Feature #9695: Add Ability to Force NAT-T Encapsulation on IKEv2 Peers - pfSense - pfSense bugtracker

Actions

Copy link

Feature #9695

closed

Add Ability to Force NAT-T Encapsulation on IKEv2 Peers

Added by Chris Linstruth over 4 years ago. Updated over 4 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

IPsec

Target version:

2.4.5

Start date:

08/22/2019

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Description

The strongswan documentation includes:

UDP encapsulation may also be forced, even if no NAT situation is detected, by using the forceencaps and encap options in ipsec.conf and swanctl.conf, respectively. If enabled, the daemon will send a fake NAT_DETECTION_SOURCE_IP notify payload so it looks to the peer as if there is a NAT situation.

https://wiki.strongswan.org/projects/strongswan/wiki/NatTraversal

There are occasional cases where something in the path does things like limit/police ESP traffic but not UDP, among other things. It would be nice to be able to force NAT-T encapsulation on IKEv2.

Files

Screenshot from 2019-10-12 22-53-09.png (42.4 KB) Screenshot from 2019-10-12 22-53-09.png

NAT_DETECTION_SOURCE_IP on P1 init

Viktor Gurov, 10/12/2019 02:56 PM

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Feature #9695

Add Ability to Force NAT-T Encapsulation on IKEv2 Peers

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Viktor Gurov over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Jim Pingle over 4 years ago

Updated by Chris Linstruth over 4 years ago

Updated by Jim Pingle over 4 years ago