[strongSwan] IKEv1: Disable NAT traversal
Prashant Sunkari
P.Sunkari at F5.com
Tue Feb 23 00:27:24 CET 2016
Hi,
I am using strongswan 5.2.2. I understand through Strongswan documentation that there is no explicit way to disable NAT-D/NAT-T if I am attempting an IKEv1 IPSec connection. I am assisting in a migration from racoon to Strongswan - racoon supports the option to disable nat_traversal. My below config doesn't work because the client detects NAT-T and starts using port 4500. I don't have a virtual/listener open for 4500 on my gateway/NAT device. Does anyone know what my options are if I have only one virtual/listener on port 500 on my gateway? Or is there a workaround which will effectively disable NAT-D/NAT-T for IKEv1?
client ------NAT device - server
10.10.0.2---------------------10.20.0.2
Client
--------
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn nat-t
    type=tunnel
    ike=aes128-md5-modp1536 #P1: modp1536 = DH group 5
    esp=aes128-sha1 #P2
    left=%any
    leftcert=sunkariClientCert.pem
    leftid="C=CA, CN=sunkariClient"
    leftfirewall=yes
    right=10.20.0.2
    rightid="C=CA, CN=sunkariServer"
    auto=add
Server
--------
conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1

conn nat-t
    type=tunnel
    ike=aes128-md5-modp1536 #P1: modp1536 = DH group 5
    esp=aes128-sha1 #P2
    left=10.20.0.2
    leftcert=sunkariServerCert.pem
    leftid="C=CA, CN=sunkariServer"
    leftfirewall=yes
    rightsubnet=0.0.0.0/0
    rightid="C=CA, CN=sunkariClient"
    auto=add
Regards,
Prashant
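The symptom described above (the initiator floats to UDP 4500 once NAT is detected, but the gateway only forwards UDP 500) shows up in charon's packet trace as sends to port 4500 with no answer and retransmits. The following triage helper is an added example, not part of the original post or of strongSwan: it parses charon-style "[NET]" and "[IKE]" log lines (the sample lines are constructed for this example, not taken from the poster's systems) and reports whether the exchange stayed on 500, floated to 4500 successfully, or stalled after the float.

```python
import re

# Constructed charon-style log excerpt for an IKEv1 Main Mode exchange that floats
# to UDP 4500 after NAT detection and then gets no reply (not from the original post).
SAMPLE_LOG = """\
08[IKE] initiating Main Mode IKE_SA nat-t[1] to 10.20.0.2
08[NET] sending packet: from 10.10.0.2[500] to 10.20.0.2[500] (180 bytes)
09[NET] received packet: from 10.20.0.2[500] to 10.10.0.2[500] (160 bytes)
09[NET] sending packet: from 10.10.0.2[500] to 10.20.0.2[500] (244 bytes)
10[NET] received packet: from 10.20.0.2[500] to 10.10.0.2[500] (228 bytes)
10[IKE] local host is behind NAT, sending keep alives
10[NET] sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (1212 bytes)
11[IKE] retransmit 1 of request with message ID 0
11[NET] sending packet: from 10.10.0.2[4500] to 10.20.0.2[4500] (1212 bytes)
"""

PKT_RE = re.compile(
    r"\[NET\] (sending|received) packet: from ([^\s\[]+)\[(\d+)\] to ([^\s\[]+)\[(\d+)\]")
NAT_RE = re.compile(r"\[IKE\] (local|remote) host is behind NAT")


def analyse_ike_log(text):
    """Summarise which UDP ports an IKE exchange used and whether it stalled after
    floating to 4500 (the failure mode when only UDP 500 is forwarded)."""
    nat_detected = set()
    floated = False            # we sent at least one packet to port 4500
    replies_on_4500 = False    # the peer answered from port 4500
    retransmits_after_float = 0
    for line in text.splitlines():
        nat = NAT_RE.search(line)
        if nat:
            nat_detected.add(nat.group(1))
        pkt = PKT_RE.search(line)
        if pkt:
            direction, _src, sport, _dst, dport = pkt.groups()
            if direction == "sending" and int(dport) == 4500:
                floated = True
            if direction == "received" and int(sport) == 4500:
                replies_on_4500 = True
        elif floated and "retransmit" in line:
            retransmits_after_float += 1
    if not floated:
        verdict = "exchange stayed on UDP 500"
    elif replies_on_4500:
        verdict = "floated to UDP 4500 and peer answered"
    else:
        verdict = "stalled after NAT-T float to UDP 4500: no reply from peer on 4500"
    return {"nat_detected": sorted(nat_detected), "floated_to_4500": floated,
            "replies_on_4500": replies_on_4500,
            "retransmits_after_float": retransmits_after_float, "verdict": verdict}
```

Run it over the real charon output (e.g. from syslog or `ipsec statusall` with `net` logging raised) to confirm whether the gateway is dropping UDP 4500 before changing the tunnel configuration.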