[Swan] NAT-Traversal with IPsec transport mode
Paul Wouters
paul at nohats.ca
Thu Sep 9 14:58:09 UTC 2021
On Thu, 9 Sep 2021, Ahmed Sameh wrote:
> Can anyone share an example of NAT-Traversal with IPsec transport mode ?
Your quality of life will improve a lot if you avoid ever using
Transport Mode with NAT. Everyone has moved away from it. Only use
transport mode if you are not affected by NAT.
> I have the following configuration working for normal traffic but not the NATed one.
>
> conn private-or-clear
> auto=ondemand
> type=transport
> authby=rsasig
> failureshunt=passthrough
> negotiationshunt=passthrough
> ikev2=insist
> left=%defaultroute
> leftcert={{ cert_name_pattern }}
> leftid=%fromcert
> leftrsasigkey=%cert
> rightrsasigkey=%cert
> rightid=%fromcert
> right=%opportunisticgroup
Opportunistic Encryption does not support transport mode plus NAT.
It only supports NAT for the initiator, not for the responder.
It might be worth explaining what you are trying to do so we can discuss
different solutions to your problem.
Paul
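As an added illustration (not part of this thread or of Libreswan's own tooling), the following script lints an ipsec.conf fragment for the combination Paul warns about: a conn with `type=transport` whose peer is an Opportunistic Encryption group, or more generally a transport-mode conn that may sit behind NAT. The sample input is the conn from the question, reconstructed with the quote markers removed; the `{{ cert_name_pattern }}` placeholder is kept as it appears there. The parser assumes the usual ipsec.conf layout (`conn <name>` followed by indented `key=value` lines), and it treats a missing `type=` as the Libreswan default, `tunnel`.

```python
"""Lint a Libreswan ipsec.conf fragment for transport mode combined with
settings that make NAT traversal unreliable.

Added example for this thread; it is not Libreswan code.
"""

import re
from typing import Dict, List

# Constructed sample: the conn from the question, quote markers removed.
SAMPLE_CONF = """\
conn private-or-clear
    auto=ondemand
    type=transport
    authby=rsasig
    failureshunt=passthrough
    negotiationshunt=passthrough
    ikev2=insist
    left=%defaultroute
    leftcert={{ cert_name_pattern }}
    leftid=%fromcert
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    rightid=%fromcert
    right=%opportunisticgroup
"""


def parse_conns(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section in text.

    'config setup' sections are skipped; keys are lower-cased; '#' starts a
    comment. Values are kept verbatim, so Jinja-style placeholders survive.
    """
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^(conn|config)\s+(\S+)\s*$", line)
        if m:
            current = None
            if m.group(1) == "conn":
                current = {}
                conns[m.group(2)] = current
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip().lower()] = value.strip()
    return conns


def lint_transport_nat(conns: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag conns whose transport mode will not work across NAT.

    - type=transport with right=%opportunistic*: OE does not support
      transport mode plus NAT (NAT is only handled for the initiator).
    - any other type=transport conn: NAT-T with transport mode is fragile;
      tunnel mode is the safe choice when either peer may be behind NAT.
    """
    findings: List[str] = []
    for name, opts in conns.items():
        # Libreswan defaults to tunnel mode when type= is absent.
        if opts.get("type", "tunnel").lower() != "transport":
            continue
        right = opts.get("right", "")
        if right.startswith("%opportunistic"):
            findings.append(
                f"{name}: type=transport with right={right}: Opportunistic "
                "Encryption does not support transport mode behind NAT "
                "(NAT is only supported for the initiator, not the responder)"
            )
        else:
            findings.append(
                f"{name}: type=transport: NAT traversal with transport mode "
                "is unreliable; use type=tunnel if either peer is behind NAT"
            )
    return findings


if __name__ == "__main__":
    for finding in lint_transport_nat(parse_conns(SAMPLE_CONF)):
        print("WARNING:", finding)
```

Running it against the sample prints one warning for `private-or-clear`; a conn with `type=tunnel` (or no `type=` at all) produces none, which is the shape Paul's advice points at.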