Hi Anoop,

> I would like to know, is it done purposefully, or am I doing something
> wrong with the configuration?

Yes, this is done on purpose. If a NAT is detected, strongSwan as client will not propose transport mode, but switch to tunnel mode instead. Likewise, strongSwan as gateway will not accept transport mode if a NAT is detected.

> Or is it like TRANSPORT Mode + NAT is not supported by IKEv2?

No, it is supported, but besides security concerns (see section 5.2. in RFC 3948 [1]) and the fact that RFC 4306 did not specify how exactly it is negotiated (RFC 5996 added a detailed description of the expected behavior in section 2.23.1 [2]) there is no real use case to negotiate IPsec transport mode over a NAT with IKEv2 (whereas in times of IKEv1 it was often used in combination with L2TP).

Regards,
Tobias

[1] http://tools.ietf.org/html/rfc3948#section-5.2
[2] http://tools.ietf.org/html/rfc5996#section-2.23.1
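
Added example, not part of the original message and not strongSwan code: a small Python model of IKEv2 NAT detection (the SHA-1 hashes carried in the NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifies, RFC 5996 section 2.23) followed by the mode outcome the reply describes. The function names, SPI and addresses are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i, spi_r, ip, port):
    """NAT_DETECTION_*_IP data (RFC 5996, 2.23): SHA-1(SPIi | SPIr | IP | port)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def nat_detected(spi_i, spi_r, seen_src, seen_dst, src_hashes, dst_hash):
    """Receiver: recompute both hashes from the addresses seen on the wire."""
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, *seen_src) not in src_hashes
    self_behind_nat = nat_detection_hash(spi_i, spi_r, *seen_dst) != dst_hash
    return peer_behind_nat or self_behind_nat

def select_mode(transport_requested, nat):
    """Outcome described in the reply: no transport mode once a NAT is detected."""
    return "transport" if transport_requested and not nat else "tunnel"

# Constructed sample values (documentation address ranges, made-up SPI).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)  # responder SPI is zero in the first IKE_SA_INIT message
CLIENT = ("192.168.1.10", 500)
GATEWAY = ("198.51.100.7", 500)

def negotiate(seen_src, transport_requested=True):
    """Gateway view of an IKE_SA_INIT request arriving from seen_src."""
    # The client hashed its own (pre-NAT) address and the gateway's address.
    src_hashes = [nat_detection_hash(SPI_I, SPI_R, *CLIENT)]
    dst_hash = nat_detection_hash(SPI_I, SPI_R, *GATEWAY)
    nat = nat_detected(SPI_I, SPI_R, seen_src, GATEWAY, src_hashes, dst_hash)
    return select_mode(transport_requested, nat)

if __name__ == "__main__":
    print(negotiate(CLIENT))                  # direct path
    print(negotiate(("203.0.113.5", 1024)))   # source rewritten by a NAT
```
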
