Hi Jessie,
UDP/4500 shouldn't be used if
1) MOBIKE is disabled (mobike=no)
2) No NAT situation is detected via the N(NATD_S_IP)/N(NATD_D_IP)
hash payloads.
See our strongSwan example scenario with directly connected gateways
and disabled MOBIKE:
http://www.strongswan.org/uml/testresults43/ikev2/net2net-cert/
As you can see from the log, no floating to UDP/4500 occurs:
http://www.strongswan.org/uml/testresults43/ikev2/net2net-cert/moon.daemon.log
It might be that your gateway either does not compute the
N(NATD_S_IP) and N(NATD_D_IP) values correctly or enforces
NAT traversal even without an actual NAT situation.
Regards
Andreas
Jessie Liu wrote:
> Hi,
> I do some tests with two computers connected directly. The IKE_AUTH
> message is still sent through UDP/4500. Why does this happen? ...
> thanks. ^_______^
>
> --- *09/11/13 (Fri), Andreas Steffen /<[email protected]>/*
> wrote:
>
>
> From: Andreas Steffen <[email protected]>
> Subject: Re: [strongSwan] nat traversal in ikev1 and ikev2
> To: "Jessie Liu" <[email protected]>
> Cc: [email protected]
> Date: Friday, November 13, 2009, 4:45 PM
>
> Hi Jessie,
>
> NAT traversal cannot be disabled in the IKEv2 charon daemon.
> If you don't like automatic port floating to UDP/4500 due
> to the MOBIKE protocol (RFC 4555) which happens even if no
> NAT situation exists then you can disable MOBIKE by adding
>
> mobike=no
>
> to ipsec.conf in the connection definition
>
> Regards
>
> Andreas
>
> Jessie Liu wrote:
> > Hi all, I saw in ipsec.conf that nat_traversal configuration is only
> > for IKEv1. Why is it non-configured in IKEv2? It should be optional,
> > right? If I want to disable NAT traversal in IKEv2, what should I do?
> >
> >
> > Thanks.
>
======================================================================
Andreas Steffen [email protected]
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
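
The check described in the reply above, as an added example that is not part of the original thread or of strongSwan's code: it computes the NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP data the way the IKEv2 specification (RFC 7296) defines it, SHA-1 over SPIi | SPIr | IP address | port, and derives the port on which IKE_AUTH is expected. The function names, SPI value and addresses are constructed for illustration, and `ike_auth_port` assumes both peers support MOBIKE whenever it is enabled.

```python
import hashlib
import ipaddress
import struct


def natd_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP data: SHA-1(SPIi | SPIr | IP address | port)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed  # 4 octets (IPv4) or 16 (IPv6)
    # The port is hashed as 2 octets in network byte order.
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def nat_detected(spi_i, spi_r, src, dst, natd_src_payloads, natd_dst_payload):
    """Receiver-side check. src and dst are the (ip, port) pairs taken from
    the IP/UDP header of the received packet; a peer may send several
    source payloads but only one destination payload."""
    src_ok = natd_hash(spi_i, spi_r, *src) in natd_src_payloads
    dst_ok = natd_hash(spi_i, spi_r, *dst) == natd_dst_payload
    return not (src_ok and dst_ok)


def ike_auth_port(mobike: bool, nat: bool) -> int:
    """UDP/500 only if MOBIKE is disabled and no NAT situation was detected."""
    return 4500 if (mobike or nat) else 500


def demo():
    # Constructed sample values; SPIr is zero in the first IKE_SA_INIT request.
    spi_i, spi_r = bytes.fromhex("0102030405060708"), bytes(8)
    a, b = ("192.0.2.1", 500), ("192.0.2.2", 500)
    src_p = [natd_hash(spi_i, spi_r, *a)]   # what the initiator puts on the wire
    dst_p = natd_hash(spi_i, spi_r, *b)
    direct = nat_detected(spi_i, spi_r, a, b, src_p, dst_p)
    # Same payloads, but the packet arrives from a translated address and port.
    natted = nat_detected(spi_i, spi_r, ("198.51.100.7", 1024), b, src_p, dst_p)
    return (ike_auth_port(False, direct),   # mobike=no, directly connected
            ike_auth_port(False, natted),   # mobike=no, NAT on the path
            ike_auth_port(True, direct))    # MOBIKE enabled, no NAT


if __name__ == "__main__":
    print(demo())
```

Comparing these values against the payloads in a packet capture shows whether a peer hashes the wrong address or port, which makes the other side see a NAT that is not there.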