to force NAT-T encapsulation on IKEv2.
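The NAT detection check that the quoted documentation relies on, as an added example (not part of the original ticket, and not strongSwan or pfSense code). It follows RFC 7296 section 2.23, where the NAT_DETECTION_SOURCE_IP data is a SHA-1 digest of the SPIs, source IP and source port; the function names, SPI and addresses are constructed for illustration, and using random bytes as the fake payload is an assumption.

```python
import hashlib
import ipaddress
import os
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 section 2.23: SHA-1 over SPIi | SPIr | IP address | port."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets (IPv4) or 16 (IPv6)
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def peer_sees_nat(notify_hashes, spi_i, spi_r, observed_ip, observed_port) -> bool:
    """Receiver side: NAT is assumed when no received hash matches the
    source address and port actually seen on the packet."""
    expected = nat_detection_hash(spi_i, spi_r, observed_ip, observed_port)
    return expected not in notify_hashes


def source_ip_notify(spi_i, spi_r, local_ip, local_port, force_encap=False) -> bytes:
    """Sender side. With forced encapsulation the payload is deliberately
    not the real hash. Random bytes are this example's assumption; the
    quoted documentation only says the payload is fake."""
    if force_encap:
        return os.urandom(20)
    return nat_detection_hash(spi_i, spi_r, local_ip, local_port)


# Constructed sample values (documentation address range, made-up SPI).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)  # responder SPI is zero in the first IKE_SA_INIT request
SRC_IP, SRC_PORT = "192.0.2.10", 500

if __name__ == "__main__":
    for forced in (False, True):
        payload = source_ip_notify(SPI_I, SPI_R, SRC_IP, SRC_PORT, forced)
        nat = peer_sees_nat([payload], SPI_I, SPI_R, SRC_IP, SRC_PORT)
        print(f"force_encap={forced}: peer detects NAT={nat}")
```

With no NAT in the path the honest hash matches and the peers stay on plain ESP; the fake payload fails the comparison, so the peer treats the path as NATed and UDP encapsulation is used.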


Files

Screenshot from 2019-10-12 22-53-09.png (42.4 KB): NAT_DETECTION_SOURCE_IP on P1 init. Viktor Gurov, 10/12/2019 02:56 PM