[Openswan Users] disable_port_floating and NAT-T

Paul Wouters paul at xelerance.com
Wed Nov 17 22:30:38 EST 2010

On Wed, 17 Nov 2010, Mark Ryden wrote:

> I tried to set disable_port_floating=yes in ipsec.conf,
> and I saw that the traffic is without UDP encapsulation, even though
> it should have been (I use forceencaps=yes). When I turn
> disable_port_floating=no,
> I get traffic **with** UDP encapsulation (on port 4500).

The encapsulation happens on the "floated" ports for the newer drafts and RFC.

> My question is: what is the difference between forceencaps=no and
> disable_port_floating=yes? Or to put my question more accurately: what is
> disable_port_floating=yes for? When should I use it? Is
> there any difference from a functional point of view between disabling
> NAT traversal by nat_traversal=no and disabling NAT traversal by
> disable_port_floating=yes?

I guess disable_port_floating really makes no sense these days, though note
that it is a "config setup" item, so a global setting, whereas forceencaps=
is a per-conn setting.

I don't know of a scenario where you would want disable_port_floating=yes
(if you don't want NAT-T at all, you'd use nat_traversal=no).
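
Added example, not part of the original post or of Openswan: a small Python check for the situation discussed in this thread, where a conn sets forceencaps=yes while the global "config setup" section has disable_port_floating=yes or nat_traversal=no. The parser is a simplified reading of ipsec.conf, and the sample file, conn names and addresses are constructed.

```python
# Added example. Simplified ipsec.conf reader: column-0 section headers,
# indented key=value lines, '#' comments; also= and include are not followed.
SAMPLE_CONF = """\
# constructed sample, not from the thread
config setup
    nat_traversal=yes
    disable_port_floating=yes

conn %default
    forceencaps=yes

conn office
    left=192.0.2.1
    right=198.51.100.7

conn lab
    right=203.0.113.9
    forceencaps=no
"""

def parse_ipsec_conf(text):
    """Return (setup options, {conn name: options})."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():              # section header at column 0
            parts = line.split()
            current = None
            if parts == ["config", "setup"]:
                current = setup
            elif len(parts) == 2 and parts[0] == "conn":
                current = conns.setdefault(parts[1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return setup, conns

def find_encaps_conflicts(text):
    """Return (conn, global setting) pairs where forceencaps=yes is at odds."""
    setup, conns = parse_ipsec_conf(text)
    defaults = conns.pop("%default", {})       # applies to every conn
    blockers = [f"{k}={v}" for k, v in (("nat_traversal", "no"),
                ("disable_port_floating", "yes")) if setup.get(k) == v]
    return [(name, b) for name, opts in sorted(conns.items())
            if {**defaults, **opts}.get("forceencaps") == "yes"
            for b in blockers]
```

Calling `find_encaps_conflicts(SAMPLE_CONF)` reports the `office` conn, which inherits forceencaps=yes from `%default`, against the global disable_port_floating=yes; `lab` overrides it with forceencaps=no and is not reported.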


