[strongSwan] NAT Traversal - Issues in understanding

Andreas Steffen andreas.steffen at strongswan.org
Thu Jul 21 15:09:27 CEST 2011


Hello Holger,

it is important to understand that NAT-Traversal is implemented
differently in the IKEv1 pluto and IKEv2 charon daemons, respectively.

IKEv1 pluto
-----------

Since the original IKEv1 standard didn't have NAT-T support, which was
added later on by RFC 3947 "Negotiation of NAT-Traversal in the IKE",
NAT-T is disabled by default in the pluto daemon and must explicitly
be enabled using the parameter

nat_traversal=yes

With NAT-T enabled, pluto will float to UDP port 4500 starting with
the third IKEv1 Main Mode message exchange if a NAT situation was
detected using the NAT-D payloads during the second message exchange.

IKEv2 charon
------------

The nat_traversal parameter is ignored by the IKEv2 daemon since
NAT detection and ensuing NAT traversal is always active and cannot
be deactivated. What's probably confusing you is the

  mobike=yes

parameter which activates the IKEv2 Mobility and Multihoming Protocol
(RFC 4555 MOBIKE) by default. During the initial negotiation the
IKE_SA_INIT request/response pair is always sent on UDP port 500
but with MOBIKE enabled the port always floats to UDP port 4500
starting with the IKE_AUTH request/response pair even if *no*
NAT situation is detected. If you want IKEv2 to behave in the same
way as IKEv1 then please deactivate MOBIKE with

  mobike=no

Please be aware that a serious NAT-T bug was fixed in strongSwan
4.5.1 and later versions: in the case of a responder sitting behind
a NAT router, it caused the host to answer requests sent on port 4500
on port 500 instead.

Hope this helps!

Kind regards

Andreas

On 07/21/2011 02:38 PM, Holger Metschulat wrote:
> Hi all,
> 
> I have a problem understanding how NAT Traversal is implemented in
> StrongSwan.
> 
> I thought that an IPSEC endpoint which is enabled for NAT Traversal will
> listen on Port 500 and Port 4500. Any IKE negotiation starts on port 500
> first, when a NAT device is detected, the negotiation continues on port
> 4500.
> 
> Playing around with StrongSwan, nat_traversal=no has StrongSwan
> listening only on port 500 (and using port 500 for connections);
> nat_traversal=yes moves the listening port and destination port to 4500.
> This is contrary to my belief of how NAT Traversal works.
> 
> Can you comment please?
> 
> Regards,
> Holger
> 

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
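The NAT detection that precedes the port float described in the mail above, worked through as an added example (this is illustration code written for this page, not code from strongSwan's pluto or charon daemons). It builds the two IKEv2 NAT_DETECTION_* Notify payloads as an initiator would, parses them on the responder side, compares them with the addresses actually seen on the wire, and then applies the floating rules from the mail (IKEv1 with and without nat_traversal, IKEv2 with and without mobike). The hash construction is the one from RFC 7296 section 2.23 (RFC 3947 NAT-D uses the same SHA-1 over cookies, IP and port). All SPIs, addresses and ports are constructed sample values; the helper names are the example's own.

```python
"""NAT detection and port floating as in IKE NAT-T (RFC 3947 / RFC 7296 s.2.23).

Added example for the mail above; not strongSwan code. The SPIs, addresses
and ports below are constructed sample values, and the function names are
this example's own.
"""
import hashlib
import ipaddress
import struct

NAT_DETECTION_SOURCE_IP = 16388       # IKEv2 Notify message types (RFC 7296)
NAT_DETECTION_DESTINATION_IP = 16389
PAYLOAD_NOTIFY = 41                   # "next payload" value for a chained Notify
IKE_PORT, NATT_PORT = 500, 4500


def nat_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP | Port): the NAT_DETECTION_* notification data.
    RFC 3947 NAT-D payloads use the same construction with the IKEv1 cookies."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes")
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed
                        + struct.pack("!H", port)).digest()


def build_notify(msg_type: int, data: bytes, next_payload: int = 0) -> bytes:
    """Encode one IKEv2 Notify payload carrying no SPI (Protocol ID 0, SPI Size 0)."""
    return struct.pack("!BBHBBH", next_payload, 0, 8 + len(data), 0, 0, msg_type) + data


def parse_notifies(buf: bytes) -> dict:
    """Walk a chain of Notify payloads and return {msg_type: notification data}.
    A real parser would keep all NAT_DETECTION_SOURCE_IP payloads (a multihomed
    peer may send several); one per type is enough for this example."""
    out, off = {}, 0
    while off < len(buf):
        _nxt, _flags, length, _proto, spi_size, msg_type = struct.unpack_from("!BBHBBH", buf, off)
        if length < 8 + spi_size or off + length > len(buf):
            raise ValueError("truncated Notify payload")
        out[msg_type] = buf[off + 8 + spi_size: off + length]
        off += length
    return out


def detect_nat(spi_i: bytes, spi_r: bytes, notifies: dict, seen_src, seen_dst) -> dict:
    """Responder-side check on a received IKE_SA_INIT request.
    seen_src / seen_dst are (ip, port) from the IP/UDP headers of the packet as
    it arrived, i.e. after any NAT on the path rewrote them."""
    return {
        # Source hash mismatch: the initiator's address was rewritten on the way.
        "peer_behind_nat": notifies[NAT_DETECTION_SOURCE_IP] != nat_hash(spi_i, spi_r, *seen_src),
        # Destination hash mismatch: our own public address is not what we listen on.
        "local_behind_nat": notifies[NAT_DETECTION_DESTINATION_IP] != nat_hash(spi_i, spi_r, *seen_dst),
    }


def next_exchange_port(ike_version: int, nat_detected: bool,
                       nat_traversal: bool = True, mobike: bool = True) -> int:
    """Port of the next exchange after NAT detection, following the mail above:
    IKEv1 pluto floats only with nat_traversal=yes and a detected NAT (third Main
    Mode exchange); IKEv2 charon cannot switch NAT-T off, and with MOBIKE enabled
    it floats to 4500 for IKE_AUTH even when no NAT was detected."""
    if ike_version == 1:
        return NATT_PORT if (nat_traversal and nat_detected) else IKE_PORT
    return NATT_PORT if (nat_detected or mobike) else IKE_PORT


def demo():
    spi_i = bytes.fromhex("0123456789abcdef")   # constructed initiator SPI
    spi_r = bytes(8)                             # zero in the IKE_SA_INIT request
    initiator = ("192.168.1.10", IKE_PORT)       # private address behind a NAT (constructed)
    responder = ("198.51.100.1", IKE_PORT)       # public responder (constructed)
    # The initiator hashes the addresses *it* sees on its own socket.
    request = (build_notify(NAT_DETECTION_SOURCE_IP, nat_hash(spi_i, spi_r, *initiator), PAYLOAD_NOTIFY)
               + build_notify(NAT_DETECTION_DESTINATION_IP, nat_hash(spi_i, spi_r, *responder)))
    # The NAT router rewrites the source to its public address and a fresh port.
    seen_src = ("203.0.113.5", 40321)
    result = detect_nat(spi_i, spi_r, parse_notifies(request), seen_src, responder)
    nat = result["peer_behind_nat"] or result["local_behind_nat"]
    ports = {
        "ikev1 nat_traversal=no": next_exchange_port(1, nat, nat_traversal=False),
        "ikev1 nat_traversal=yes": next_exchange_port(1, nat),
        "ikev2 mobike=no": next_exchange_port(2, nat, mobike=False),
        "ikev2 mobike=yes, no NAT": next_exchange_port(2, False),
    }
    return result, ports


if __name__ == "__main__":
    print(demo())
```

On a real gateway the same question is answered by watching both ports while a connection comes up, for example with `tcpdump -ni any udp port 500 or udp port 4500`: with IKEv1 and nat_traversal=yes the float to 4500 should only appear when a NAT is on the path, whereas an IKEv2 connection with mobike=yes moves to 4500 at IKE_AUTH every time.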



