[Swan] NAT-Traversal with IPsec transport mode

Paul Wouters paul at nohats.ca
Thu Sep 9 14:58:09 UTC 2021

On Thu, 9 Sep 2021, Ahmed Sameh wrote:

> Can anyone share an example of NAT-Traversal with IPsec transport mode ?

Your quality of life with improve a lot if you avoid ever using
Transport Mode with NAT. Everyone has moved away from it. Only use
transport mode if you are not affected by NAT.

> I have the following configuration working for normal traffic but not the NATed one.
> conn private-or-clear
> auto=ondemand
> type=transport
> authby=rsasig
> failureshunt=passthrough
> negotiationshunt=passthrough
> ikev2=insist
> left=%defaultroute
> leftcert={{ cert_name_pattern }}
> leftid=%fromcert
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> rightid=%fromcert
> right=%opportunisticgroup

Opportunistic Encryption does not support transport mode plus NAT.

It only supports NAT for the initiator, not for the responder.

It might be worth explaining what you are trying to do so we can discuss
different solutions to your problem.


More information about the Swan mailing list