Mukesh, I believe the idea is that for IPv6, NAT will not be needed (that's the beauty of having so much address space!).
Technically, sure, you could NAT IPv6. But why?

/Ryan

From: Mukesh Yadav <[email protected]>
Date: Wednesday, April 15, 2015 at 9:56 AM
To: "[email protected]" <[email protected]>
Subject: [strongSwan] Query reg UDP encapsulation for IPv6

Hi,

My question is more towards the IKEv2 standard rather than strongSwan explicitly.

UDP encapsulation is used for NAT traversal (NAT-T) in IPsec for both ESP and IKE. RFC 5996 says that even if NAT-T is not detected, sending IKE/ESP on 4500 is optional, but receiving should be handled. RFC 5666 reference:

"When either side is using port 4500, sending ESP with UDP encapsulation is not required, but understanding received UDP-encapsulated ESP packets is required."

Having said that, this is all fine for IPv4, but for IPv6, is it possible that NAT-T is not detected and still IKE/ESP exchanges are done on port 4500 as UDP encapsulated?

One reference from the RFC I can find is below, which says that IKE/ESP can always be on port 4500 even if NAT is not detected, but it is not clear whether the same is applicable for IPv6 as well:

"IKEv2 will use UDP encapsulation of IKE and ESP packets. This encoding is slightly less efficient but is easier for NATs to process. In addition, firewalls may be configured to pass UDP-encapsulated IPsec traffic but not plain, unencapsulated ESP/AH or vice versa."

Any opinion or suggestion on the same will be appreciated.

Thanks
Mukesh
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
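The two mechanisms the thread turns on, NAT detection in IKE_SA_INIT and the port 4500 demultiplexing that makes "understanding received UDP-encapsulated ESP" possible, are shown below as an added example. This is illustrative code written for this page, not strongSwan's implementation and not part of the original thread. It follows RFC 5996 section 2.23 (NAT_DETECTION_* data is a SHA-1 over SPIi | SPIr | address | port) and RFC 3948 (four-zero-octet non-ESP marker for IKE on 4500, one-octet 0xFF keepalive, non-zero ESP SPI). The addresses, ports and SPIs are constructed from documentation ranges. The point it makes beyond the quoted RFC text: the hash takes the raw address bytes, 4 for IPv4 and 16 for IPv6, so detection works identically for IPv6, and the 4500 demux does not depend on whether a NAT was detected at all.

```python
"""NAT detection (RFC 5996 2.23) and port 4500 demultiplexing (RFC 3948).
Added illustration for the thread above; not strongSwan code."""
import hashlib
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prepended to IKE messages sent on port 4500
NAT_KEEPALIVE = b"\xff"                 # one-octet NAT-keepalive (RFC 3948 2.3)


def natd_hash(spi_i: bytes, spi_r: bytes, addr: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | address | port: the data of the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifies.
    The address is hashed as raw bytes (4 for IPv4, 16 for IPv6), so the
    same computation serves both address families."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    ip_bytes = ipaddress.ip_address(addr).packed
    return hashlib.sha1(spi_i + spi_r + ip_bytes + struct.pack("!H", port)).digest()


def build_natd_payloads(spi_i, spi_r, src_addr, src_port, dst_addr, dst_port):
    """Sender side: hashes of the addresses/ports as the sender itself sees them."""
    return {
        "NAT_DETECTION_SOURCE_IP": natd_hash(spi_i, spi_r, src_addr, src_port),
        "NAT_DETECTION_DESTINATION_IP": natd_hash(spi_i, spi_r, dst_addr, dst_port),
    }


def check_natd(spi_i, spi_r, payloads, observed_src_addr, observed_src_port,
               local_addr, local_port):
    """Receiver side: recompute the hashes over what actually arrived on the wire.
    SOURCE mismatch -> the peer is behind a NAT (its address/port was rewritten).
    DESTINATION mismatch -> this host is behind a NAT.
    Returns (peer_behind_nat, local_behind_nat)."""
    seen_src = natd_hash(spi_i, spi_r, observed_src_addr, observed_src_port)
    seen_dst = natd_hash(spi_i, spi_r, local_addr, local_port)
    return (seen_src != payloads["NAT_DETECTION_SOURCE_IP"],
            seen_dst != payloads["NAT_DETECTION_DESTINATION_IP"])


def classify_port4500(udp_payload: bytes):
    """Demultiplex one UDP datagram received on port 4500. A receiver must accept
    UDP-encapsulated ESP here whether or not a NAT was detected.
    Returns (kind, spi); spi is only set for ESP."""
    if udp_payload == NAT_KEEPALIVE:
        return ("nat-keepalive", None)
    if udp_payload[:4] == NON_ESP_MARKER:
        return ("ike", None)            # IKE header follows the 4-octet marker
    if len(udp_payload) >= 8:           # ESP: SPI (4) + sequence number (4) at minimum
        spi = struct.unpack("!I", udp_payload[:4])[0]
        return ("esp", spi)             # RFC 3948 forbids SPI 0 so this demux is unambiguous
    return ("invalid", None)


def scenario():
    """Constructed cases: an IPv6 pair with no NAT, an IPv4 initiator behind a NAT,
    and three datagrams on port 4500."""
    spi_i = bytes.fromhex("0123456789abcdef")
    spi_r = bytes(8)     # responder SPI is zero in the first IKE_SA_INIT request
    out = {}
    # IPv6: global addresses on both ends, nothing rewrites them -> no NAT detected.
    p6 = build_natd_payloads(spi_i, spi_r, "2001:db8::1", 500, "2001:db8::2", 500)
    out["v6"] = check_natd(spi_i, spi_r, p6, "2001:db8::1", 500, "2001:db8::2", 500)
    # IPv4: initiator thinks it is 10.0.0.5:500, responder sees 203.0.113.7:40500.
    p4 = build_natd_payloads(spi_i, spi_r, "10.0.0.5", 500, "198.51.100.9", 500)
    out["v4"] = check_natd(spi_i, spi_r, p4, "203.0.113.7", 40500, "198.51.100.9", 500)
    # Port 4500 demux is independent of which case applies.
    out["ike"] = classify_port4500(NON_ESP_MARKER + spi_i + spi_r + b"\x21\x20\x22\x08")
    out["esp"] = classify_port4500(struct.pack("!II", 0xC0FFEE01, 1) + b"\x00" * 16)
    out["keepalive"] = classify_port4500(NAT_KEEPALIVE)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

Running it yields no NAT on either side for the IPv6 pair and "peer behind NAT" for the IPv4 initiator, while all three port 4500 datagrams are classified without reference to either result. Note that a real sender may emit several NAT_DETECTION_SOURCE_IP notifies (one per local address); the single-address form above is the minimum the comparison needs.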
