[Swan] obsolete "nat_traversal" and "forceencaps"?

Paul Wouters paul at nohats.ca
Mon Aug 28 21:46:17 UTC 2017


On Mon, 28 Aug 2017, Whit Blauvelt wrote:

> https://libreswan.org/wiki/Interoperability
>
> Not working yet. I get these notices in syslog:
>
> Aug 28 ... ipsec_starter[2678]: Warning: ignored obsolete keyword 'nat_traversal'
> Aug 28 ... ipsec_starter[2678]: Warning: obsolete keyword 'forceencaps' ignored
>
> That page says "last modified on 12 April 2017," but apparently the advice
> on using those two keywords has expired. This is with libreswan-3.21.
>
> If I spend the time digging around no doubt I can discover why those
> keywords have been thrown on the trash pile, and what to do to get to the
> same functionality. But it seems odd to have a term as useful and basic as
> "nat_traversal" gone missing, and nothing obvious on the wiki discussing
> this brave new world without it.
>
> Can someone point me in the right direction?

NAT Traversal was an IKEv1 addon. In IKEv2 it is part of the core
specification. Therefore, libreswan no longer runs with nat_traversal=no
and always enables it. The keyword is fully ignored.

forceencaps=yes|no has been replaced with encapsulation=auto|yes|no and
their functionality is slightly different. You should manually upgrade
your setting. If you had forceencaps=yes, you will probably want
encapsulation=yes, otherwise encapsulation=no. Note that
encapsulation=no will cause no encapsulation even if NAT-T detection
showed it should be used.

I have updated the wiki page. Thanks for letting us know.

Paul
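
An added example, not part of the original message or of libreswan: a small audit of an ipsec.conf for the two obsolete keywords discussed above, plus encapsulation=no, which the reply warns about. The sample configuration and the names audit and advice_for are constructed for illustration; the advice strings paraphrase the reply.

```python
import re

# Constructed sample ipsec.conf, not taken from the thread.
SAMPLE_CONF = """\
config setup
    nat_traversal=yes
    # forceencaps=yes   <- commented out, must not be reported

conn office
    forceencaps=yes

conn branch
    forceencaps=no
    encapsulation=no
"""

SECTION = re.compile(r"^(config\s+setup|conn\s+\S+)")
KEYVAL = re.compile(r"^\s+([A-Za-z0-9_-]+)\s*=\s*(\S+)")


def advice_for(key, val):
    """Map a keyword/value pair to migration advice (None if nothing to do)."""
    if key == "nat_traversal":
        return "remove: keyword is ignored, NAT traversal is always enabled"
    if key == "forceencaps":
        return ("replace with encapsulation=yes" if val == "yes"
                else "replace with encapsulation=auto|yes|no after review")
    if (key, val) == ("encapsulation", "no"):
        return "review: no encapsulation even if NAT-T detection asks for it"


def audit(conf_text):
    """Return (line_no, section, keyword, value, advice) per finding."""
    findings, section = [], None
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        sec = SECTION.match(line)
        if sec:
            section = " ".join(sec.group(1).split())
            continue
        kv = KEYVAL.match(line)
        if kv:
            key, val = kv.group(1).lower(), kv.group(2).lower()
            advice = advice_for(key, val)
            if advice:
                findings.append((no, section, key, val, advice))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("line %d [%s] %s=%s -> %s" % finding)
```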

