Hi,

What is the behavior when strongSwan is used for the IKE exchange and the tunnel end points are IPv6? Does it allow/process UDP-encapsulated IPv6 packets when NAT-T is not detected?

Thanks
Mukesh

On 15 April 2015 at 21:46, Mukesh Yadav <[email protected]> wrote:
> Hi Ryan,
>
> Definitely NAT is not needed in case of IPv6 tunnel end-points.
> But RFC 5996 doesn't clearly say anything about it.
> Also, there is a use-case mentioned in RFC 5996 where firewalls might have
> been configured to let only UDP (port-based) traffic by-pass.
> In that case a peer might be using UDP encapsulation for an IPv6 tunnel even if
> NAT-T is not detected.
>
> Thanks
> Mukesh
>
> On 15 April 2015 at 19:45, Ruel, Ryan <[email protected]> wrote:
>
>> Mukesh,
>>
>> I believe the idea is that for IPv6, NAT will not be needed (that's the
>> beauty of having so much address space!).
>>
>> Technically, sure, you could NAT IPv6. But why?
>>
>> /Ryan
>>
>> From: Mukesh Yadav <[email protected]>
>> Date: Wednesday, April 15, 2015 at 9:56 AM
>> To: "[email protected]" <[email protected]>
>> Subject: [strongSwan] Query reg UDP encapsulation for IPv6
>>
>> Hi,
>>
>> My question is more towards the IKEv2 standard rather than strongSwan explicitly.
>> UDP encapsulation is used for NAT traversal in IPsec for both ESP and IKE.
>>
>> RFC 5996 says that even if NAT-T is not detected, sending IKE/ESP on 4500 is
>> optional, but receiving should be handled.
>> RFC 5996 reference:
>> "When either side is using port 4500, sending ESP with UDP encapsulation
>> is not required, but understanding received UDP-encapsulated ESP packets
>> is required"
>>
>> Having said that, this is all fine for IPv4, but for IPv6 is it possible
>> that NAT-T is not detected and still IKE/ESP exchanges are done on port
>> 4500 as UDP encapsulated?
>>
>> One reference from the RFC I can find is below, which says that IKE/ESP can
>> always be on port 4500 even if NAT is not detected, but it is not clear whether the same
>> is applicable for IPv6 as well.
>> "IKEv2 will use UDP encapsulation of IKE and ESP packets. This encoding
>> is slightly less efficient but is easier for NATs to process. In addition, firewalls
>> may be configured to pass UDP-encapsulated IPsec traffic but not
>> plain, unencapsulated ESP/AH or vice versa."
>>
>> Any opinion or suggestion on the same will be appreciated.
>>
>> Thanks
>> Mukesh
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
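The RFC text quoted in the thread ("understanding received UDP-encapsulated ESP packets is required") boils down to one demultiplexing rule on UDP port 4500, and that rule does not depend on the IP version: only the outer header parsing differs between IPv4 and IPv6. The following is an added example written for this thread (editor's code, not strongSwan code and not from any of the posters) showing that rule applied to constructed IPv6 packets. It follows RFC 3948 section 2 and RFC 5996/7296 section 2.23: on port 4500 a four-zero-byte "non-ESP marker" precedes an IKE header, a single 0xFF byte is a NAT keepalive, and anything else is UDP-encapsulated ESP whose first four bytes are the SPI (SPI 0 is reserved, which is what makes the marker unambiguous). Addresses, SPIs, the zero-filled IKE header placeholder and the zero UDP checksum are all test-data assumptions; IPv6 extension headers are not walked.

```python
"""Demultiplex IKE/ESP traffic arriving as plain ESP, UDP/500 or UDP/4500.

Added example for the strongSwan list thread above; not strongSwan code.
All packets built below are constructed test data, not captured traffic.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

ESP_PROTO = 50                         # IP protocol number for ESP (RFC 4303)
UDP_PROTO = 17
IKE_PORT = 500
NATT_PORT = 4500                       # UDP-encapsulated IKE/ESP (RFC 3948)
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # precedes an IKE header on port 4500
NAT_KEEPALIVE = b"\xff"                # one-byte NAT keepalive on port 4500


@dataclass
class Classified:
    ip_version: int
    src: str
    dst: str
    kind: str                   # ike | ike-natt | esp | esp-udp | keepalive | other
    spi: Optional[int] = None   # set for esp and esp-udp
    seq: Optional[int] = None


def classify(pkt: bytes) -> Classified:
    """Apply the port-4500 demux rule after parsing the outer IPv4/IPv6 header."""
    version = pkt[0] >> 4
    if version == 6:
        # Fixed 40-byte IPv6 header. Assumption: no extension headers present.
        next_hdr = pkt[6]
        src, dst = str(ipaddress.ip_address(pkt[8:24])), str(ipaddress.ip_address(pkt[24:40]))
        l4 = pkt[40:]
    elif version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        next_hdr = pkt[9]
        src, dst = str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20]))
        l4 = pkt[ihl:]
    else:
        raise ValueError("not an IPv4/IPv6 packet")

    if next_hdr == ESP_PROTO:              # plain, unencapsulated ESP
        spi, seq = struct.unpack("!II", l4[:8])
        return Classified(version, src, dst, "esp", spi, seq)
    if next_hdr != UDP_PROTO:
        return Classified(version, src, dst, "other")

    _sport, dport, ulen = struct.unpack("!HHH", l4[:6])
    payload = l4[8:ulen]
    if dport == IKE_PORT:                  # IKE on 500 never carries the marker
        return Classified(version, src, dst, "ike")
    if dport != NATT_PORT:
        return Classified(version, src, dst, "other")
    # Port 4500: SPI 0 is reserved, so four zero bytes can only be the
    # non-ESP marker in front of an IKE header; a lone 0xFF is a keepalive.
    if payload == NAT_KEEPALIVE:
        return Classified(version, src, dst, "keepalive")
    if payload[:4] == NON_ESP_MARKER:
        return Classified(version, src, dst, "ike-natt")
    spi, seq = struct.unpack("!II", payload[:8])
    return Classified(version, src, dst, "esp-udp", spi, seq)


# --- constructed sample packets (assumed addresses/SPIs, not real traffic) ---

def _ipv6(src: str, dst: str, next_hdr: int, body: bytes) -> bytes:
    hdr = struct.pack("!IHBB", 0x60000000, len(body), next_hdr, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body


def _udp(sport: int, dport: int, payload: bytes) -> bytes:
    # Checksum left 0 for test data; a real IPv6 stack requires a valid one.
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    return struct.pack("!II", spi, seq) + ciphertext


A, B = "2001:db8::1", "2001:db8::2"     # assumed tunnel end points
IKE_HDR = bytes(28)                      # zero-filled 28-byte IKE header placeholder

SAMPLES = {
    "plain-ike": _ipv6(A, B, UDP_PROTO, _udp(500, 500, IKE_HDR)),
    "ike-natt":  _ipv6(A, B, UDP_PROTO, _udp(4500, 4500, NON_ESP_MARKER + IKE_HDR)),
    "esp-udp":   _ipv6(A, B, UDP_PROTO, _udp(4500, 4500, _esp(0xC0FFEE, 7, b"\xaa" * 32))),
    "keepalive": _ipv6(A, B, UDP_PROTO, _udp(4500, 4500, NAT_KEEPALIVE)),
    "plain-esp": _ipv6(A, B, ESP_PROTO, _esp(0xC0FFEE, 8, b"\xbb" * 32)),
}


def classify_samples() -> dict:
    """Classify every constructed sample; returns {name: kind}."""
    return {name: classify(pkt).kind for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        c = classify(pkt)
        extra = "" if c.spi is None else f" spi=0x{c.spi:x} seq={c.seq}"
        print(f"{name:10s} v{c.ip_version} {c.src} -> {c.dst}: {c.kind}{extra}")
```

The receive side is what the RFC makes mandatory, and the classifier above treats an IPv6 packet on port 4500 exactly like an IPv4 one. The send side is a local policy choice; in strongSwan the knob for forcing UDP encapsulation without a detected NAT is `forceencaps=yes` in ipsec.conf (`encap = yes` in swanctl.conf), which is the configuration the firewall use-case in the quoted RFC text calls for.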
