Description of problem:
Customer request to allow disabling NAT-T keepalive packet sending. This used to be a global option. This patch turns this into a per-conn option. The default is to send NAT-T keepalives.
This is a backport from libreswan.
QA: to test, add plutodebug=natt to ipsec.conf's "config setup"
Set up an ipsec tunnel. This should either be from a client behind NAT, or the client should fake NAT using forceencaps=yes.
For the connection, add nat_keepalive=no
ipsec auto --status will show "nat_keepalive: no"
Bring the connection up. It will log:
"Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)"
With the option set to "yes", it will log:
"Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)"
Without the option, it will log:
"Sending of NAT-T KEEP-ALIVE forced by global configuration (force_keepalive=yes)"
When either keepalive option is enabled, the logs should show at regular 20-second intervals:
"sending NAT-T Keep Alive"
The logs also show:
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds
When nat_keepalive=no, obviously those log entries should not be happening.
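The QA steps above amount to reading pluto's log by eye and counting seconds between "sending NAT-T Keep Alive" lines. The script below is an added example, not code from the bug report or from Openswan/libreswan: it parses pluto syslog output, works out which of the three configuration messages quoted above was logged, and then checks that keepalives are either absent (nat_keepalive=no) or spaced about 20 seconds apart (nat_keepalive=yes or the global force_keepalive=yes). The syslog line layout ("Mon DD HH:MM:SS host pluto[pid]: message"), the two-second tolerance, and all sample log lines are assumptions constructed for the example, not captured from a real system.

```python
import re
from datetime import datetime

# Log strings quoted in the bug report above.
MSG_PER_CONN_NO = "Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)"
MSG_PER_CONN_YES = "Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)"
MSG_GLOBAL = "Sending of NAT-T KEEP-ALIVE forced by global configuration (force_keepalive=yes)"
MSG_SEND = "sending NAT-T Keep Alive"
MSG_EVENT = "EVENT_NAT_T_KEEPALIVE"

EXPECTED_INTERVAL = 20  # seconds, per the bug report
TOLERANCE = 2           # seconds of scheduler jitter to accept (assumption)

# Assumed syslog layout: "Mon DD HH:MM:SS host pluto[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: (?P<msg>.*)$"
)


def parse_pluto_log(lines, year=2013):
    """Return a list of (datetime, message) for lines that look like pluto syslog output."""
    entries = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a pluto line; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append((ts, m["msg"]))
    return entries


def keepalive_mode(entries):
    """Which configuration message pluto logged: 'per-conn-no', 'per-conn-yes', 'global' or None."""
    for _, msg in entries:
        if MSG_PER_CONN_NO in msg:
            return "per-conn-no"
        if MSG_PER_CONN_YES in msg:
            return "per-conn-yes"
        if MSG_GLOBAL in msg:
            return "global"
    return None


def check_keepalives(lines):
    """Verify that keepalive behaviour matches the logged configuration.

    Returns the detected mode, the number of keepalives sent, the number of
    EVENT_NAT_T_KEEPALIVE timer lines, the intervals between sends (seconds)
    and an 'ok' verdict.
    """
    entries = parse_pluto_log(lines)
    mode = keepalive_mode(entries)
    sends = [ts for ts, msg in entries if MSG_SEND in msg]
    events = sum(1 for _, msg in entries if MSG_EVENT in msg)
    intervals = [int((b - a).total_seconds()) for a, b in zip(sends, sends[1:])]

    if mode == "per-conn-no":
        # Suppressed: neither the send message nor the timer event may appear.
        ok = not sends and events == 0
    elif mode in ("per-conn-yes", "global"):
        # Enabled: at least two sends, every gap close to EXPECTED_INTERVAL.
        ok = len(sends) >= 2 and all(
            abs(i - EXPECTED_INTERVAL) <= TOLERANCE for i in intervals
        )
    else:
        ok = False  # no configuration message at all: nothing to judge against
    return {"mode": mode, "sends": len(sends), "events": events,
            "intervals": intervals, "ok": ok}


# Constructed sample logs (not captured from a real system).
def _line(ts, msg):
    return f"{ts} gw pluto[2345]: {msg}"


LOG_ENABLED = [
    _line("Oct 13 10:00:00", MSG_PER_CONN_YES),
    _line("Oct 13 10:00:00", "| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds"),
    _line("Oct 13 10:00:20", MSG_SEND),
    _line("Oct 13 10:00:20", "| next event EVENT_NAT_T_KEEPALIVE in 20 seconds"),
    _line("Oct 13 10:00:40", MSG_SEND),
    _line("Oct 13 10:01:00", MSG_SEND),
]

LOG_SUPPRESSED = [
    _line("Oct 13 10:00:00", MSG_PER_CONN_NO),
    _line("Oct 13 10:00:05", "STATE_QUICK_I2: sent QI2, IPsec SA established"),
]

# Regression case: nat_keepalive=no was logged, yet a keepalive still went out.
LOG_BROKEN = [
    _line("Oct 13 10:00:00", MSG_PER_CONN_NO),
    _line("Oct 13 10:00:20", MSG_SEND),
]

if __name__ == "__main__":
    for name, log in (("enabled", LOG_ENABLED), ("suppressed", LOG_SUPPRESSED), ("broken", LOG_BROKEN)):
        print(name, check_keepalives(log))
```

On a real host, feed it the pluto lines from the secure log (for example the output of grep for "pluto" on /var/log/secure) instead of the constructed lists; the verdict for a nat_keepalive=no connection should be ok only if no keepalive or EVENT_NAT_T_KEEPALIVE line appears at all after the suppression message.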
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.