[Swan-dev] Did Libreswan address these two issues with a Cisco IOS peer ??????

Paul Wouters paul at nohats.ca
Sat Feb 22 23:46:23 EET 2014


On Sat, 22 Feb 2014, Philippe Vouters wrote:

> For the NAT-T payload, it happened, only in RSA mode, that with Cisco IOS 
> Version 12.4(25d), the Cisco IOS router accepted NAT-T v03 but, to correctly 
> set up the tunnel, one has to force NAT-T v02. Still in RSA mode and with 
> Cisco IOS Version 1.4(4)M4, Cisco IOS accepted NAT-T RFC but, to correctly 
> set up the tunnel, one has to force NAT-T v03 or NAT-T v02.
>
> In PSK mode, this NAT-T issue was completely transparent, whichever Cisco 
> IOS version was running.

Interesting.

> So my proposal to Libreswan developers is that instead of a simple 
> nat_traversal={yes|no}, the choice for NAT-T is broadened, mimicking what Shrew 
> offers the end user, as far as applicable.

That is a global issue, so we cannot extend that one. The option to
cripple the NAT-T negotiation needs to be a per-connection option.

I would say something like natt=rfc|v2|v3 ?

I'm not sure if we do anything different for draft 02 versus draft 03.


Paul
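An added illustration of the per-connection option Paul sketches above; this is not Libreswan code, and the `natt=` keyword with values yes|no|rfc|v3|v2 is only the proposal from this thread, not an existing option. What the drafts and RFC 3947 do fix is that each NAT-T variant is announced by a Vendor ID payload equal to the MD5 digest of the draft or RFC name (draft-02 was seen in the wild both with and without a trailing newline), so the snippet derives those VIDs, works out which ones a connection would offer for a given `natt=` value, and picks the variant to run against what the peer announced. The peer VID sets below are constructed to mirror the interop cases in Philippe's report, where a router announces the newer variant but only sets up correctly when the older one is forced.

```python
import hashlib

# NAT-T Vendor ID payloads are MD5(name) per the drafts and RFC 3947.
# draft-02 exists in two variants, with and without a trailing newline.
NATT_VID_STRINGS = {
    "rfc": ["RFC 3947"],
    "v3":  ["draft-ietf-ipsec-nat-t-ike-03"],
    "v2":  ["draft-ietf-ipsec-nat-t-ike-02\n", "draft-ietf-ipsec-nat-t-ike-02"],
}


def natt_vid(name):
    """Vendor ID payload body for one NAT-T draft/RFC name."""
    return hashlib.md5(name.encode("ascii")).digest()


NATT_VIDS = {mode: [natt_vid(s) for s in names]
             for mode, names in NATT_VID_STRINGS.items()}

# Order tried when negotiation is left free (natt=yes): newest first.
PREFERENCE = ["rfc", "v3", "v2"]


def allowed_modes(natt):
    """NAT-T variants a connection may use for the hypothetical natt= value."""
    if natt == "no":
        return []
    if natt == "yes":
        return list(PREFERENCE)
    if natt in NATT_VIDS:
        return [natt]          # forced to one variant, e.g. natt=v2
    raise ValueError("unknown natt value: %r" % natt)


def vids_to_send(natt):
    """Vendor IDs we would put in our first IKE message for this connection."""
    return [vid for mode in allowed_modes(natt) for vid in NATT_VIDS[mode]]


def select_natt_mode(natt, peer_vids):
    """Variant actually used: first allowed mode the peer also announced, else None."""
    peer = set(peer_vids)
    for mode in allowed_modes(natt):
        if any(vid in peer for vid in NATT_VIDS[mode]):
            return mode
    return None


if __name__ == "__main__":
    # Constructed peer: announces RFC, draft-03 and draft-02 (as the Cisco
    # routers in the report did). Free negotiation picks RFC; forcing v2
    # on this one connection is what made the tunnel work.
    peer_all = [vid for mode in PREFERENCE for vid in NATT_VIDS[mode]]
    for natt in ("yes", "v3", "v2", "no"):
        print("natt=%-3s -> offer %d VIDs, run %s"
              % (natt, len(vids_to_send(natt)), select_natt_mode(natt, peer_all)))
```

Forcing a variant this way narrows what is offered on that connection only, which is the point of making it per-connection rather than a global nat_traversal switch: other peers keep negotiating the RFC variant.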

