Comments (5)
I still think this is a potentially useful feature but you're welcome to close this at your discretion. We've managed to get the remote side to permit NAT-T.
To be honest, I'd rather add an option to disable NAT-T completely.
consider a use-case where our "server" also sits behind NAT and we'd like to use NAT-T if the remote client is behind NAT, but avoid NAT-T if not (ie, udp 500+4500 as well as all ESP is forwarded from the public address to the masqueraded server in a 1:1 manner).
I do agree that being able to completely disable NAT-D (and by implication avoid NAT-T) could be useful and desirable too.
I was not thinking about a global option but rather something like encap = never. So you could configure that just for a specific connection/client.
But yes, some mode for 1:1 NATs as responder could be interesting. Although, it would be a bit more effort than just using a specific IP for NAT_DETECTION_SOURCE_IP. We'd have to avoid detecting a NAT ourselves, so we'd have to match the NAT_DETECTION_DESTINATION_IP value sent by the client against potentially multiple values and then use the determined IP when generating the response. There could also be some changes in regards to MOBIKE.
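The matching step the comment above describes, as an added example that is not strongSwan code: it computes the NAT_DETECTION hashes of RFC 7296 section 2.23 (SHA-1 over SPIi, SPIr, address and port) and checks the client's NAT_DETECTION_DESTINATION_IP against several candidate local addresses before building the responder's own payload over the address that matched. All SPIs and addresses are constructed sample values.

```python
import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, addr: str, port: int) -> bytes:
    """NAT_DETECTION_*_IP payload data: SHA-1(SPIi | SPIr | IP | Port), RFC 7296 2.23.
    In the IKE_SA_INIT request SPIr is still zero because the responder has not
    allocated it yet, so the initiator hashes eight zero bytes there."""
    packed_ip = ipaddress.ip_address(addr).packed  # 4 bytes (v4) or 16 bytes (v6)
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def match_destination(spi_i, spi_r, received, candidates, port=500):
    """Responder side: find which of several candidate local addresses the client's
    NAT_DETECTION_DESTINATION_IP hash covers. None means no candidate matched, i.e.
    a NAT in the path rewrote the destination and the responder must assume NAT."""
    for addr in candidates:
        if nat_detection_hash(spi_i, spi_r, addr, port) == received:
            return addr
    return None


def responder_decision(spi_i, spi_r_alloc, received, candidates, port=500):
    """Return (nat_detected, our_source_payload). When a candidate matches, the
    response's NAT_DETECTION_SOURCE_IP is built over that determined address (with
    the now-allocated SPIr), not over the masqueraded interface address."""
    matched = match_destination(spi_i, bytes(8), received, candidates, port)
    if matched is None:
        return True, None
    return False, nat_detection_hash(spi_i, spi_r_alloc, matched, port)


# Constructed sample values (not from the issue): a responder whose interface holds
# PRIVATE_IP while a 1:1 NAT presents PUBLIC_IP to clients on the internet.
SPI_I = bytes.fromhex("0123456789abcdef")
SPI_R = bytes.fromhex("fedcba9876543210")
PUBLIC_IP = "203.0.113.10"
PRIVATE_IP = "10.0.0.5"
CANDIDATES = [PRIVATE_IP, PUBLIC_IP]

if __name__ == "__main__":
    # The client sent to PUBLIC_IP:500, so its hash covers that address.
    client_dst = nat_detection_hash(SPI_I, bytes(8), PUBLIC_IP, 500)
    print(responder_decision(SPI_I, SPI_R, client_dst, CANDIDATES))  # (False, <20-byte digest>)
    # A packet rewritten by a NAT we do not know about hashed some other address.
    other = nat_detection_hash(SPI_I, bytes(8), "198.51.100.7", 500)
    print(responder_decision(SPI_I, SPI_R, other, CANDIDATES))  # (True, None)
```

Matching only against the single interface address (the default behaviour) would report a NAT in the 1:1 case and force UDP encapsulation, which is exactly the outcome the thread wants to avoid.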
Right. So as usual more complex than one thinks unless you really know what's going on.
encap = never (assuming it can be set on a per-peer basis) would solve my original use-case. Probably also the simpler implementation to do.
W.r.t. the 1:1 NATs, in the specific case I envisioned no traffic except LAN traffic - which in my world won't use IPSec - can reach the server without going through NAT, so an override for whatever the locally detected IP address is would be good enough, but as you rightly say ... that doesn't cover all scenarios.