Feature #263

Feature Request: NAT-T keepalive interval configuration for IKEv2

Added by Brian Pruss almost 8 years ago. Updated almost 8 years ago.

Status: Closed
Priority: Normal
Category: charon
Target version: -
Start date: 13.12.2012
Due date:
Estimated time:
Resolution: Invalid

Description

In Pluto, the interval between NAT-T keepalives was configurable using the keep_alive parameter in the ipsec.conf config setup section. It appears that there is no analogous configuration in Charon.

We believe that there is value in having this configurable. We have found that certain cellular network providers place restrictions on NAT-T traffic, and require the interval between packets to be at least several minutes. Would it be possible to add back the ipsec.conf parameter to set this?

History

#1 Updated by Tobias Brunner almost 8 years ago

> We have found that certain cellular network providers place restrictions on NAT-T traffic, and require the interval between packets to be at least several minutes.

I suppose we could add such an option, but how does the above make sense? The actual UDP-encapsulated ESP traffic will not look very different from the keep-alives (other than actually containing data). So would you have to delay normal traffic also? Or does this limitation actually only apply to the (very small) NAT keep-alives?

#2 Updated by Brian Pruss almost 8 years ago

You're correct, of course, in that it would be difficult for an outside observer to tell the difference between NAT-T keep-alives and normal traffic. However, there are certain cases where NAT-T behavior (among many other things) may have to be explicitly disclosed to the carrier personnel in order to get approval from them.

Also, such a parameter may be useful for performance tuning in other power- or bandwidth-restricted cases.

#3 Updated by Tobias Brunner almost 8 years ago

  • Category set to charon
  • Status changed from New to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to Invalid

> Also, such a parameter may be useful for performance tuning in other power- or bandwidth-restricted cases.

I can see that. And it turns out it actually is already configurable :-) Just specify the desired interval with charon.keep_alive in strongswan.conf (set it to 0 to disable keep-alives).

#4 Updated by Brian Pruss almost 8 years ago

You are correct. For some reason I wasn't finding it after doing searches on the Wiki or through Google. Sorry for the confusion, and thanks for your time and attention. Thank you very much!
