Hi Ryan,

Definitely NAT is not needed in case of IPv6 tunnel end-points. But RFC 5996 doesn't clearly say anything about it. Also, there is a use-case mentioned in RFC 5996 where firewalls might have been configured for only UDP (port-based) traffic to bypass. In that case the peer might be using UDP encapsulation for the IPv6 tunnel even if NATT is not detected.

Thanks
Mukesh

On 15 April 2015 at 19:45, Ruel, Ryan <[email protected]> wrote:

> Mukesh,
>
> I believe the idea is that for IPv6, NAT will not be needed (that's the beauty of having so much address space!).
>
> Technically, sure, you could NAT IPv6. But why?
>
> /Ryan
>
> From: Mukesh Yadav <[email protected]>
> Date: Wednesday, April 15, 2015 at 9:56 AM
> To: "[email protected]" <[email protected]>
> Subject: [strongSwan] Query reg UDP encapsulation for IPv6
>
> Hi,
>
> My question is more about the IKEv2 standard rather than strongSwan explicitly.
> UDP encapsulation is used for NATT traversal in IPsec for both ESP/IKE.
>
> RFC 5996 says that even if NATT is not detected, sending IKE/ESP on 4500 is optional but receiving should be handled.
> RFC 5666 reference:
> *"When either side is using port 4500, sending ESP with UDP encapsulation is not required, but understanding received UDP-encapsulated ESP packets is required"*
>
> Having said that, this is all fine for IPv4, but for IPv6 is it possible that NATT is not detected and IKE/ESP exchanges are still done on port 4500 as UDP encapsulated?
>
> One reference from the RFC I can find is below, which says that IKE/ESP can always be on port 4500 even if NAT is not detected, but it is not clear whether the same is applicable for IPv6 as well.
> *"IKEv2 will use UDP encapsulation of IKE and ESP packets. This encoding is slightly less efficient but is easier for NATs to process. In addition, firewalls may be configured to pass UDP-encapsulated IPsec traffic but not plain, unencapsulated ESP/AH or vice versa."*
>
> Any opinion or suggestion for the same will be appreciated.
>
> Thanks
> Mukesh
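The receive-side requirement quoted in the thread ("understanding received UDP-encapsulated ESP packets is required") comes down to demultiplexing whatever arrives on port 4500. The sketch below is an added example, not part of the original messages and not strongSwan code; it follows the RFC 3948 framing (four zero octets before IKE, a single 0xFF octet as NAT keepalive, anything else treated as ESP), and the function name and sample packets are constructed for illustration. It inspects only the UDP payload, so it behaves the same whether the datagram arrived over IPv4 or IPv6.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948 sec. 2.3: precedes IKE on 4500
NAT_KEEPALIVE = b"\xff"                  # RFC 3948 sec. 2.4: one-octet keepalive
IKE_HDR = struct.Struct("!8s8sBBBBII")   # IKE fixed header, 28 octets


def classify_4500(payload: bytes) -> dict:
    """Classify the UDP payload of a datagram received on port 4500."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "nat-keepalive"}
    if len(payload) < 4:
        return {"kind": "invalid", "reason": "shorter than SPI/marker"}
    if payload[:4] == NON_ESP_MARKER:
        body = payload[4:]
        if len(body) < IKE_HDR.size:
            return {"kind": "invalid", "reason": "truncated IKE header"}
        _ispi, _rspi, _np, ver, exch, _fl, msg_id, length = IKE_HDR.unpack_from(body)
        if length < IKE_HDR.size or length > len(body):
            return {"kind": "invalid", "reason": "bad IKE length field"}
        return {"kind": "ike", "major": ver >> 4, "exchange": exch, "msg_id": msg_id}
    # A non-zero first word is an ESP SPI (an SPI of zero is never sent on the wire).
    if len(payload) < 8:
        return {"kind": "invalid", "reason": "truncated ESP header"}
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


def constructed_samples() -> dict:
    """Constructed payloads; none of these bytes come from a real capture."""
    ike = NON_ESP_MARKER + IKE_HDR.pack(b"\x11" * 8, b"\x00" * 8, 0, 0x20, 34, 0x08, 0, 28)
    esp = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 16
    return {
        "ike": ike,
        "esp": esp,
        "keepalive": NAT_KEEPALIVE,
        "truncated": NON_ESP_MARKER + b"\x00" * 10,
    }


if __name__ == "__main__":
    for name, data in constructed_samples().items():
        print(name, classify_4500(data))
```

A receiver that keeps this path active regardless of the NAT detection result accepts a peer that chooses UDP encapsulation only to get through a UDP-only firewall, which is the case raised in the reply above.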
