For NAT-T, along with my changes (NAT-T v02 and v03), Shrew's qikea now offers one pull-down menu: {disable | enable | force-draft | force-natv02 | force-natv03 | force-rfc | force-cisco-udp }. I do not know whether the Shrew code owner would want to rename force-nat{v02 | v03} (my work) to force-{v02 | v03}, since this pull-down menu is specific to the 'NAT Traversal' configuration.

If the intent is to make the end-user's task ever more complex by constantly adding new options to IPsec configurations, perhaps it is time to design a GUI tool whose purpose is analogous to Shrew's qikea with respect to Shrew's site entries (located in ~/.ike/sites/*), to assist the end-user in correctly configuring pluto. This would make Libreswan more user-friendly, which it is becoming less and less with each release.

Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:vout...@sip.linphone.org

On 02/22/2014 10:46 PM, Paul Wouters wrote:
> On Sat, 22 Feb 2014, Philippe Vouters wrote:
>
>> For the NAT-T payload, it happened, only in RSA mode, that with Cisco IOS Version 12.4(25d) the Cisco IOS router accepted NAT-T v03 but, to correctly set up the tunnel, one has to force NAT-T v02. Still in RSA mode, with Cisco IOS Version 1.4(4)M4, Cisco IOS accepted NAT-T RFC but, to correctly set up the tunnel, one has to force NAT-T v03 or NAT-T v02.
>>
>> In PSK mode, this NAT-T issue was completely transparent, whichever Cisco IOS version was running.
>
> Interesting.
>
>> So my proposal to the Libreswan developers is that, instead of a simple nat_traversal={yes|no}, the choice for NAT-T be broadened, mimicking what Shrew offers the end-user as far as applicable.
>
> That is a global issue, so we cannot extend that one. The option to
> cripple the NAT-T negotiation needs to be a per-connection option.
>
> I would say something like natt=rfc|v2|v3 ?
>
> I'm not sure if we do anything different for draft 02 versus draft 03.
>
>
> Paul


_______________________________________________
Swan-dev mailing list
Swan-dev@lists.libreswan.org
https://lists.libreswan.org/mailman/listinfo/swan-dev
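The thread talks about "forcing" NAT-T v02, v03 or RFC without spelling out what a peer actually sees on the wire. In IKEv1, each NAT-T flavour is announced with a Vendor ID payload whose data is the MD5 of a well-known string (RFC 3947 section 3.1 for the RFC flavour; the drafts hashed their own names), and the chosen flavour then decides which NAT-D/NAT-OA payload numbers are used (20/21 for RFC 3947, private-use 130/131 for the drafts). The following Python is an added example, not Libreswan, Shrew or Cisco code: it models an initiator whose advertised Vendor IDs follow a per-connection setting named after Paul's proposed natt=rfc|v2|v3 syntax (with yes/no kept for today's behaviour), and shows how forcing a single flavour changes what gets negotiated against a peer that accepts several. The setting name, the table and function names, and the constructed peer are assumptions made for this example; natt= is a proposal in the thread, not an implemented Libreswan option.

```python
"""Added example (not Libreswan or Shrew code): how an IKEv1 initiator's
advertised NAT-T support changes with a per-connection natt= setting.

IKEv1 NAT-T support is signalled with Vendor ID payloads whose value is the
MD5 of a well-known string (RFC 3947 section 3.1). The mode names follow the
natt=rfc|v2|v3 syntax proposed in the thread, with 'yes'/'no' kept for the
existing behaviour; the function and table names are assumptions made here.
"""
import hashlib

# Vendor ID source strings per NAT-T flavour. draft-02 circulated with and
# without a trailing newline in the hashed string, so both variants are kept.
VID_STRINGS = {
    "rfc": ["RFC 3947"],
    "v3": ["draft-ietf-ipsec-nat-t-ike-03"],
    "v2": ["draft-ietf-ipsec-nat-t-ike-02", "draft-ietf-ipsec-nat-t-ike-02\n"],
}

# Payload type numbers for NAT-D / NAT-OA: RFC 3947 assigned 20 / 21,
# the drafts used the private-use numbers 130 / 131.
NATD_PAYLOAD_TYPE = {"rfc": 20, "v3": 130, "v2": 130}
NATOA_PAYLOAD_TYPE = {"rfc": 21, "v3": 131, "v2": 131}

# Preference order when everything is allowed: newest flavour first.
ALL_FLAVOURS = ["rfc", "v3", "v2"]


def vendor_id(text):
    """Vendor ID payload data for a NAT-T flavour string (16-byte MD5)."""
    return hashlib.md5(text.encode("ascii")).digest()


def allowed_flavours(natt):
    """Map a natt= value to the flavours we are willing to negotiate."""
    if natt == "no":
        return []
    if natt == "yes":
        return list(ALL_FLAVOURS)
    if natt in VID_STRINGS:
        return [natt]          # forced: offer exactly one flavour
    raise ValueError("unknown natt setting: %r" % (natt,))


def advertised_vendor_ids(natt):
    """(flavour, vid_hex) pairs the initiator puts in its first message."""
    return [(f, vendor_id(s).hex())
            for f in allowed_flavours(natt) for s in VID_STRINGS[f]]


def select_flavour(natt, peer_vid_hexes):
    """Choose the NAT-T flavour for this exchange: the first of our allowed
    flavours whose Vendor ID the peer also sent, or None for no NAT-T.
    Forcing a flavour the peer did not advertise therefore yields None
    rather than silently falling back to another draft."""
    peer = set(peer_vid_hexes)
    for flavour, vid_hex in advertised_vendor_ids(natt):
        if vid_hex in peer:
            return flavour
    return None


def natd_payload_types(flavour):
    """(NAT-D, NAT-OA) payload numbers to use once a flavour is chosen."""
    return NATD_PAYLOAD_TYPE[flavour], NATOA_PAYLOAD_TYPE[flavour]


def demo():
    # Constructed peer: a router that advertises RFC, draft-03 and draft-02
    # support, like the IOS versions discussed in the thread (assumed data).
    peer = [h for _, h in advertised_vendor_ids("yes")]
    return {
        "yes": select_flavour("yes", peer),   # picks rfc (newest common)
        "v3": select_flavour("v3", peer),     # forced draft-03
        "v2": select_flavour("v2", peer),     # forced draft-02
        "no": select_flavour("no", peer),     # NAT-T disabled
        "rfc-only-peer": select_flavour(
            "v2", [vendor_id("RFC 3947").hex()]),  # forced v2, peer lacks it
    }


if __name__ == "__main__":
    for setting, chosen in demo().items():
        print("%-14s -> %s" % (setting, chosen))
```

The last case in demo() is the practical caveat of a "force" option: once the connection is pinned to draft-02 and the peer only announces RFC 3947, the two sides share no Vendor ID and NAT-T is simply not negotiated, so the tunnel fails in a different way than the Cisco interoperability problem the option was meant to work around. Any per-connection natt= setting should log that outcome clearly.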
