[strongSwan] Force UDP Encapsulation in 5.0.4?

Dan Cook dan.cook at illum.io
Mon Jul 8 06:45:55 CEST 2013


Andreas,

It is on the Wiki for the ConnSection:
http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection

    forceencaps = yes | no

    force UDP encapsulation for ESP packets even if no NAT situation is detected.
    This may help to surmount restrictive firewalls. In order to force the peer to
    encapsulate packets, NAT detection payloads are faked.
    Only supported for IKEv2 prior to 5.0.0.

Dan

On Sun, Jul 7, 2013 at 9:34 PM, Andreas Steffen
<andreas.steffen at strongswan.org> wrote:
> Hi Dan,
>
> where did you read that? I don't see any "prior" in the current
> ipsec.conf man page.
>
> Regards
>
> Andreas
>
> On 07/08/2013 06:27 AM, Dan Cook wrote:
>> Funny.  I just found that out as your email arrived.
>>
>> I didn't try it initially because the docs say "prior" to 5.0.0.
>> e.g.  "Only supported for IKEv2 prior to 5.0.0."
>> I hope that is just a typo and it is fully supported in 5.0 going forward.
>> Amazon does not route ESP packets so this is the only way to do
>> transport mode in the same data center.
>>
>> Thanks for the help,
>> Dan
>>
>>
>> On Sun, Jul 7, 2013 at 8:58 PM, Andreas Steffen
>> <andreas.steffen at strongswan.org> wrote:
>>> Hi Dan,
>>>
>>> in the connection definition of ipsec.conf add the parameter
>>>
>>>   forceencaps=yes
>>>
>>> Regards
>>>
>>> Andreas
>>>
>>> On 07/07/2013 05:04 AM, Dan Cook wrote:
>>>> I am working in a virtual environment that does not allow ESP traffic.
>>>>  Is there a way to force strongswan 5.0.4 to use UDP encapsulation of
>>>> the ESP traffic?   The machines are connected over a non-natted internal
>>>> network.
>>>>
>>>> If this is not possible, can you please advise where in the code I
>>>> should look to "force" this connection to UDP encapsulation.
>>>>
>>>> Thanks,
>>>> Dan Cook
>>>
>>> ======================================================================
>>> Andreas Steffen                         andreas.steffen at strongswan.org
>>> strongSwan - the Linux VPN Solution!                www.strongswan.org
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil
>>> CH-8640 Rapperswil (Switzerland)
>>> ===========================================================[ITA-HSR]==
>>>
>
>
>
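
As an added example (not part of the thread and not strongSwan code): one way to check that `forceencaps=yes` is taking effect is to classify captured packets by the RFC 3948 framing used on UDP port 4500. The packet tuples, sample bytes and function names are constructed for illustration.

```python
import struct

NATT_PORT = 4500                 # UDP port shared by IKE and UDP-encapsulated ESP
PROTO_UDP, PROTO_ESP = 17, 50    # IP protocol numbers

def classify_natt_payload(payload: bytes) -> str:
    """Classify a UDP/4500 payload using the RFC 3948 framing rules."""
    if payload == b"\xff":
        return "nat-keepalive"            # single 0xFF octet
    if len(payload) < 8:
        return "malformed"
    if payload[:4] == b"\x00" * 4:        # non-ESP marker, IKE header follows
        return "ike" if len(payload) >= 4 + 28 else "malformed"
    return "esp-in-udp"                   # non-zero SPI: ESP header follows

def esp_fields(payload: bytes) -> tuple:
    """Return (SPI, sequence number) of an ESP-in-UDP payload."""
    return struct.unpack("!II", payload[:8])

def encapsulation_in_effect(packets) -> bool:
    """True if ESP was seen inside UDP/4500 and never as native IP protocol 50."""
    kinds = set()
    for proto, dport, payload in packets:
        if proto == PROTO_ESP:
            kinds.add("native-esp")
        elif proto == PROTO_UDP and dport == NATT_PORT:
            kinds.add(classify_natt_payload(payload))
    return "esp-in-udp" in kinds and "native-esp" not in kinds

# Constructed sample data (not a real capture): (ip_proto, dst_port, payload).
IKE = b"\x00" * 4 + struct.pack("!8s8sBBBBII", b"I" * 8, b"R" * 8,
                                 0, 0x20, 35, 0x08, 1, 28)
ESP = struct.pack("!II", 0xC1A2B3C4, 1) + b"\x00" * 16
SAMPLE = [(PROTO_UDP, NATT_PORT, IKE),
          (PROTO_UDP, NATT_PORT, ESP),
          (PROTO_UDP, NATT_PORT, b"\xff")]

if __name__ == "__main__":
    for _, _, p in SAMPLE:
        print(classify_natt_payload(p))
    print("encapsulated:", encapsulation_in_effect(SAMPLE))
```

If any IP protocol 50 packet appears between the two peers, the check reports that encapsulation is not in effect for that traffic.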



