NAT Traversal (NAT-T) » History » Version 3

Andreas Steffen, 23.07.2009 07:51
Added IKEv1 NAT traversal configuration

h1. NAT Traversal
h2. IKEv1
NAT discovery and traversal must be enabled by setting *nat_traversal=yes* in the *config setup* section of *ipsec.conf*. Otherwise strongSwan's IKEv1 pluto daemon will not accept incoming IKE packets with a UDP source port different from 500.
h2. IKEv2
The IKEv2 protocol includes NAT traversal in the core standard, but it's optional to implement. strongSwan implements it, and there is no configuration involved. The NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications included in IKE_SA_INIT indicate the peer's NAT-T capability, and if a NAT situation is detected, UDP encapsulation is activated for IPsec.
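
How a receiver evaluates the two notifications, shown as an added example (not strongSwan code). It follows the hash definition in RFC 7296, section 2.23, which this page does not spell out; the SPI, the addresses and the helper names are constructed for illustration.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i, spi_r, ip, port):
    """SHA-1 over SPIi | SPIr | IP address | port (RFC 7296, section 2.23)."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    addr = ipaddress.ip_address(ip).packed      # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(spi_i, spi_r, seen_src, seen_dst, src_hashes, dst_hash):
    """Compare the received notification data with the addresses actually
    seen on the arriving packet; a mismatch means a NAT rewrote them."""
    src = nat_detection_hash(spi_i, spi_r, *seen_src)
    dst = nat_detection_hash(spi_i, spi_r, *seen_dst)
    return {
        "peer_behind_nat": src not in src_hashes,   # sender's address was translated
        "local_behind_nat": dst != dst_hash,        # our own address was translated
    }


# Constructed sample values (made-up SPI and addresses, not from the page).
SPI_I = bytes.fromhex("0102030405060708")
SPI_R = bytes(8)                       # responder SPI is zero in the first request
INITIATOR = ("192.168.1.10", 500)      # private address the initiator sends from
RESPONDER = ("198.51.100.20", 500)


def responder_view(seen_src):
    """What the responder concludes for a request arriving from seen_src."""
    # Notification data as the initiator computed it, before any NAT.
    src_hashes = [nat_detection_hash(SPI_I, SPI_R, *INITIATOR)]
    dst_hash = nat_detection_hash(SPI_I, SPI_R, *RESPONDER)
    return detect_nat(SPI_I, SPI_R, seen_src, RESPONDER, src_hashes, dst_hash)


if __name__ == "__main__":
    print("direct :", responder_view(INITIATOR))
    print("via NAT:", responder_view(("203.0.113.5", 61003)))
```
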
strongSwan starts sending keep-alive packets if it is behind a NAT router to keep the mappings on the NAT device intact.