[strongSwan] Qn - Strongswan IKEv2 + Transport mode + NAT
Tobias Brunner
tobias at strongswan.org
Mon Oct 8 17:38:30 CEST 2012
Hi Anoop,
> I would like to know, is it done purposefully, or am I doing something
> wrong with the configuration?
Yes, this is done on purpose. If a NAT is detected, strongSwan as
client will not propose transport mode, but switch to tunnel mode
instead. Likewise, strongSwan as gateway will not accept transport
mode if a NAT is detected.
> Or is it like TRANSPORT Mode + NAT is not supported by IKEv2?
No, it is supported, but besides security concerns (see section 5.2 in
RFC 3948 [1]) and the fact that RFC 4306 did not specify how exactly it
is negotiated (RFC 5996 added a detailed description of the expected
behavior in section 2.23.1 [2]), there is no real use case to negotiate
IPsec transport mode over a NAT with IKEv2 (whereas in the days of IKEv1 it
was often used in combination with L2TP).
Regards,
Tobias
[1] http://tools.ietf.org/html/rfc3948#section-5.2
[2] http://tools.ietf.org/html/rfc5996#section-2.23.1
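The NAT detection that drives the fallback described above, as an added illustration that is not strongSwan code: the IKEv2 NAT_DETECTION_* notifications carry SHA-1(SPIi | SPIr | IP | port) (RFC 5996, section 2.23), the initiator compares the responder's NAT_DETECTION_DESTINATION_IP with a hash of the address it actually sent from, and a mismatch means a NAT rewrote the packet. The SPIs and addresses below are constructed sample values.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address | port, as in RFC 5996 section 2.23."""
    packed_ip = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def initiator_behind_nat(spi_i: bytes, spi_r: bytes, my_ip: str, my_port: int,
                         nat_detection_destination_ip: bytes) -> bool:
    """True if the responder saw a different source address than the one we sent from."""
    return nat_detection_hash(spi_i, spi_r, my_ip, my_port) != nat_detection_destination_ip


def select_ipsec_mode(configured_mode: str, nat_present: bool) -> str:
    """Mirror the behaviour the post describes: transport mode behind a NAT becomes tunnel mode."""
    if configured_mode == "transport" and nat_present:
        return "tunnel"
    return configured_mode


# Constructed sample values (hypothetical, not captured from a real exchange).
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")
CLIENT_PRIVATE_IP, CLIENT_PORT = "10.0.0.5", 500     # address the client sends from
CLIENT_PUBLIC_IP, NAT_PORT = "203.0.113.7", 4500     # what a NAT in the path rewrites it to


def run_example(nat_in_path: bool):
    """Simulate the IKE_SA_INIT exchange with or without a NAT between the peers."""
    seen_ip, seen_port = (CLIENT_PUBLIC_IP, NAT_PORT) if nat_in_path else (CLIENT_PRIVATE_IP, CLIENT_PORT)
    # The responder hashes the source address it observed and returns it as
    # NAT_DETECTION_DESTINATION_IP in its IKE_SA_INIT response.
    dest_hash_from_responder = nat_detection_hash(SPI_I, SPI_R, seen_ip, seen_port)
    nat = initiator_behind_nat(SPI_I, SPI_R, CLIENT_PRIVATE_IP, CLIENT_PORT, dest_hash_from_responder)
    return nat, select_ipsec_mode("transport", nat)


if __name__ == "__main__":
    for nat_in_path in (False, True):
        nat, mode = run_example(nat_in_path)
        print(f"NAT in path: {nat_in_path} -> NAT detected: {nat}, negotiated mode: {mode}")
```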