[strongSwan-dev] IKEv2: Allow peer to choose between transport xor tunnel mode in presence of NAT

Sebastian Wurst wurstsebastian80 at gmail.com
Wed Jul 10 06:15:36 CEST 2013


Finally IKEv2 (with 5.1.0dr2) supports IPsec transport mode in the presence
of NAT. Thank you, Martin!

I would like to switch my application that relies on strongSwan to use
IPsec transport mode, but because of compatibility considerations, I can't
simply remove support for legacy IPsec tunnel mode* (i.e. newer application
versions must still be able to work with older versions).

Is there a way to configure strongSwan 5.1.0dr2 so that with the same
ipsec.conf template it could always negotiate:
1. IPsec transport mode when peer is using the new strongSwan 5.1.0dr2
2. IPsec tunnel mode when peer is using the old strongSwan 5.0.4 (i.e. as a
fallback mechanism)

Do I really need two conn templates in the ipsec.conf file (one for transport
mode and one for tunnel mode)?
If so, then how do I tell strongSwan to choose transport mode over tunnel
mode when both applications are using the new strongSwan 5.1.0dr2?

My application is also implemented in a P2P fashion. All it receives is the
remote IP address and credentials (it does not receive the peer's strongSwan
version). Also, ipsec.conf is symmetric and both sides can initiate IPsec.

Thank You,


*Currently, I have implemented IPsec tunnel mode so that the peer that is
behind the NAT installs:
1. an iptables rule that SNATs packets from its local IP address to the public
IP address, and
2. an iptables rule that DNATs packets from the public IP address to its local
IP address.
Something like emulating transport mode on top of tunnel mode. These
iptables rules are inserted from the updown script.
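The footnote above describes the SNAT/DNAT emulation of transport mode on top of tunnel mode, installed from the updown script of the peer behind the NAT. The script below is an added example of that emulation, not the poster's script nor anything shipped with strongSwan. It assumes strongSwan's standard updown environment (PLUTO_VERB, PLUTO_ME, PLUTO_PEER, PLUTO_MY_CLIENT) and, as an assumption about the poster's setup, that the NATed peer negotiates its public address as its local /32 traffic selector (leftsubnet=<public>/32 with type=tunnel and leftupdown=<this script>), so PLUTO_MY_CLIENT carries the public address while PLUTO_ME carries the private one. The "-m policy" matches are added here so that only the plaintext packets about to be encapsulated, or just decapsulated, are rewritten; the ESP or UDP-encapsulated packets themselves share the same local and peer addresses and must not be touched. IPTABLES can be overridden (e.g. to "echo iptables") for a dry run.

```shell
#!/bin/sh
# Added example: updown script emulating transport mode over tunnel mode with
# NAT rules, for the peer behind the NAT. Not the poster's script and not part
# of strongSwan. Assumes the strongSwan updown environment and that the local
# traffic selector (PLUTO_MY_CLIENT) is the public address as a /32.
IPTABLES="${IPTABLES:-iptables}"

# Drop the prefix length from a traffic selector: 203.0.113.5/32 -> 203.0.113.5
strip_prefix() {
    printf '%s\n' "${1%%/*}"
}

# Print the two iptables commands that install (up) or remove (down) the
# emulation rules.
#   $1 up|down   $2 private local address   $3 public address   $4 peer address
# "-m policy --dir out/in --pol ipsec" restricts each rule to the inner packet
# that is about to be encapsulated / has just been decapsulated, so the outer
# ESP packets (same local and peer addresses) are never rewritten.
nat_rules() {
    case "$1" in
        up)   op=-A ;;
        down) op=-D ;;
        *)    echo "nat_rules: unknown verb '$1'" >&2; return 1 ;;
    esac
    local_ip=$2 public_ip=$3 peer_ip=$4
    # outbound: traffic we send to the peer enters the tunnel with the public source
    echo "$IPTABLES -t nat $op POSTROUTING -s $local_ip -d $peer_ip" \
         "-m policy --dir out --pol ipsec --mode tunnel -j SNAT --to-source $public_ip"
    # inbound: decapsulated traffic from the peer for the public address goes to the local one
    echo "$IPTABLES -t nat $op PREROUTING -s $peer_ip -d $public_ip" \
         "-m policy --dir in --pol ipsec --mode tunnel -j DNAT --to-destination $local_ip"
}

# Rules are only needed when the local selector differs from the local address,
# i.e. on the end that sits behind the NAT. Returns 0 if rules apply, 1 if not.
#   $1 local address (PLUTO_ME)   $2 local traffic selector (PLUTO_MY_CLIENT)
needs_emulation() {
    [ "$(strip_prefix "$2")" != "$1" ]
}

# Entry point used when strongSwan invokes the script via leftupdown=.
updown_main() {
    public=$(strip_prefix "$PLUTO_MY_CLIENT")
    needs_emulation "$PLUTO_ME" "$PLUTO_MY_CLIENT" || return 0
    case "$PLUTO_VERB" in
        up-host|up-client)     verb=up ;;
        down-host|down-client) verb=down ;;
        *)                     return 0 ;;   # ignore other verbs (e.g. IPv6 variants)
    esac
    nat_rules "$verb" "$PLUTO_ME" "$public" "$PLUTO_PEER" | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}

# Only act when invoked by strongSwan, so the file can also be sourced for testing.
if [ -n "$PLUTO_VERB" ]; then
    updown_main
fi
```

Because the peer with a public address sees PLUTO_MY_CLIENT equal to PLUTO_ME/32, needs_emulation skips it and the same script can sit on both ends of the symmetric ipsec.conf; the down verbs delete exactly the rules the up verbs added, so a flapping SA does not accumulate duplicates.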