NAT Traversal (NAT-T) » History » Version 5

Tobias Brunner, 16.10.2012 17:29

h1. NAT Traversal
h2. IKEv1
Before [[5.0.0]], NAT discovery and traversal had to be enabled by setting _nat_traversal=yes_ in the [[ConfigSetupSection|config setup]] section of [[IpsecConf|ipsec.conf]]. Otherwise strongSwan 4.x's IKEv1 pluto daemon would not accept incoming IKE packets with a UDP source port different from 500. Since [[5.0.0]] IKEv1 traffic is handled by the charon daemon, which supports NAT traversal according to RFC 3947 without enabling it explicitly.
h2. IKEv2
The IKEv2 protocol includes NAT traversal in the core standard, but implementing it is optional. strongSwan implements it, and no configuration is involved. The @NAT_DETECTION_SOURCE_IP@ and @NAT_DETECTION_DESTINATION_IP@ notifications included in the @IKE_SA_INIT@ exchange indicate the peers' NAT-T capability, and if a NAT situation is detected, UDP encapsulation is activated for IPsec.
strongSwan starts sending keep-alive packets if it is behind a NAT router to keep the mappings on the NAT device intact.
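The NAT detection described above, as an added worked example (not strongSwan code): each side hashes its IKE SPIs, IP address and UDP port as RFC 7296 section 2.23 specifies, and the receiver recomputes the hash from the addresses actually seen on the wire; a mismatch reveals a NAT and the need for UDP encapsulation (and, for the NATed side, keep-alives). The addresses, ports and SPIs are constructed for the example.

```python
"""IKEv2 NAT detection (RFC 7296, section 2.23) as a stand-alone worked example."""
import hashlib
import ipaddress
import struct

def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over the IKE SPIs (header order), the IP address and the UDP port.
    This 20-byte digest is the data of a NAT_DETECTION_SOURCE_IP or
    NAT_DETECTION_DESTINATION_IP notify payload."""
    addr = ipaddress.ip_address(ip).packed          # 4 bytes (IPv4) or 16 (IPv6)
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()

def build_nat_notifies(spi_i, spi_r, local_addrs, remote_addr):
    """Sender side: one SOURCE_IP notify per local address, one DESTINATION_IP notify."""
    src = [nat_detection_hash(spi_i, spi_r, ip, port) for ip, port in local_addrs]
    dst = nat_detection_hash(spi_i, spi_r, *remote_addr)
    return src, dst

def check_nat_notifies(spi_i, spi_r, src_hashes, dst_hash, observed_src, own_addr):
    """Receiver side: recompute the hashes from what the packet really carried.
    No SOURCE_IP hash matching the observed source address/port means the peer
    sits behind a NAT; a DESTINATION_IP hash not matching our own address means
    we are behind a NAT. Either case requires UDP encapsulation (port 4500)."""
    observed = nat_detection_hash(spi_i, spi_r, *observed_src)
    peer_behind_nat = observed not in src_hashes
    self_behind_nat = dst_hash != nat_detection_hash(spi_i, spi_r, *own_addr)
    return {
        "peer_behind_nat": peer_behind_nat,
        "self_behind_nat": self_behind_nat,
        "udp_encapsulation": peer_behind_nat or self_behind_nat,
    }

# Constructed scenario: an initiator on a private address behind a NAT sends
# IKE_SA_INIT to a responder with a public address. SPIr is zero in the request.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes(8)
INITIATOR = ("192.168.1.10", 500)       # address the initiator believes it uses
RESPONDER = ("198.51.100.1", 500)
NAT_SEEN_SRC = ("203.0.113.5", 61234)   # source address after NAT rewriting

def example() -> dict:
    src_hashes, dst_hash = build_nat_notifies(SPI_I, SPI_R, [INITIATOR], RESPONDER)
    return check_nat_notifies(SPI_I, SPI_R, src_hashes, dst_hash, NAT_SEEN_SRC, RESPONDER)

if __name__ == "__main__":
    print(example())   # peer_behind_nat True, self_behind_nat False
```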