[strongSwan] Force UDP Encapsulation in 5.0.4?

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 8 09:08:23 CEST 2013


Hmm, the formulation was rather ambiguous. I changed it to

   Not supported for IKEv1 connections prior to 5.0.0

Support for IKEv2 has always been available.

Regards

Andreas

On 08.07.2013 06:45, Dan Cook wrote:
> Andreas,
>
> It is on the Wiki for the ConnSection:
> http://wiki.strongswan.org/projects/strongswan/wiki/ConnSection
>
>      forceencaps = yes | no
>
>      force UDP encapsulation for ESP packets even if no NAT situation is detected.
>      This may help to surmount restrictive firewalls. In order to force the peer to
>      encapsulate packets, NAT detection payloads are faked.
>      Only supported for IKEv2 prior to 5.0.0.
>
> Dan
>
> On Sun, Jul 7, 2013 at 9:34 PM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>> Hi Dan,
>>
>> where did you read that? I don't see any "prior" in the current
>> ipsec.conf man page.
>>
>> Regards
>>
>> Andreas
>>
>> On 07/08/2013 06:27 AM, Dan Cook wrote:
>>> Funny.  I just found that out as your email arrived.
>>>
>>> I didn't try it initially because the docs say "prior" to 5.0.0.
>>> e.g.  "Only supported for IKEv2 prior to 5.0.0."
>>> I hope that is just a typo and it is fully supported in 5.0 going forward.
>>> Amazon does not route ESP packets so this is the only way to do
>>> transport mode in the same data center.
>>>
>>> Thanks for the help,
>>> Dan
>>>
>>>
>>> On Sun, Jul 7, 2013 at 8:58 PM, Andreas Steffen
>>> <andreas.steffen at strongswan.org> wrote:
>>>> Hi Dan,
>>>>
>>>> in the connection definition of ipsec.conf add the parameter
>>>>
>>>>    forceencaps=yes
>>>>
>>>> Regards
>>>>
>>>> Andreas
>>>>
>>>> On 07/07/2013 05:04 AM, Dan Cook wrote:
>>>>> I am working in a virtual environment that does not allow ESP traffic.
>>>>>   Is there a way to force strongswan 5.0.4 to use UDP encapsulation of
>>>>> the ESP traffic?   The machines are connected over a non-natted internal
>>>>> network.
>>>>>
>>>>> If this is not possible, can you please advise where in the code I
>>>>> should look to "force" this connection to UDP encapsulation.
>>>>>
>>>>> Thanks,
>>>>> Dan Cook

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
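
Added example, not part of the original thread and not strongSwan code: a way to confirm that `forceencaps=yes` has taken effect by checking that every kernel ESP SA listed by `ip xfrm state` carries `encap type espinudp`. The sample output is constructed, and the function names are hypothetical.

```python
import re
import sys

# Constructed `ip xfrm state` output: addresses, SPIs and keys are made up.
# The second SA lacks an "encap" line, i.e. it would send raw ESP (IP proto 50).
SAMPLE = """\
src 10.0.1.10 dst 10.0.1.20
    proto esp spi 0xc0ffee01 reqid 1 mode transport
    replay-window 32
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    sel src 10.0.1.10/32 dst 10.0.1.20/32
src 10.0.1.20 dst 10.0.1.10
    proto esp spi 0xc0ffee02 reqid 1 mode transport
    replay-window 32
    auth-trunc hmac(sha1) 0x00 96
    enc cbc(aes) 0x00
    sel src 10.0.1.20/32 dst 10.0.1.10/32
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)")
PROTO = re.compile(r"^\s+proto (\S+) spi (\S+) .*\bmode (\S+)")
ENCAP = re.compile(r"^\s+encap type (\S+) sport (\d+) dport (\d+)")

def parse_sas(text):
    """Split `ip xfrm state` output into one dict per security association."""
    sas = []
    for line in text.splitlines():
        if m := HEAD.match(line):
            sas.append({"src": m[1], "dst": m[2], "proto": None,
                        "spi": None, "mode": None, "encap": None, "dport": None})
        elif sas and (m := PROTO.match(line)):
            sas[-1].update(proto=m[1], spi=m[2], mode=m[3])
        elif sas and (m := ENCAP.match(line)):
            sas[-1].update(encap=m[1], dport=int(m[3]))
    return sas

def bare_esp_sas(text):
    """Return ESP SAs that are not UDP-encapsulated (forceencaps not in effect)."""
    return [sa for sa in parse_sas(text)
            if sa["proto"] == "esp" and sa["encap"] != "espinudp"]

if __name__ == "__main__":
    # Usage: ip xfrm state | python3 check_encaps.py   (falls back to SAMPLE)
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for sa in bare_esp_sas(data):
        print(f"raw ESP: {sa['src']} -> {sa['dst']} spi {sa['spi']} mode {sa['mode']}")
```

An empty result means every ESP SA is wrapped in UDP, which is what an environment that drops IP protocol 50 requires.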
