[strongSwan] Missing NAT keep alive packets when forceencaps is set
Lars Alex Pedersen
laa at kamstrup.com
Tue Apr 23 11:54:31 CEST 2019
Got a roadwarrior/client connection where NAT-T isn't auto-detected. I tried to solve this by forcing UDP encapsulation using forceencaps=yes and expected that NAT keep-alive packets were also sent in order to keep the connection alive. But this doesn't seem to be the case.

Can I enable this behaviour somehow?
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        #charondebug="cfg 4, dmn 4, ike 4, net 4"
        charondebug="cfg 1, dmn 2, ike 1"

conn %default
        #ikelifetime
        lifetime=10800s
        margintime=600s
        rekey=yes
        reauth=no
        # force UDP encapsulation of ESP even when no NAT is detected
        forceencaps=yes
        keyingtries=1
        keyexchange=ikev2
        type=tunnel
        dpdaction=clear
        dpddelay=900s
        ike=aes256gcm128-sha512-ecp512bp,aes256gcm128-sha512-ecp521!
        esp=aes256gcm128-ecp512bp,aes256gcm128-ecp521,aes128gcm128-ecp256bp!
        authby=psk

# Configuration notes:
# left = local, right = remote
# leftid/rightid: ID payload exchanged during IKE (certificate: DN or subjectAltName)
# ! in ike and esp only allows the specified cipher suites (no NSA downgrade)
# TFC: Traffic Flow Confidentiality
# DPD: Dead Peer Detection

conn omnia
        left=x.x.x.x
        leftid=myid
        # request a virtual IP from the peer
        leftsourceip=%config
        leftfirewall=no
        right=x.x.x.x
        rightid=something
        rightsubnet=x.x.x.x/y
        tfc=1280
        auto=route
Best regards
Lars Pedersen.
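To verify whether NAT keep-alives are actually leaving the client (rather than relying on the log level above), the following added script classifies outbound UDP/4500 datagrams by their RFC 3948 framing and reports the longest gap between them. It is example code written for this post, not part of strongSwan or the original message; the packets it inspects are constructed inline (the IP addresses, the IKE header stub and the ESP SPI are made-up values), and the 20-second `interval` is strongSwan's default charon.keep_alive, which is the value a real capture would be compared against.

```python
"""Classify UDP/4500 payloads and check whether NAT keep-alives kept the mapping fresh.

Added example for this post; the sample packets below are constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List

# RFC 3948: a NAT-keepalive is a single 0xFF octet on UDP/4500; IKE carried on
# UDP/4500 is prefixed with a four-zero-byte non-ESP marker; UDP-encapsulated ESP
# starts with its (non-zero) SPI followed by the sequence number.
KEEPALIVE_PAYLOAD = b"\xff"
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_T_PORT = 4500


@dataclass(frozen=True)
class UdpPacket:
    ts: float        # capture time in seconds
    src: str         # source IP address
    dst: str         # destination IP address
    dport: int       # destination UDP port
    payload: bytes   # UDP payload


def classify(payload: bytes) -> str:
    """Name the kind of datagram carried on UDP/4500."""
    if payload == KEEPALIVE_PAYLOAD:
        return "nat-keepalive"
    if len(payload) >= 4 and payload[:4] == NON_ESP_MARKER:
        return "ike"
    if len(payload) >= 8:  # SPI (4 bytes) + sequence number (4 bytes) at minimum
        return "esp-in-udp"
    return "unknown"


def keepalive_report(packets: List[UdpPacket], local_ip: str,
                     interval: float = 20.0) -> Dict[str, object]:
    """Summarise what local_ip sent to UDP/4500 and whether the NAT mapping was kept warm.

    Any outbound datagram refreshes the NAT mapping, so the check is on the longest
    silence between consecutive outbound packets, with 50% slack for scheduler jitter.
    """
    outbound = sorted((p for p in packets if p.src == local_ip and p.dport == NAT_T_PORT),
                      key=lambda p: p.ts)
    counts: Dict[str, int] = {}
    for p in outbound:
        kind = classify(p.payload)
        counts[kind] = counts.get(kind, 0) + 1
    ts = [p.ts for p in outbound]
    max_gap = max((later - earlier for earlier, later in zip(ts, ts[1:])), default=0.0)
    return {
        "counts": counts,
        "keepalives": counts.get("nat-keepalive", 0),
        "max_gap": max_gap,
        "ok": bool(outbound) and max_gap <= interval * 1.5,
    }


# Constructed sample traffic (made-up addresses, IKE header stub and ESP SPI).
CLIENT, GATEWAY = "10.0.0.2", "198.51.100.1"
IKE_STUB = NON_ESP_MARKER + bytes(28)                     # marker + zeroed IKE header
ESP_STUB = b"\x12\x34\x56\x78" + b"\x00\x00\x00\x01" + bytes(8)  # SPI, seq, padding

# Healthy client: keep-alives every 20s once the tunnel goes idle.
SAMPLE_OK = [
    UdpPacket(0.0, CLIENT, GATEWAY, NAT_T_PORT, IKE_STUB),
    UdpPacket(1.0, CLIENT, GATEWAY, NAT_T_PORT, ESP_STUB),
    UdpPacket(5.0, GATEWAY, CLIENT, NAT_T_PORT, ESP_STUB),  # inbound, ignored
    UdpPacket(21.0, CLIENT, GATEWAY, NAT_T_PORT, KEEPALIVE_PAYLOAD),
    UdpPacket(41.0, CLIENT, GATEWAY, NAT_T_PORT, KEEPALIVE_PAYLOAD),
    UdpPacket(61.0, CLIENT, GATEWAY, NAT_T_PORT, KEEPALIVE_PAYLOAD),
]

# The situation in the post: encapsulation forced, but nothing sent while idle.
SAMPLE_SILENT = [
    UdpPacket(0.0, CLIENT, GATEWAY, NAT_T_PORT, IKE_STUB),
    UdpPacket(1.0, CLIENT, GATEWAY, NAT_T_PORT, ESP_STUB),
    UdpPacket(300.0, CLIENT, GATEWAY, NAT_T_PORT, ESP_STUB),
]

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("silent", SAMPLE_SILENT)):
        print(name, keepalive_report(sample, CLIENT))
```

To use it on a real capture, build `UdpPacket` objects from the UDP layer of each frame (the timestamp, addresses, destination port and raw payload are all that is needed) and run `keepalive_report` with the local address; a `max_gap` far above the keep-alive interval and zero keep-alives is the signature of the behaviour described above.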