Bug 959568 - Allow disabling of NAT-T keepalive packets
Summary: Allow disabling of NAT-T keepalive packets
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openswan
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Paul Wouters
QA Contact: Aleš Mareček
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-05-03 19:56 UTC by Paul Wouters
Modified: 2013-11-21 23:45 UTC (History)
CC: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 23:45:17 UTC
Target Upstream Version:


Links
System ID: Red Hat Product Errata RHBA-2013:1718
Priority: normal
Status: SHIPPED_LIVE
Summary: openswan bug fix and enhancement update
Last Updated: 2013-11-20 21:51:39 UTC

Description Paul Wouters 2013-05-03 19:56:48 UTC
Description of problem:
Customer request to allow disabling NAT-T keepalive packet sending. This used to be a global option. This patch turns this into a per-conn option. The default is to send NAT-T keepalives.

This is a backport from libreswan

Comment 4 Paul Wouters 2013-07-18 04:25:12 UTC
QA: to test, add plutodebug=natt to ipsec.conf's "config setup"

Set up an ipsec tunnel. This should either be from a client behind NAT, or the client should fake NAT using forceencaps=yes.

For the connection, add nat_keepalive=no

ipsec auto --status will show "nat_keepalive: no"

Bring the connection up. It will log:

"Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)"

With the option set to "yes", it will log:

"Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)"

Without the option, it will log:

"Sending of NAT-T KEEP-ALIVE forced by global configuration (force_keepalive=yes)"

When either keepalive option is enabled, the logs should show at regular 20 second intervals:

"sending NAT-T Keep Alive"

The logs also show:

| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds

| next event EVENT_NAT_T_KEEPALIVE in 20 seconds

When nat_keepalive=no, obviously those log entries should not be happening.
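
The QA procedure above checks the pluto log by eye. The following Python script is an added example, not part of the bug report and not openswan code, that automates the same check over captured log lines: it reads which keepalive mode the connection announced, then verifies that "sending NAT-T Keep Alive" lines appear at roughly 20 second intervals when keepalives are enabled and do not appear at all when nat_keepalive=no. The message bodies are the ones quoted in the comment; the syslog-style line prefix (timestamp, host, pluto[pid]) and the sample logs are constructed for illustration.

```python
"""Verify NAT-T keepalive behaviour in openswan pluto log output.

Added example for the QA steps in comment 4; not part of openswan.
The log message bodies are quoted from the comment; the syslog-style
prefix and the sample timings below are constructed assumptions.
"""
import re
from datetime import datetime

# Configuration messages quoted in comment 4 -> (source, keepalives enabled)
MODE_MESSAGES = {
    "Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)": ("per-conn", False),
    "Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)": ("per-conn", True),
    "Sending of NAT-T KEEP-ALIVE forced by global configuration (force_keepalive=yes)": ("global", True),
}
KEEPALIVE_SENT = "sending NAT-T Keep Alive"
KEEPALIVE_EVENT = "EVENT_NAT_T_KEEPALIVE"
EXPECTED_INTERVAL = 20  # seconds, as stated in comment 4

# Assumed prefix: "Mon DD HH:MM:SS host pluto[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ pluto\[\d+\]: (?P<msg>.*)$")


def parse(lines):
    """Yield (timestamp, message) for each line matching the assumed prefix."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("msg")


def keepalive_mode(lines):
    """Return (source, enabled) from the first configuration message, or None."""
    for _, msg in parse(lines):
        if msg in MODE_MESSAGES:
            return MODE_MESSAGES[msg]
    return None


def keepalive_times(lines):
    """Timestamps of every 'sending NAT-T Keep Alive' line."""
    return [ts for ts, msg in parse(lines) if msg == KEEPALIVE_SENT]


def check_log(lines, tolerance=2):
    """Return (ok, reason). Keepalives must appear at ~20 s when enabled, never when disabled."""
    mode = keepalive_mode(lines)
    if mode is None:
        return False, "no NAT-T KEEP-ALIVE configuration message (is plutodebug=natt set?)"
    _, enabled = mode
    times = keepalive_times(lines)
    events = [msg for _, msg in parse(lines) if KEEPALIVE_EVENT in msg]
    if not enabled:
        if times or events:
            return False, "keepalive sent or EVENT_NAT_T_KEEPALIVE scheduled despite nat_keepalive=no"
        return True, "keepalives suppressed as configured"
    if len(times) < 2:
        return False, "fewer than two keepalives seen; cannot confirm the interval"
    for earlier, later in zip(times, times[1:]):
        gap = (later - earlier).total_seconds()
        if abs(gap - EXPECTED_INTERVAL) > tolerance:
            return False, f"keepalive gap of {gap:.0f}s, expected ~{EXPECTED_INTERVAL}s"
    return True, f"{len(times)} keepalives at ~{EXPECTED_INTERVAL}s intervals"


# Constructed sample logs (timestamps and host are made up, messages are from comment 4).
LOG_ENABLED = """\
May 03 19:56:48 gw pluto[1234]: Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)
May 03 19:56:48 gw pluto[1234]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
May 03 19:57:08 gw pluto[1234]: sending NAT-T Keep Alive
May 03 19:57:08 gw pluto[1234]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
May 03 19:57:28 gw pluto[1234]: sending NAT-T Keep Alive
May 03 19:57:48 gw pluto[1234]: sending NAT-T Keep Alive
""".splitlines()

LOG_DISABLED = """\
May 03 20:01:10 gw pluto[1234]: Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)
""".splitlines()

# Disabled per-conn, yet a keepalive still went out: the regression the QA step is meant to catch.
LOG_REGRESSION = LOG_DISABLED + [
    "May 03 20:01:30 gw pluto[1234]: sending NAT-T Keep Alive",
]

if __name__ == "__main__":
    for name, log in (("enabled", LOG_ENABLED), ("disabled", LOG_DISABLED), ("regression", LOG_REGRESSION)):
        print(name, check_log(log))
```

Feed it the pluto lines from /var/log/secure (or wherever syslog places them on the test host) with plutodebug=natt active; the regex prefix may need adjusting to the local syslog format, which is why it is called out as an assumption.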

Comment 9 errata-xmlrpc 2013-11-21 23:45:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1718.html