NAT Traversal (NAT-T) » History » Version 4

Tobias Brunner, 04.05.2011 14:04

h1. NAT Traversal
h2. IKEv1
NAT discovery and traversal must be enabled by setting *nat_traversal=yes* in the [[ConfigSetupSection|config setup]] section of [[IpsecConf|ipsec.conf]]. Otherwise strongSwan's IKEv1 pluto daemon will not accept incoming IKE packets with a UDP source port different from 500.
h2. IKEv2
The IKEv2 protocol includes NAT traversal in the core standard, but implementing it is optional. strongSwan implements it, and no configuration is involved. The NAT_DETECTION_SOURCE_IP and NAT_DETECTION_DESTINATION_IP notifications included in the IKE_SA_INIT exchange indicate the peers' NAT-T capability; if a NAT situation is detected, UDP encapsulation is activated for IPsec.
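How the peers actually detect a NAT from those two notifications, as an added example that is not strongSwan's code: per RFC 7296 section 2.23 each notification carries a SHA-1 digest of the IKE SPIs, an IP address and a UDP port, and the recipient recomputes the digests from the addresses it observes on the wire. The SPI values, addresses and ports below are constructed for the illustration.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """RFC 7296 2.23: SHA-1 over SPIi || SPIr (as in the IKE header) || IP || UDP port."""
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def build_nat_notifies(spi_i, spi_r, src_ip, src_port, dst_ip, dst_port):
    """Sender side: the two notify payloads placed into IKE_SA_INIT, hashing the
    address/port the sender believes it sends from and the address/port it sends to."""
    return {
        "NAT_DETECTION_SOURCE_IP": nat_detection_hash(spi_i, spi_r, src_ip, src_port),
        "NAT_DETECTION_DESTINATION_IP": nat_detection_hash(spi_i, spi_r, dst_ip, dst_port),
    }

def detect_nat(spi_i, spi_r, notifies, seen_src_ip, seen_src_port, local_ip, local_port):
    """Recipient side: recompute both digests from what actually arrived on the wire.
    A SOURCE_IP mismatch means the peer's address was rewritten (peer behind NAT);
    a DESTINATION_IP mismatch means our own address was rewritten (we are behind NAT)."""
    peer_nat = notifies["NAT_DETECTION_SOURCE_IP"] != nat_detection_hash(
        spi_i, spi_r, seen_src_ip, seen_src_port)
    self_nat = notifies["NAT_DETECTION_DESTINATION_IP"] != nat_detection_hash(
        spi_i, spi_r, local_ip, local_port)
    # Either condition is enough to switch ESP to UDP encapsulation (port 4500).
    return {"peer_behind_nat": peer_nat, "self_behind_nat": self_nat,
            "udp_encapsulation": peer_nat or self_nat}

# Constructed scenario: an initiator on a private LAN behind a NAT talks to a public responder.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)  # the responder SPI is still zero in the IKE_SA_INIT request
INITIATOR_PRIVATE = ("10.0.0.5", 500)        # what the initiator thinks it sends from
INITIATOR_AS_SEEN = ("198.51.100.7", 61234)  # what the NAT rewrote it to
RESPONDER_PUBLIC = ("203.0.113.1", 500)

def run_scenario(seen_src=INITIATOR_AS_SEEN):
    """Initiator builds the notifies; responder checks them against the observed source."""
    notifies = build_nat_notifies(SPI_I, SPI_R, *INITIATOR_PRIVATE, *RESPONDER_PUBLIC)
    return detect_nat(SPI_I, SPI_R, notifies, *seen_src, *RESPONDER_PUBLIC)

if __name__ == "__main__":
    print(run_scenario())                   # initiator behind NAT -> encapsulate
    print(run_scenario(INITIATOR_PRIVATE))  # nothing rewritten on the path -> no NAT
```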
If it is behind a NAT router, strongSwan starts sending keep-alive packets to keep the mappings on the NAT device intact.