NAT Traversal (NAT-T) » History » Version 4

Version 3 (Andreas Steffen, 23.07.2009 07:51) → Version 4/13 (Tobias Brunner, 04.05.2011 14:04)

h1. NAT Traversal

h2. IKEv1

NAT discovery and traversal must be enabled by setting *nat_traversal=yes* in the [[ConfigSetupSection|config setup]] section of [[IpsecConf|ipsec.conf]]. Otherwise strongSwan's IKEv1 pluto daemon will not accept incoming IKE packets with a UDP source port different from 500.

h2. IKEv2

The IKEv2 protocol includes NAT traversal in the core standard, but implementing it is optional. strongSwan implements it, and no configuration is involved. The NAT_DETECTION_SOURCE_IP/NAT_DETECTION_DESTINATION_IP notifications included in the IKE_SA_INIT exchange indicate the peer's NAT-T capability, and if a NAT situation is detected, UDP encapsulation is activated for IPsec.

If strongSwan detects that it is behind a NAT router, it starts sending keep-alive packets to keep the mappings on the NAT device intact.
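The detection logic behind those notifications, as an added Python example that is not strongSwan's own code: each NAT_DETECTION_* notify carries SHA-1(SPIi | SPIr | IP | port) computed by the sender over its own view of the packet, and the receiver recomputes the hash over the addresses it actually observes. The SPIs and addresses below are constructed for the scenario.

```python
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """Notify data: SHA-1(SPIi | SPIr | IP address | port), SPIs as in the
    IKE header (8 bytes each), address in network byte order, port as a
    16-bit big-endian integer.  In the initiator's IKE_SA_INIT request the
    responder SPI is still all zeros."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 bytes")
    data = spi_i + spi_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()

def check_nat(spi_i, spi_r, src_notify, dst_notify, observed_src, observed_dst):
    """Receiver-side evaluation.  src_notify/dst_notify are the hashes carried
    in the peer's NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP
    notifies; observed_* are (ip, port) as seen in the IP/UDP headers of the
    packet that carried them.  A mismatch on the source side means the peer
    sits behind a NAT; a mismatch on the destination side means we do."""
    peer_behind_nat = src_notify != nat_detection_hash(spi_i, spi_r, *observed_src)
    local_behind_nat = dst_notify != nat_detection_hash(spi_i, spi_r, *observed_dst)
    return {
        "peer_behind_nat": peer_behind_nat,
        "local_behind_nat": local_behind_nat,
        # Any NAT on the path: ESP must be UDP-encapsulated.
        "udp_encapsulation": peer_behind_nat or local_behind_nat,
        # Only the side behind the NAT needs to send keep-alives.
        "send_keepalives": local_behind_nat,
    }

def responder_view():
    """Constructed scenario: the initiator (10.0.0.5:500) is behind a NAT that
    rewrites it to 203.0.113.7:51000; the responder is 198.51.100.1:500, no NAT."""
    spi_i = bytes.fromhex("0123456789abcdef")  # constructed initiator SPI
    spi_r = bytes(8)                           # zero in the IKE_SA_INIT request
    # Hashes the initiator computes over its own (pre-NAT) view of the packet.
    src_notify = nat_detection_hash(spi_i, spi_r, "10.0.0.5", 500)
    dst_notify = nat_detection_hash(spi_i, spi_r, "198.51.100.1", 500)
    # What the responder actually observes after the NAT rewrote the source.
    return check_nat(spi_i, spi_r, src_notify, dst_notify,
                     ("203.0.113.7", 51000), ("198.51.100.1", 500))

if __name__ == "__main__":
    print(responder_view())
```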