IPSec: migrate no longer available options from CLI which are now hardcoded/enabled in strongSwan
Options which are no longer available in strongSwan and should be removed from the CLI are:
- set vpn ipsec nat-traversal enable
- set vpn ipsec nat-networks allowed-network
- remove VTI interfaces not referenced in VPN config instead of a warning: https://github.com/vyos/vyatta-cfg-system/blob/crux/templates/interfaces/vti/node.def#L14
Before strongSwan 5.0.0, NAT discovery and traversal for IKEv1 had to be enabled by setting nat_traversal=yes in the config setup section of ipsec.conf. Otherwise, strongSwan 4.x's IKEv1 pluto daemon would not accept incoming IKE packets with a UDP source port different from 500. Since 5.0.0, IKEv1 traffic is handled by the charon daemon, which supports NAT traversal according to RFC 3947 (and some of its early drafts) without having to enable it explicitly (it can't be disabled either, though).
VyOS 1.3 reports:
Jun 6 11:10:34 AC1 ipsec_starter: # deprecated keyword 'nat_traversal' in config setup
Jun 6 11:10:34 AC1 ipsec_starter: # deprecated keyword 'virtual_private' in config setup
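The migration listed above, sketched as an added example (this is not the VyOS migration script): it works on the flat `set` command form of a configuration, drops the two obsolete nodes, and removes VTI interfaces that no site-to-site peer binds. The function name `migrate` and the sample configuration are constructed for illustration.

```python
import re

# Nodes the task lists for removal; charon always performs NAT traversal,
# so these settings have no effect on strongSwan >= 5.0.0.
OBSOLETE_PREFIXES = (
    "set vpn ipsec nat-traversal",
    "set vpn ipsec nat-networks",
)
VTI_IFACE = re.compile(r"^set interfaces vti (\S+)")
VTI_BIND = re.compile(r"^set vpn ipsec site-to-site peer \S+ vti bind '?([^'\s]+)'?")


def migrate(commands):
    """Return (kept, removed) for a list of 'set' command lines."""
    lines = [c.strip() for c in commands if c.strip()]
    # First pass: collect every VTI name that a peer actually binds.
    bound = {m.group(1) for c in lines if (m := VTI_BIND.match(c))}
    kept, removed = [], []
    for cmd in lines:
        vti = VTI_IFACE.match(cmd)
        obsolete = any(cmd == p or cmd.startswith(p + " ") for p in OBSOLETE_PREFIXES)
        # Drop obsolete nodes and every line of an unreferenced VTI interface.
        if obsolete or (vti and vti.group(1) not in bound):
            removed.append(cmd)
        else:
            kept.append(cmd)
    return kept, removed


# Constructed sample configuration (not taken from a real system).
SAMPLE = """
set interfaces vti vti0 address '10.255.0.1/30'
set interfaces vti vti7 address '10.255.7.1/30'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec nat-networks allowed-network '10.0.0.0/8'
set vpn ipsec nat-traversal 'enable'
set vpn ipsec site-to-site peer 192.0.2.10 vti bind 'vti0'
set vpn ipsec site-to-site peer 192.0.2.10 vti esp-group 'ESP-A'
""".splitlines()

if __name__ == "__main__":
    kept, removed = migrate(SAMPLE)
    for cmd in removed:
        print("removed:", cmd)
    for cmd in kept:
        print("kept:   ", cmd)
```

Printing the removed lines gives an operator a record of what the upgrade dropped, in particular any VTI interface that carried addresses but was never bound to a peer.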