Red Hat Bugzilla – Bug 959568
Allow disabling of NAT-T keepalive packets
Last modified: 2013-11-21 18:45:17 EST
Description of problem: Customer request to allow disabling NAT-T keepalive packet sending. This used to be a global option. This patch turns it into a per-conn option. The default is to send NAT-T keepalives. This is a backport from libreswan.
QA: to test, add plutodebug=natt to ipsec.conf's "config setup". Set up an IPsec tunnel. This should either be from a client behind NAT, or the client should fake NAT using forceencaps=yes. For the connection, add nat_keepalive=no. "ipsec auto --status" will show "nat_keepalive: no".

Bring the connection up. It will log:
"Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)"

With the option set to "yes", it will log:
"Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)"

Without the option, it will log:
"Sending of NAT-T KEEP-ALIVE forced by global configuration (force_keepalive=yes)"

When either keepalive option is enabled, the logs should show at regular 20 second intervals:
"sending NAT-T Keep Alive"

The logs also show:
| inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
| next event EVENT_NAT_T_KEEPALIVE in 20 seconds

When nat_keepalive=no, obviously those log entries should not be happening.
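The QA steps above are a manual log inspection. As an added example (not part of this bug report and not code from openswan or libreswan), the following Python script automates that inspection over pluto log lines: it confirms the per-conn decision message for the configured nat_keepalive value, counts "sending NAT-T Keep Alive" and EVENT_NAT_T_KEEPALIVE entries, and checks the 20 second cadence. The sample log lines are constructed for this example; they assume a syslog-style prefix and the usual "conn" #n: state prefix on the decision message, and the 2 second tolerance on the cadence is an assumption, not something the bug states.

```python
import re
from datetime import datetime

# Exact message texts listed in the QA steps of this bug, keyed by the
# nat_keepalive setting they correspond to ("global" = option absent).
DECISION_MSGS = {
    "no": "Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)",
    "yes": "Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)",
    "global": "Sending of NAT-T KEEP-ALIVE forced by global configuration (force_keepalive=yes)",
}
KEEPALIVE_SENT = "sending NAT-T Keep Alive"
KEEPALIVE_EVENT = "EVENT_NAT_T_KEEPALIVE"

# Assumed syslog-style line shape: "Nov 20 10:00:00 host pluto[pid]: message"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: (?P<msg>.*)$")


def parse(log_text, year=2013):
    """Return [(timestamp, message)] for every pluto line; other lines are skipped."""
    rows = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            rows.append((ts, m["msg"]))
    return rows


def audit(log_text, conn, setting, interval=20, tolerance=2):
    """Check a single tunnel's log against the expected nat_keepalive behaviour.

    setting is "no", "yes" or "global". The log must cover only one tunnel,
    because the keep-alive debug lines carry no connection name.
    """
    rows = parse(log_text)
    decision = DECISION_MSGS[setting]
    decision_seen = any(msg.startswith(f'"{conn}"') and decision in msg for _, msg in rows)
    sent = [ts for ts, msg in rows if KEEPALIVE_SENT in msg]
    events = sum(1 for _, msg in rows if KEEPALIVE_EVENT in msg)
    gaps = [int((b - a).total_seconds()) for a, b in zip(sent, sent[1:])]
    cadence_ok = all(abs(g - interval) <= tolerance for g in gaps)
    if setting == "no":
        # Disabled: the suppression message must appear and nothing may be sent or scheduled.
        ok = decision_seen and not sent and events == 0
    else:
        # Enabled: need at least two sends to judge the cadence at all.
        ok = decision_seen and len(sent) >= 2 and cadence_ok
    return {"decision_seen": decision_seen, "keepalives_sent": len(sent),
            "keepalive_events": events, "gaps": gaps, "ok": ok}


# Constructed sample logs (not captured from a real system).
LOG_DISABLED = """\
Nov 20 10:00:00 gw pluto[1234]: "behindnat" #1: Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)
Nov 20 10:00:00 gw pluto[1234]: "behindnat" #2: IPsec SA established
Nov 20 10:00:30 gw pluto[1234]: | next event EVENT_PENDING_PHASE2 in 90 seconds
"""

LOG_ENABLED = """\
Nov 20 10:05:00 gw pluto[1234]: "behindnat" #3: Sending of NAT-T KEEP-ALIVE enabled by per-conn configuration (nat_keepalive=yes)
Nov 20 10:05:00 gw pluto[1234]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Nov 20 10:05:00 gw pluto[1234]: | next event EVENT_NAT_T_KEEPALIVE in 20 seconds
Nov 20 10:05:20 gw pluto[1234]: | sending NAT-T Keep Alive
Nov 20 10:05:20 gw pluto[1234]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Nov 20 10:05:40 gw pluto[1234]: | sending NAT-T Keep Alive
Nov 20 10:05:40 gw pluto[1234]: | inserting event EVENT_NAT_T_KEEPALIVE, timeout in 20 seconds
Nov 20 10:06:00 gw pluto[1234]: | sending NAT-T Keep Alive
"""

# A regression case: the daemon claims suppression but still sends a keep-alive.
LOG_REGRESSION = """\
Nov 20 10:10:00 gw pluto[1234]: "behindnat" #4: Suppressing sending of NAT-T KEEP-ALIVE by per-conn configuration (nat_keepalive=no)
Nov 20 10:10:20 gw pluto[1234]: | sending NAT-T Keep Alive
"""


def main():
    for name, log, setting in (("disabled", LOG_DISABLED, "no"),
                               ("enabled", LOG_ENABLED, "yes"),
                               ("regression", LOG_REGRESSION, "no")):
        print(name, audit(log, "behindnat", setting))


if __name__ == "__main__":
    main()
```

Run it against a real pluto log by feeding the file contents to audit() with the connection name and the value you set in ipsec.conf; keep one tunnel per log capture, since the "| sending NAT-T Keep Alive" debug lines are not tagged with a connection name and cannot be attributed when several tunnels share a daemon.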
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1718.html