[Swan-dev] Did Libreswan address these two issues with a Cisco IOS peer ??????
Philippe Vouters
philippe.vouters at laposte.net
Sun Feb 23 22:39:44 EET 2014
For NAT-T along with my changes (NAT-T v02 and v03), Shrew's qikea now
proposes in one pull-down menu: {disable | enable | force-draft |
force-natv02 | force-natv03 | force-rfc | force-cisco-udp }. I do not
know whether the Shrew code owner wouldn't like to rename force-nat{v02
| v03} (my work) to force-{v02 | v03} as this pull-down menu is specific
to a 'Nat Traversal' configuration.
If there is an intent to render the end-user task even more complex by
always adding new options to ipsec configurations, perhaps it would be
time to design a GUI tool with a purpose analogous to Shrew's qikea in
respect to Shrew's site entries (located in ~/.ike/sites/*) to assist
the end-user in correctly configuring pluto. This would make Libreswan
more user-friendly, which it is becoming less and less with each release.
Philippe Vouters (Fontainebleau/France)
URL: http://vouters.dyndns.org/
SIP: sip:Vouters at sip.linphone.org
On 02/22/2014 10:46 PM, Paul Wouters wrote:
> On Sat, 22 Feb 2014, Philippe Vouters wrote:
>
>> For the NAT-T payload, it happened, only in RSA mode, that with Cisco
>> IOS Version 12.4(25d), the Cisco IOS router accepted NAT-T v03 but,
>> to correctly set up the tunnel, one has to force NAT-T v02. Still in
>> RSA mode and with Cisco IOS Version 1.4(4)M4, Cisco IOS accepted
>> NAT-T RFC but, to correctly set up the tunnel, one has to force NAT-T
>> v03 or NAT-T v02.
>>
>> In PSK mode, this NAT-T issue was completely transparent whichever
>> the Cisco IOS running version.
>
> Interesting.
>
>> So my proposal to Libreswan developers is that instead of a simple
>> nat_traversal={yes|no}, the choice for NAT-T be broadened, mimicking
>> what Shrew proposes to the end-user as far as applicable.
>
> That is a global issue, so we cannot extend that one. The option to
> cripple the NAT-T negotiation needs to be a per-connection option.
>
> I would say something like natt=rfc|v2|v3 ?
>
> I'm not sure if we do anything different for draft 02 versus draft 03.
>
>
> Paul
>
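As an added illustration, not Libreswan or Shrew code, of what a per-connection natt=rfc|v2|v3 setting changes in the IKEv1 NAT-T Vendor ID exchange: each side announces the variants it supports, and the connection uses the most preferred variant both sides announced. The Vendor ID values are the MD5 digest of the draft or RFC name and are computed here rather than typed in; the preference order, the "auto" keyword, the forced-setting semantics and the function names are assumptions, and the peer is a constructed model of the Cisco IOS case described in the thread.

```python
import hashlib

# IKEv1 NAT-T support is signalled with Vendor ID payloads whose value is the
# MD5 digest of the draft or RFC name (the draft-02 string is usually seen with
# a trailing newline). Computed here rather than hard-coded.
NATT_VIDS = {
    "rfc": hashlib.md5(b"RFC 3947").digest(),
    "v3": hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-03").digest(),
    "v2": hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest(),
}
# Assumed preference when nothing is forced: newest variant first.
PREFERENCE = ("rfc", "v3", "v2")


def announced_vids(natt="auto"):
    """Vendor IDs our side sends for a connection with the given natt= setting.
    'auto' announces every variant; 'rfc', 'v3' or 'v2' announces only that one,
    which is how a forced setting narrows the negotiation (assumed semantics)."""
    if natt == "auto":
        return [NATT_VIDS[name] for name in PREFERENCE]
    if natt not in NATT_VIDS:
        raise ValueError(f"unknown natt setting: {natt!r}")
    return [NATT_VIDS[natt]]


def select_natt(natt, peer_vids):
    """Pick the NAT-T variant for a connection: the most preferred variant that
    both we announced and the peer announced, or None when there is no overlap
    (NAT-T is then simply not used)."""
    common = set(announced_vids(natt)) & set(peer_vids)
    for name in PREFERENCE:
        if NATT_VIDS[name] in common:
            return name
    return None


# Constructed peer modelled on the thread's first Cisco IOS case: it announces
# draft-03 and draft-02 but not RFC 3947, plus an unrelated vendor ID.
CISCO_LIKE_PEER = [
    NATT_VIDS["v3"],
    NATT_VIDS["v2"],
    hashlib.md5(b"constructed unrelated vendor id").digest(),
]

if __name__ == "__main__":
    print(select_natt("auto", CISCO_LIKE_PEER))  # v3: default takes the newer draft
    print(select_natt("v2", CISCO_LIKE_PEER))    # v2: the per-connection override
    print(select_natt("rfc", CISCO_LIKE_PEER))   # None: peer never offered RFC 3947
```

With natt=auto the peer's draft-03 announcement wins, which is the situation where the tunnel came up only after forcing draft-02; the per-connection override is what lets one connection deviate without touching the global NAT-T setting.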