[Openswan dev] forceencaps
Dmitriy
ddmk at r66.ru
Tue Sep 20 23:45:36 CEST 2005
Can anybody implement the more original request for forceencaps?
Michael H. Warfield wrote:
> nat_traversal=no Never
> nat_traversal=yes OK, but not required.
> nat_traversal=me Act like I have a NAT
> nat_traversal=them Act like they have a NAT
> nat_traversal=force Act like NAT_TRAVERSAL_FORCE now (both NAT)
It is good to use forceencaps per connection, but it also needs "never" (or
"deny"), "me" (or "left"), "them" (or "right"), "both" (or "force") option values (not
only true or false as now).
Currently the "them" value may be needed, because:
If we need to enforce NAT-T (a firewall or internet router problem which can
drop ESP) for an L2TP Windows XP client, then we do:
1. set forceencaps=yes on the server for the particular connection (useful)
2. make the registry fix. This is because in the first step we say "OK, the SERVER and
the peer are NATed", so the default WinXP policy will deny such a connection if the
registry has the original value
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSec]
"AssumeUDPEncapsulationContextOnSendRule"=dword:00000002
If we can set forceencaps=them (or right) on the server for such a connection,
we have no need to make client registry changes, because the default Windows
policy allows this and there is no ESP traffic if such a configuration is enabled.
I think this requires changing all occurrences of the forceencaps field (and
the type of that field).
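As an added illustration (not code from this thread or from Openswan), the Python below parses an ipsec.conf-style config, assumed to use "conn <name>" sections with indented key=value lines, and reports for each connection what forceencaps means under both the current yes/no syntax and the never/me/them/both values proposed above, together with the Windows XP client consequence the message describes; the conn names and sample config are constructed.

```python
import re
# Current boolean spellings (yes/no) plus the per-side values proposed in the thread
# (never/deny, me/left, them/right, both/force), each mapped to a canonical name.
FORCEENCAPS_VALUES = {
    "yes": "both", "true": "both", "no": "never", "false": "never",
    "never": "never", "deny": "never", "me": "me", "left": "me",
    "them": "them", "right": "them", "both": "both", "force": "both",
}
# What the thread says each setting implies for an L2TP/IPsec Windows XP client.
CLIENT_IMPACT = {
    "both": "needs XP registry fix (AssumeUDPEncapsulationContextOnSendRule=2)",
    "them": "default XP policy accepts it, no registry change",
}

def parse_ipsec_conf(text):
    """Parse 'conn <name>' headers and indented key=value lines ('#' starts a comment)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and line[0] in " \t" and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip().lower()] = value.strip()
    return conns

def canonical_forceencaps(value):
    """Canonical name for a forceencaps value; ValueError for an unsupported spelling."""
    if value.strip().lower() not in FORCEENCAPS_VALUES:
        raise ValueError(f"unknown forceencaps value: {value!r}")
    return FORCEENCAPS_VALUES[value.strip().lower()]

def review_forceencaps(text):
    """{conn_name: (canonical_value, client_impact)}; a conn without forceencaps defaults to 'no'."""
    result = {}
    for name, conn in parse_ipsec_conf(text).items():
        canon = canonical_forceencaps(conn.get("forceencaps", "no"))
        result[name] = (canon, CLIENT_IMPACT.get(canon, "not covered by the thread, review manually"))
    return result

SAMPLE_CONF = """\
# constructed sample, not from the thread
conn l2tp-xp-today
    forceencaps=yes   # server and client both treated as NATed
conn l2tp-xp-proposed
    forceencaps=them  # only the client treated as NATed
"""
```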