Hi,
I am using strongSwan 5.2.2. I understand from the strongSwan documentation
that there is no explicit way to disable NAT-D/NAT-T when attempting an IKEv1
IPsec connection. I am assisting in a migration from racoon to strongSwan;
racoon supports the option to disable nat_traversal. My config below doesn't
work because the client detects NAT-T and starts using port 4500. I don't have a
virtual/listener open for port 4500 on my gateway/NAT device. Does anyone know what
my options are if I have only one virtual/listener on port 500 on my gateway?
Or is there a workaround that will effectively disable NAT-D/NAT-T for IKEv1?
client ------NAT device - server
10.10.0.2---------------------10.20.0.2
Client
--------
# ipsec.conf on the client (10.10.0.2); conn parameters must be indented
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1

conn nat-t
        type=tunnel
        ike=aes128-md5-modp1536   # P1: modp1536 = DH group 5
        esp=aes128-sha1           # P2
        left=%any
        leftcert=sunkariClientCert.pem
        leftid="C=CA, CN=sunkariClient"
        leftfirewall=yes
        right=10.20.0.2
        rightid="C=CA, CN=sunkariServer"
        auto=add
Server
--------
# ipsec.conf on the server (10.20.0.2); right is left at its default of %any
conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev1

conn nat-t
        type=tunnel
        ike=aes128-md5-modp1536   # P1: modp1536 = DH group 5
        esp=aes128-sha1           # P2
        left=10.20.0.2
        leftcert=sunkariServerCert.pem
        leftid="C=CA, CN=sunkariServer"
        leftfirewall=yes
        rightsubnet=0.0.0.0/0
        rightid="C=CA, CN=sunkariClient"
        auto=add
Regards,
Prashant
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
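Added example, not part of the original post and not strongSwan code: a small Python model of how an IKEv1 peer decides that a NAT is in the path, which is the decision that makes the client above move from UDP/500 to UDP/4500. Per RFC 3947 the peers first announce NAT-T support with a Vendor ID (the MD5 of the string "RFC 3947"), then each sends NAT-D payloads carrying HASH(CKY-I | CKY-R | IP | Port) for the address it believes it is talking to and for its own address. The receiver recomputes those hashes over the addresses actually on the packet; any mismatch means something rewrote an address or port in transit, and both sides float to port 4500. The cookies, the NAT's public address 192.0.2.1 and the rewritten source port are constructed sample values; MD5 is used because the posted proposal negotiates md5 as the IKE hash.

```python
"""Model of RFC 3947 NAT detection for IKEv1 (added example, constructed data)."""
import hashlib
import ipaddress
import struct

# Constructed sample values (not from the original post).
CKY_I = bytes.fromhex("0123456789abcdef")   # initiator cookie, 8 bytes
CKY_R = bytes.fromhex("fedcba9876543210")   # responder cookie, 8 bytes
CLIENT_PRIVATE = "10.10.0.2"                # client's own view of its address
SERVER = "10.20.0.2"
NAT_PUBLIC = "192.0.2.1"                    # assumed: address the NAT device rewrites the client to


def nat_t_vendor_id() -> bytes:
    """Vendor ID that advertises RFC 3947 NAT-T support: MD5("RFC 3947")."""
    return hashlib.md5(b"RFC 3947").digest()


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "md5") -> bytes:
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port), IP as raw 4/16 bytes, port 2 bytes BE."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    addr = ipaddress.ip_address(ip).packed
    return hashlib.new(hash_name, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port, hash_name="md5"):
    """NAT-D payloads as a sender emits them: first the hash of the remote (destination)
    address, then one hash per local (source) address."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port, hash_name),
        nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name),
    ]


def detect_nat(received, cky_i, cky_r, seen_src_ip, seen_src_port, seen_dst_ip, seen_dst_port,
               hash_name="md5"):
    """Receiver side: recompute the hashes over the addresses actually on the wire.

    Returns (peer_behind_nat, self_behind_nat).  The first received NAT-D is the
    sender's view of *our* address; the rest are the sender's view of its own."""
    our_hash = nat_d_hash(cky_i, cky_r, seen_dst_ip, seen_dst_port, hash_name)
    self_behind_nat = received[0] != our_hash
    their_hash = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port, hash_name)
    peer_behind_nat = their_hash not in received[1:]
    return peer_behind_nat, self_behind_nat


def scenario(client_src_ip_on_wire: str, client_src_port_on_wire: int):
    """Client builds NAT-D from its private view (10.10.0.2:500 -> 10.20.0.2:500);
    the server evaluates them against the source it actually sees."""
    payloads = build_nat_d_payloads(CKY_I, CKY_R, CLIENT_PRIVATE, 500, SERVER, 500)
    return detect_nat(payloads, CKY_I, CKY_R,
                      client_src_ip_on_wire, client_src_port_on_wire, SERVER, 500)


if __name__ == "__main__":
    print("NAT-T vendor ID:", nat_t_vendor_id().hex())
    print("direct, no NAT :", scenario(CLIENT_PRIVATE, 500))   # (False, False)
    print("behind NAT     :", scenario(NAT_PUBLIC, 500))       # (True, False) -> float to UDP/4500
    print("port-only NAPT :", scenario(CLIENT_PRIVATE, 61000)) # (True, False) -> also floats
```

The third case is the one that bites a setup with a single listener on port 500: even a NAT that preserves the address but rewrites the source port makes the hashes differ, so the peers float to UDP/4500 and the traffic no longer reaches a gateway that only forwards port 500.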