[strongSwan] Is IKEv2 + transport mode + NAT traversal supported?
Andreas Steffen
andreas.steffen at strongswan.org
Tue Oct 5 23:08:49 CEST 2010
Hello,
The IKEv2 charon daemon does not support transport mode in the presence
of a NAT situation. The daemon automatically switches to tunnel mode.
The IKEv1 pluto daemon supports transport mode with NAT only with the
configure option --enable-nat-transport.
Regards
Andreas
On 10/05/2010 10:39 PM, IPSec Interest Group wrote:
> I am trying to activate an IKEv2 transport mode tunnel that traverses a
> NAT. It appears that, rather than sending the transport mode proposal I
> configured, it is instead sending tunnel mode.
> IKEv2 + tunnel mode + NAT works fine. So does IKEv1 + transport mode
> without a NAT on the tunnel path, so I know I definitely have transport
> mode enabled.
>
> Here's the configuration of my connection:
>
> conn NATNone4Tran
>     left = 192.168.50.9
>     right = 192.168.49.5
>     type = transport
>     keyexchange = ikev2
>     leftid = @natnone4.left.com
>     rightid = @natnone4.right.com
>     pfs = no
>     auto = add
>     authby = secret
>     esp = 3des-md5
>
>
> When I activate the tunnel, it fails with NO_PROPOSAL_CHOSEN because
> StrongSwan has sent a request for tunnel mode, not transport mode.
> From the log, it appears this might be intentional:
>
> Oct 5 16:37:14 linux125 charon: 13[IKE] not using transport mode, connection NATed
>
> Is the combination of IKEv2 + transport mode + NAT traversal
> supported? If so, can you suggest what I might need to configure
> differently?
> Thank you!
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
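
An added example, not part of the original thread and not strongSwan code: a small Python audit that lists ipsec.conf connections requesting type=transport together with keyexchange=ikev2 (the combination the reply says charon switches to tunnel mode under NAT) and picks the fallback message out of charon's log. The sample config and log are constructed from the values quoted above, the function names are hypothetical, and only explicitly set options (including those inherited from conn %default) are considered.

```python
import re

# Constructed sample input, modelled on the config and log line quoted in the thread.
SAMPLE_CONF = """\
conn %default
    keyexchange = ikev2   # inherited by every conn below

conn NATNone4Tran
    left = 192.168.50.9
    right = 192.168.49.5
    type = transport

conn TunnelOnly
    type = tunnel
"""
SAMPLE_LOG = [
    "Oct 5 16:37:14 linux125 charon: 13[IKE] not using transport mode, connection NATed",
    "Oct 5 16:37:15 linux125 charon: 13[IKE] constructed unrelated line",
]

# The message charon logs when it drops transport mode because a NAT was detected.
FALLBACK = re.compile(r"charon: \d+\[IKE\] not using transport mode, connection NATed")

def parse_conns(text):
    """Return {conn_name: {option: value}}, with 'conn %default' merged into each conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                      # section header at column 0
            parts = line.split()
            is_conn = parts[0] == "conn" and len(parts) == 2
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:     # indented option line
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def transport_ikev2_conns(conns):
    """Names of conns that explicitly ask for transport mode over IKEv2."""
    return sorted(n for n, o in conns.items()
                  if o.get("type") == "transport" and o.get("keyexchange") == "ikev2")

def fallback_events(log_lines):
    """Log lines showing charon abandoned transport mode because of NAT."""
    return [line for line in log_lines if FALLBACK.search(line)]

if __name__ == "__main__":
    for name in transport_ikev2_conns(parse_conns(SAMPLE_CONF)):
        print(f"{name}: transport + ikev2, charon falls back to tunnel mode behind NAT")
    for line in fallback_events(SAMPLE_LOG):
        print("fallback seen:", line)
```

A peer that only accepts transport mode will answer such a fallback with NO_PROPOSAL_CHOSEN, as in the report above, so a flagged connection plus a fallback log line explains that failure.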