Discussion:
How can I shutdown the NAT-T feature of IKEv2
weiping deng
2009-10-26 09:02:12 UTC
Hi Martin, Hi all,

I have one question:

How can I shutdown the NAT-T feature of IKEv2?

As far as I know, this feature is enabled by default in IKEv2. If I want to
shut down this feature, how can I do it? By configuring some item, or must I
modify code?

Best Regards,

David
Martin Willi
2009-10-26 09:12:30 UTC
Hi,
Post by weiping deng
How can I shutdown the NAT-T feature of IKEv2?
As far as I know, this feature is enabled by default in IKEv2. If I want to
shut down this feature, how can I do it? By configuring some item, or must I
modify code?
There is no configuration option for disabling NAT detection, as it
usually does no harm to have it enabled.

To disable it, the best approach is probably to replace the
build/process methods of the ike_natd task, or to not create/queue this
task at all.

Regards
Martin
weiping deng
2009-10-26 09:19:10 UTC
Hi Martin,
If I did not select --enable-NAT-Transport when I compiled
strongSwan, .... can the NAT-T feature be shut down by that method?

Best Regards,
David

Martin Willi
2009-10-26 10:10:03 UTC
Hi,
Post by weiping deng
If I did not select --enable-NAT-Transport when I compiled
strongSwan, .... can the NAT-T feature be shut down by that method?
This option is for IKEv1 and affects transport mode connections only.
Post by weiping deng
If strongSwan enables this NAT-T feature by default, then the parsing of
the following messages will run into issues due to the "4 bytes of
non-ESP" marker and the port floating of RFC 3948.
UDP-Encapsulation and other NAT features are enabled only if a NAT was
actually detected. strongSwan always includes NAT detection payloads in
IKE_SA_INIT requests. If your peer does not support NAT traversal, it
will (or should) ignore these payloads and will not include its own NAT
detection payloads. If strongSwan does not receive NAT detection
payloads in IKE_SA_INIT, it assumes your peer is not capable of NAT
traversal and will not enable any NAT specific features.

Regards
Martin
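As an added illustration of the decision Martin describes (this is example code, not strongSwan's ike_natd implementation): the NAT detection hash from RFC 4306/7296 section 2.23, the "enable NAT features only when a NAT was actually detected, and nothing at all when the peer sent no detection payloads" logic, and the RFC 3948 non-ESP marker David refers to. Notify type numbers and the SHA-1 input format come from the RFC; the SPIs and addresses in the sample are constructed.

```python
import hashlib
import ipaddress
import struct

# Notify message types, RFC 7296 section 3.10.1 (same values in RFC 4306)
NAT_DETECTION_SOURCE_IP = 16388
NAT_DETECTION_DESTINATION_IP = 16389

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 sec. 2.23: SHA-1(SPIi | SPIr | IP address | port), port in network order."""
    return hashlib.sha1(spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)).digest()

def evaluate_nat_detection(spi_i, spi_r, peer_notifies, seen_src, seen_dst):
    """Decide whether NAT-specific features are enabled for this IKE_SA.
    peer_notifies: {notify_type: [hash, ...]} from the peer's IKE_SA_INIT message.
    seen_src: (ip, port) the datagram really arrived from; seen_dst: (ip, port) it was delivered to."""
    src_hashes = peer_notifies.get(NAT_DETECTION_SOURCE_IP, [])
    dst_hashes = peer_notifies.get(NAT_DETECTION_DESTINATION_IP, [])
    if not src_hashes and not dst_hashes:
        # Peer sent no NAT detection payloads: treat it as incapable of NAT traversal
        # and leave UDP encapsulation, port floating and keepalives switched off.
        return {"peer_supports_natt": False, "nat_detected": False, "udp_encap": False}
    # The peer hashed the address it believes it sent from; if no hash matches the
    # source we observed on the wire, the peer sits behind a NAT.
    peer_behind_nat = nat_detection_hash(spi_i, spi_r, *seen_src) not in src_hashes
    # The peer hashed the address it sent to; a mismatch with the destination we
    # observed means our own address was translated on the way in.
    we_behind_nat = nat_detection_hash(spi_i, spi_r, *seen_dst) not in dst_hashes
    nat = peer_behind_nat or we_behind_nat
    return {"peer_supports_natt": True, "nat_detected": nat, "udp_encap": nat}

def classify_udp4500(datagram: bytes):
    """RFC 3948 demultiplexing on UDP/4500: four zero bytes (the non-ESP marker)
    prefix an IKE message; anything else is UDP-encapsulated ESP, because an ESP
    SPI of zero is reserved and never appears on the wire."""
    if datagram[:4] == b"\x00\x00\x00\x00":
        return "ike", datagram[4:]
    return "esp", datagram

if __name__ == "__main__":
    # Constructed sample (not a real capture): the peer hashed its private address
    # 10.0.0.5:500 but we saw the NAT's public 203.0.113.7:4500, so a NAT is detected.
    spi_i, spi_r = bytes.fromhex("0011223344556677"), bytes(8)
    notifies = {
        NAT_DETECTION_SOURCE_IP: [nat_detection_hash(spi_i, spi_r, "10.0.0.5", 500)],
        NAT_DETECTION_DESTINATION_IP: [nat_detection_hash(spi_i, spi_r, "198.51.100.1", 500)],
    }
    print(evaluate_nat_detection(spi_i, spi_r, notifies, ("203.0.113.7", 4500), ("198.51.100.1", 500)))
```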
weiping deng
2009-10-26 10:34:42 UTC
Hi Martin,

Thank you for your detailed information.

Best Regards,
David

Daniel Mentz
2009-10-26 09:12:50 UTC
Post by weiping deng
How can I shutdown the NAT-T feature of IKEv2?
http://wiki.strongswan.org/wiki/strongswan/ConfigSetupSection

says

"NAT traversal is always being active in IKEv2."

So I guess the answer is that you can't turn it off.

Please explain your motivation for turning it off. Do you expect a more
secure system?

-Daniel