Merge tag 'upstream/5.1.2'

Upstream version 5.1.2

1 files changed, 13 insertions, 0 deletions

diff --git a/testing/tests/ikev2/host2host-transport-nat/description.txt b/testing/tests/ikev2/host2host-transport-nat/description.txt
new file mode 100644
index 000000000..6f18a88cd
--- /dev/null
+++ b/testing/tests/ikev2/host2host-transport-nat/description.txt
@@ -0,0 +1,13 @@
+An IPsec <b>transport-mode</b> connection between the natted host <b>alice</b> and gateway <b>sun</b>
+is successfully set up. <b>leftfirewall=yes</b> automatically inserts iptables-based firewall
+rules that let pass the decrypted IP packets. In order to test the host-to-host connection
+<b>alice</b> pings <b>sun</b>.<br/>
+<b>Note:</b> This scenario also demonstrates two problems with transport-mode and NAT traversal:
+<ol>
+<li>The client <b>venus</b> behind the same NAT as client <b>alice</b> is not able to ping <b>sun</b>
+(even with ICMP explicitly allowed there) because the request arrives unencrypted and thus gets
+dropped when the IPsec policies are consulted (increases the <em>XfrmInTmplMismatch</em> counter
+in <em>/proc/net/xfrm_stat</em>).</li>
+<li>A similar issue arises when <b>venus</b> also establishes an IPsec <b>transport-mode</b> connection to
+<b>sun</b>, due to the conflicting IPsec policies <b>sun</b> declines such a connection.</li>
+</ol>