NAT Traversal (NAT-T) » History » Version 5
Version 4 (Tobias Brunner, 04.05.2011 14:04) → Version 5/13 (Tobias Brunner, 16.10.2012 17:29)
h1. NAT Traversal
h2. IKEv1
Before [[5.0.0]], NAT discovery and traversal had to must be enabled by setting _nat_traversal=yes_ *nat_traversal=yes* in the [[ConfigSetupSection|config setup]] section of [[IpsecConf|ipsec.conf]]. Otherwise strongSwan 4.x's strongSwan's IKEv1 pluto daemon would will not accept incoming IKE packets with a UDP source port different from 500. Since [[5.0.0]] IKEv1 traffic is handled by the charon daemon which supports NAT traversal according to "RFC 3947":http://tools.ietf.org/html/rfc3947 without enabling it explicitly.
h2. IKEv2
The IKEv2 protocol includes NAT traversal in the core standard, but it's optional to implement. strongSwan implements it, and there is no configuration involved. The @NAT_DETECTION_SOURCE/DESTINATION_IP@ NAT_DETECTION_SOURCE/DESTINATION_IP notifications included in the @IKE_SA_INIT@ IKE_SA_INIT exchange indicate indicates the peers NAT-T capability and if a NAT situation is detected, UDP encapsulation is activated for IPsec.
strongSwan starts sending keep-alive packets if it is behind a NAT router to keep the mappings on the NAT device intact.
h2. IKEv1
Before [[5.0.0]], NAT discovery and traversal had to must be enabled by setting _nat_traversal=yes_ *nat_traversal=yes* in the [[ConfigSetupSection|config setup]] section of [[IpsecConf|ipsec.conf]]. Otherwise strongSwan 4.x's strongSwan's IKEv1 pluto daemon would will not accept incoming IKE packets with a UDP source port different from 500. Since [[5.0.0]] IKEv1 traffic is handled by the charon daemon which supports NAT traversal according to "RFC 3947":http://tools.ietf.org/html/rfc3947 without enabling it explicitly.
h2. IKEv2
The IKEv2 protocol includes NAT traversal in the core standard, but it's optional to implement. strongSwan implements it, and there is no configuration involved. The @NAT_DETECTION_SOURCE/DESTINATION_IP@ NAT_DETECTION_SOURCE/DESTINATION_IP notifications included in the @IKE_SA_INIT@ IKE_SA_INIT exchange indicate indicates the peers NAT-T capability and if a NAT situation is detected, UDP encapsulation is activated for IPsec.
strongSwan starts sending keep-alive packets if it is behind a NAT router to keep the mappings on the NAT device intact.