[strongSwan] Query reg UDP encapsulation for IPv6

Mukesh Yadav write2mukesh84 at gmail.com
Wed Apr 15 15:56:31 CEST 2015


My question is more towards IKEv2 standard rather strongswan explicitly.
UDP encasulation is used for NATT traversal in IPsec for both ESP/IKE.

RFC 5996, says even if NATT is not detection sending IKE/ESP on 4500 is
optional but receiving should be handled.
RFC 5666 reference:
*"When either side is using port 4500, sending ESP with UDP encapsulation
*   not required, but understanding received UDP-encapsulated ESP packets
is required"*

Having said that this all fine for IPv4, but for IPv6 is it possible that
NATT is not detection and still IKE/ESP exchanges are done on port 4500 as
UDP encapsulated.

One reference from RFC I can is below which says that IKE/ESP can always be
on port 4500 even if NAT not detected, but not clear whether same is
applicable for IPv6 as well.
*" IKEv2 will use UDP encapsulation of IKE and ESP packets. This encoding
is slightly less*
*   efficient but is easier for NATs to process.  In addition, firewalls*
*   may be configured to pass UDP-encapsulated IPsec traffic but not plain,
unencapsulated ESP/AH or vice versa."*

Any opinion or suggestion for same will appreciated.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20150415/fee64ec4/attachment.html>

More information about the Users mailing list