[strongSwan-dev] IKEv2: Allow peer to choose between transport xor tunnel mode in presence of NAT

Martin Willi martin at strongswan.org
Wed Jul 10 09:05:22 CEST 2013

Hi Sebastian,

> 1. IPsec transport mode when peer is using the new strongSwan 5.1.0dr2
> 2. IPsec tunnel mode when peer is using the old strongSwan 5.0.4 (i.e. as a
> fallback mechanism)

Even if you configure transport mode, 5.1.0 should accept tunnel mode
for that connection. When using transport mode, any client not
supporting it (for example because it detected NAT) just omits the
transport mode notify and the connection uses a tunnel mode fallback.

> Do I really need two conn templates in ipsec.conf file (one for transport
> mode and one for tunnel mode)?

No, you'll need just one having type=transport.


More information about the Dev mailing list