NAT Traversal (NAT-T) » History » Version 4
Tobias Brunner, 04.05.2011 14:04
Line | Version | Author | Content |
---|---|---|---|
1 | 2 | Martin Willi | h1. NAT Traversal |
2 | 1 | Martin Willi | |
3 | 2 | Martin Willi | |
4 | 2 | Martin Willi | |
5 | 2 | Martin Willi | h2. IKEv1 |
6 | 1 | Martin Willi | |
7 | 4 | Tobias Brunner | NAT discovery and traversal must be enabled by setting *nat_traversal=yes* in the [[ConfigSetupSection|config setup]] section of [[IpsecConf|ipsec.conf]]. Otherwise strongSwan's IKEv1 pluto daemon will not accept incoming IKE packets with a UDP source port different from 500. |
8 | 2 | Martin Willi | |
9 | 2 | Martin Willi | h2. IKEv2 |
10 | 1 | Martin Willi | |
11 | 4 | Tobias Brunner | The IKEv2 protocol includes NAT traversal in the core standard, but it's optional to implement. strongSwan implements it, and there is no configuration involved. The NAT_DETECTION_SOURCE_IP/NAT_DETECTION_DESTINATION_IP notifications included in the IKE_SA_INIT exchange indicate the peers' NAT-T capability, and if a NAT situation is detected, UDP encapsulation is activated for IPsec. |
12 | 3 | Andreas Steffen | |
13 | 3 | Andreas Steffen | strongSwan starts sending keep-alive packets if it is behind a NAT router to keep the mappings on the NAT device intact. |
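The IKEv2 row above says that the NAT_DETECTION_SOURCE_IP/DESTINATION_IP notifications in IKE_SA_INIT reveal whether a NAT sits between the peers. The following added example (not strongSwan code, and not part of the original wiki page) works through the mechanism as RFC 7296 section 2.23 defines it, which goes slightly beyond the page text: each notify carries SHA-1(SPIi | SPIr | IP | port) computed over the addresses as the sender sees them, and the receiver recomputes the hashes from the addresses it actually observed on the wire. The SPIs, addresses and ports are constructed sample values; `nat_d_hash`, `build_nat_detection`, `detect_nat` and `udp_encapsulation_needed` are names chosen for this example.

```python
"""IKEv2 NAT detection (RFC 7296, section 2.23), worked through in Python.

Added example: this is not strongSwan code. It models only the
NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP computation and
the comparison a receiver performs; all addresses, ports and SPIs are
constructed sample values.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(spi_i: bytes, spi_r: bytes, addr: str, port: int) -> bytes:
    """SHA-1(SPIi | SPIr | IP address | port): the payload data of a
    NAT_DETECTION_*_IP notify. IPv4 and IPv6 addresses are hashed in
    packed form, the port as a 16-bit big-endian integer."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes each")
    packed_ip = ipaddress.ip_address(addr).packed
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def build_nat_detection(spi_i, spi_r, src_addr, src_port, dst_addr, dst_port):
    """What a sender puts into IKE_SA_INIT: hashes over the addresses as
    the sender itself sees them, i.e. before any NAT rewrites the packet."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_d_hash(spi_i, spi_r, src_addr, src_port),
        "NAT_DETECTION_DESTINATION_IP": nat_d_hash(spi_i, spi_r, dst_addr, dst_port),
    }


def detect_nat(spi_i, spi_r, notifies, observed_src_addr, observed_src_port,
               own_addr, own_port):
    """Receiver side: recompute both hashes from the addresses actually
    seen on the wire. A mismatch on SOURCE_IP means the peer is behind a
    NAT; a mismatch on DESTINATION_IP means the receiver itself is.
    Returns (peer_behind_nat, self_behind_nat)."""
    peer_nat = notifies["NAT_DETECTION_SOURCE_IP"] != nat_d_hash(
        spi_i, spi_r, observed_src_addr, observed_src_port)
    self_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != nat_d_hash(
        spi_i, spi_r, own_addr, own_port)
    return peer_nat, self_nat


def udp_encapsulation_needed(peer_nat: bool, self_nat: bool) -> bool:
    """UDP encapsulation of ESP (and the move to port 4500) is activated
    as soon as a NAT is detected on either side."""
    return peer_nat or self_nat


# Constructed scenario: the initiator at 10.0.0.5:500 sits behind a NAT that
# rewrites its packets to 203.0.113.7:4711; the responder is 198.51.100.1:500.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)  # the responder SPI is still zero in the IKE_SA_INIT request


def run_scenario():
    """Initiator builds the notifies from its private view; the responder
    checks them against the post-NAT source address it observed."""
    notifies = build_nat_detection(SPI_I, SPI_R, "10.0.0.5", 500,
                                   "198.51.100.1", 500)
    return detect_nat(SPI_I, SPI_R, notifies, "203.0.113.7", 4711,
                      "198.51.100.1", 500)


if __name__ == "__main__":
    peer_nat, self_nat = run_scenario()
    print(f"peer behind NAT: {peer_nat}, self behind NAT: {self_nat}, "
          f"UDP encapsulation: {udp_encapsulation_needed(peer_nat, self_nat)}")
```

In the constructed scenario the responder's recomputed SOURCE_IP hash does not match the one the initiator sent, so the responder learns that the initiator is behind a NAT and both sides switch to UDP-encapsulated ESP; the DESTINATION_IP hash matches, so the responder knows it is not behind a NAT itself. The example models a single address per side; a real implementation may send one NAT_DETECTION_SOURCE_IP notify per local address and treats any matching hash as "no NAT".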