Discussion:
nat traversal in ikev1 and ikev2
Jessie Liu
2009-11-13 08:37:51 UTC
Permalink
Hi all,
     I saw in ipsec.conf that the nat_traversal configuration is only for IKEv1. Why is it not configurable in IKEv2? It should be optional, right? If I want to disable NAT traversal in IKEv2, what should I do?
 
Thanks.

___________________________________________________
Your life's instant messenger - communication, entertainment, life and work, all taken care of at once!
http://messenger.yahoo.com.tw/
Andreas Steffen
2009-11-13 08:45:21 UTC
Permalink
Hi Jessie,

NAT traversal cannot be disabled in the IKEv2 charon daemon.
If you don't like automatic port floating to UDP/4500 due
to the MOBIKE protocol (RFC 4555), which happens even if no
NAT situation exists, then you can disable MOBIKE by adding

mobike=no

to ipsec.conf in the connection definition.

Regards

Andreas
======================================================================
Andreas Steffen andreas.steffen-***@public.gmane.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
Jessie Liu
2009-11-13 09:46:19 UTC
Permalink
Hi,
   I did some tests with two computers connected directly.  The IKE_AUTH message is still sent through UDP/4500.  Why does this happen? ...
Thanks. ^_______^

Andreas Steffen
2009-11-13 09:56:10 UTC
Permalink
Hi Jessie,

UDP/4500 shouldn't be used if

1) MOBIKE is disabled (mobike=no)

2) No NAT situation is detected via the N(NATD_S_IP)/N(NATD_D_IP)
hash payloads.

See our strongSwan example scenario with directly connected gateways
and disabled MOBIKE:

http://www.strongswan.org/uml/testresults43/ikev2/net2net-cert/

As you can see from the log, no floating to UDP/4500 occurs:

http://www.strongswan.org/uml/testresults43/ikev2/net2net-cert/moon.daemon.log

It might be that your gateway either does not compute the
N(NATD_S_IP) and N(NATD_D_IP) values correctly or enforces
NAT traversal even without an actual NAT situation.

Regards

Andreas
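To make the N(NATD_S_IP)/N(NATD_D_IP) check concrete, here is an added Python example (not strongSwan code and not from anyone in this thread) that computes the NAT detection hashes from RFC 4306 / RFC 7296 section 2.23 and shows when a receiver would conclude a NAT is present and float to UDP/4500. The SPIs, addresses and ports are constructed sample values.

```python
import hashlib
import ipaddress
import struct

# Constructed sample SPIs (not taken from the thread). In the initiator's
# IKE_SA_INIT request the responder SPI is still all zeros; the hash is
# computed over whatever 8-byte values are in the IKE header at that moment.
SPI_I = bytes.fromhex("0011223344556677")
SPI_R = bytes.fromhex("8899aabbccddeeff")


def natd_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP | port): the data of a NAT_DETECTION_*_IP notify."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKEv2 SPIs are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed          # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def build_natd_payloads(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Sender side: the hashes it places in N(NATD_S_IP) and N(NATD_D_IP)."""
    return {"NATD_S_IP": natd_hash(spi_i, spi_r, src_ip, src_port),
            "NATD_D_IP": natd_hash(spi_i, spi_r, dst_ip, dst_port)}


def detect_nat(spi_i, spi_r, payloads, seen_src_ip, seen_src_port, own_ip, own_port):
    """Receiver side: recompute the hashes from what it actually observed on the
    wire. A mismatch means a NAT rewrote the address or port in between.
    Returns (peer_behind_nat, local_behind_nat)."""
    peer_nat = payloads["NATD_S_IP"] != natd_hash(spi_i, spi_r, seen_src_ip, seen_src_port)
    local_nat = payloads["NATD_D_IP"] != natd_hash(spi_i, spi_r, own_ip, own_port)
    return peer_nat, local_nat


def must_float_to_4500(nat_result, mobike):
    """Floating to UDP/4500 happens when a NAT is detected, or always with MOBIKE on."""
    return mobike or any(nat_result)


def direct_link_scenario():
    """Two hosts on one subnet, no NAT: both hashes match, no floating expected."""
    p = build_natd_payloads(SPI_I, SPI_R, "192.168.0.1", 500, "192.168.0.2", 500)
    return detect_nat(SPI_I, SPI_R, p, "192.168.0.1", 500, "192.168.0.2", 500)


def nat_scenario():
    """Initiator behind a NAT that rewrites 10.1.0.2:500 to 192.0.2.1:4321."""
    p = build_natd_payloads(SPI_I, SPI_R, "10.1.0.2", 500, "198.51.100.7", 500)
    return detect_nat(SPI_I, SPI_R, p, "192.0.2.1", 4321, "198.51.100.7", 500)
```

If a gateway floats to UDP/4500 on a direct link with mobike=no, comparing its own NATD hashes against this computation is a quick way to tell a miscomputed hash from a policy that forces NAT traversal.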