[strongSwan] IKEv2: Mobike=no not working

Prashant Sunkari P.Sunkari at F5.com
Thu Feb 25 20:33:47 CET 2016


Thanks for your quick response, Noel. I am testing a scenario where we don't have port 4500 open on the intermediate NAT device. I think my options are:
1. Libreswan, which provides a configurable parameter: nat-ikeport (default 4500)
2. Use an IPsec client which has a nat_traversal parameter
  a. Older version of strongSwan
  b. Openswan

I am wondering if the new age Android and iPhone do the automatic port floating in case of NAT-T. I need to test that.

Regards,
Prashant 

-----Original Message-----
From: Noel Kuntze [mailto:noel at familie-kuntze.de] 
Sent: Thursday, February 25, 2016 10:13 AM
To: Prashant Sunkari; users at lists.strongswan.org
Subject: Re: [strongSwan] IKEv2: Mobike=no not working

Hello Prashant,

> But the documentation in link below says, we can prevent port 
> switching (in any scenario) and doesn't talk about the no NAT detected 
> scenario. https://wiki.strongswan.org/projects/strongswan/wiki/MobIke
You're misunderstanding the documentation.
Enabling MOBIKE (or keeping it in the default setting, which is "yes") makes charon try to negotiate MOBIKE support with the other peer and, if it is negotiated, float to UDP port 4500 in *any* case, regardless of whether there is NAT or not.

If you disable MOBIKE, one of the following things can happen:
* There is NAT: charon will enable NAT-T and float to UDP port 4500.
* There is NO NAT: charon will NOT enable NAT-T and NOT float to UDP port 4500.

-- 

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
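
Added example, not part of the original thread and not strongSwan code: a Python sketch of how IKEv2 peers detect a NAT (the NAT_DETECTION hash from RFC 7296, section 2.23) and of the port decision as Noel's reply describes it. The SPIs, addresses and function names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NATT_PORT = 500, 4500

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data (RFC 7296, section 2.23):
    SHA-1 over SPIi | SPIr | IP address | port, all in network byte order."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def nat_detected(spi_i, spi_r, claimed_src, observed_src, claimed_dst, observed_dst) -> bool:
    """Receiver's view: the sender hashed the endpoints it believes it used;
    a mismatch with the endpoints on the received packet means a NAT rewrote them."""
    def same(a, b):
        return nat_detection_hash(spi_i, spi_r, *a) == nat_detection_hash(spi_i, spi_r, *b)
    return not (same(claimed_src, observed_src) and same(claimed_dst, observed_dst))

def port_after_ike_sa_init(mobike_negotiated: bool, nat: bool) -> int:
    """Port choice as described in the reply above: MOBIKE floats in any case,
    without MOBIKE the float to 4500 happens only when a NAT was detected."""
    return NATT_PORT if (mobike_negotiated or nat) else IKE_PORT

# Constructed sample values (documentation address ranges, made-up SPIs).
SPI_I, SPI_R = bytes.fromhex("1122334455667788"), bytes.fromhex("99aabbccddeeff00")
CLIENT_PRIVATE = ("192.168.1.10", 500)   # what the initiator thinks its source is
CLIENT_PUBLIC = ("203.0.113.5", 1024)    # what the responder sees after the NAT
GATEWAY = ("198.51.100.1", 500)

def demo():
    behind_nat = nat_detected(SPI_I, SPI_R, CLIENT_PRIVATE, CLIENT_PUBLIC, GATEWAY, GATEWAY)
    direct = nat_detected(SPI_I, SPI_R, CLIENT_PUBLIC, CLIENT_PUBLIC, GATEWAY, GATEWAY)
    return {
        "mobike=no, NAT": port_after_ike_sa_init(False, behind_nat),
        "mobike=no, no NAT": port_after_ike_sa_init(False, direct),
        "mobike negotiated, no NAT": port_after_ike_sa_init(True, direct),
    }

if __name__ == "__main__":
    for case, port in demo().items():
        print(f"{case}: IKE continues on UDP {port}")
```

With a NAT on the path, the mobike=no case still ends up on UDP 4500, so that setting alone does not keep IKE on port 500 in the scenario discussed in this thread.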



