Hi Graham,

> I've looked at the "IPsecStandards" page on the wiki and ticked off
> many of the relevant wanted RFCs.

Keep in mind that this is not a list we claim to support, but a list of standards we work with. We support most of them in a certain way, but some not at all yet (e.g. 4806, 5282, 5448 and the multicast standards are not supported).

> rfc2709: Security Model with Tunnel-mode IPsec for NAT Domains

If I understand correctly, this one talks about using a router doing NAT as an IKE/IPsec endpoint. I can't say anything about compatibility, as it includes other components (i.e. Netfilter on Linux). But probably it is doable to implement a compatible device using strongSwan and the required Netfilter rules.

> rfc3715: IPsec-Network Address Translation (NAT) Compatibility

This one talks about problems that NAT introduces to IPsec with IKEv1 in mind. IKEv2 solves most of the problems mentioned. Others are worked around by strongSwan (i.e. we do not set up transport mode SAs over NAT to avoid issues with it).

> These look like ancient, IPsecv2/IKEv1 informational/optional texts to me.

The latter, probably yes.

> Can we state that strongSwan complies with them?

I don't think 3715 has any requirements of value these days (it mainly enumerates the problems), but I think we have most of them worked around by the IKEv2 protocol or our implementation.

> Or, should we assert that these are obsolete and not relevant?

Is 2709 relevant for your scenario at all?

Sorry for not having a yes/no answer to these standards, but I have actually never heard of them and they do not look that relevant to me.

Regards
Martin
