On Mon, 28 Aug 2017, Whit Blauvelt wrote:

https://libreswan.org/wiki/Interoperability

Not working yet. I get these notices in syslog:

Aug 28 ... ipsec_starter[2678]: Warning: ignored obsolete keyword 'nat_traversal'
Aug 28 ... ipsec_starter[2678]: Warning: obsolete keyword 'forceencaps' ignored

That page says "last modified on 12 April 2017," but apparently the advice
on using those two keywords has expired. This is with libreswan-3.21.

If I spend the time digging around no doubt I can discover why those
keywords have been thrown on the trash pile, and what to do to get to the
same functionality. But it seems odd to have a term as useful and basic as
"nat_traversal" gone missing, and nothing obvious on the wiki discussing
this brave new world without it.

Can someone point me in the right direction?

NAT Traversal was an IKEv1 addon. In IKEv2 it is part of the core
specification. Therefore, libreswan no longer runs with nat_traversal=no
and always enables it. The keyword is fully ignored.

forceencaps=yes|no has been replaced with encapsulation=auto|yes|no and
their functionality is slightly different. You should manually upgrade
your setting. If you had forceencaps=yes, you will probably want
encapsulation=yes, otherwise encapsulation=no. Note that
encapsulation=no will cause no encapsulation even if NAT-T detection
showed it should be used.

I have updated the wiki page. Thanks for letting us know.

Paul
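
The keyword changes described in the reply above, applied to a config file. This is an added example, not part of the original message and not libreswan's own tooling; the sample ipsec.conf, its addresses and the `migrate` helper are constructed for illustration.

```python
import re

# Constructed sample ipsec.conf using the two keywords from the syslog warnings.
SAMPLE = """\
config setup
    nat_traversal=yes
    protostack=netkey

conn office
    left=192.0.2.10
    right=198.51.100.20
    forceencaps=yes

conn branch
    left=192.0.2.10
    right=203.0.113.5
    forceencaps=no
"""

# An indented "key=value" option line; comment lines do not match.
KEYVAL = re.compile(r"^(\s+)(\w+)\s*=\s*(\S+)\s*$")

def migrate(text):
    """Return (new_text, notes) with the obsolete keywords handled as in the reply."""
    out, notes, section = [], [], "?"
    for n, line in enumerate(text.splitlines(), 1):
        if line.startswith(("conn ", "config ")):
            section = line.strip()
        m = KEYVAL.match(line)
        key = m.group(2).lower() if m else None
        if key == "nat_traversal":
            # Fully ignored by libreswan now, so the line is simply dropped.
            notes.append(f"line {n} [{section}]: dropped nat_traversal (ignored, always enabled)")
            continue
        if key == "forceencaps":
            # Mapping from the reply: yes -> encapsulation=yes, otherwise encapsulation=no.
            new = "yes" if m.group(3).lower() == "yes" else "no"
            line = f"{m.group(1)}encapsulation={new}"
            note = f"line {n} [{section}]: forceencaps={m.group(3)} -> encapsulation={new}"
            if new == "no":
                note += " (disables encapsulation even if NAT-T detection calls for it)"
            notes.append(note)
        out.append(line)
    return "\n".join(out) + "\n", notes

if __name__ == "__main__":
    new_text, notes = migrate(SAMPLE)
    print(new_text)
    print("\n".join(notes))
```

Review each `encapsulation=no` note before deploying the result, since that value behaves differently from the old `forceencaps=no` as the reply points out.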