patch for IPSEC_NAT_T
Daniil Harun
harunaga at harunaga.ru
Thu Jun 26 10:09:05 UTC 2008
Dear sirs!
Sorry for my bad English! I ask for your help, if you have some spare time.
I'm using the patch to support IPSEC NAT Traversal on FreeBSD 7.0. NAT-T will not
work with Windows XP in a real situation.
# cd /usr/src/sys
# patch < patch-natt-freebsd7-2008-03-11.diff
Kernel config (FreeBSD 7.0):
options IPSEC
options IPSEC_NAT_T
device enc
device crypto
device cryptodev
Racoon config:
listen
{
isakmp 80.85.151.51 [500];
isakmp_natt 80.85.151.51 [4500];
}
timer
{
natt_keepalive 10 sec;
}
remote anonymous
{
exchange_mode main;
my_identifier asn1dn;
certificate_type x509 "ipsec-server.crt" "ipsec-server.key";
peers_certfile "ipsec-client.crt";
passive on;
generate_policy on;
nat_traversal force;
proposal_check obey; # obey, strict, or claim
proposal {
authentication_method rsasig;
encryption_algorithm 3des;
hash_algorithm sha1;
dh_group 2;
}
}
sainfo anonymous
{
pfs_group 2;
lifetime time 10 min;
encryption_algorithm 3des, rijndael;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
#ipfw show
00001 0 0 allow ip from any to any via enc0
65535 0 0 allow ip from any to any
Configure and apply the policies in the Windows IPsec settings.
The host with Windows XP has address 80.85.145.224. The host with FreeBSD
has address 80.85.151.51.
Ping FreeBSD from Windows XP and run tcpdump on FreeBSD.
# tcpdump -npti fxp0 host 80.85.145.224
IP 80.85.145.224.500 > 80.85.151.51.500: isakmp: phase 1 I ident
IP 80.85.151.51.500 > 80.85.145.224.500: isakmp: phase 1 R ident
IP 80.85.145.224.500 > 80.85.151.51.500: isakmp: phase 1 I ident
IP 80.85.151.51.500 > 80.85.145.224.500: isakmp: phase 1 R ident
IP 80.85.145.224.4500 > 80.85.151.51.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP 80.85.145.224 > 80.85.151.51: udp
IP 80.85.151.51.4500 > 80.85.145.224.4500: NONESP-encap: isakmp: phase 1 R ident[E]
IP 80.85.151.51.4500 > 80.85.145.224.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
IP 80.85.145.224.4500 > 80.85.151.51.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
IP 80.85.151.51.4500 > 80.85.145.224.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
IP 80.85.145.224.4500 > 80.85.151.51.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x1), length 76
IP 80.85.145.224.4500 > 80.85.151.51.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
IP 80.85.145.224.4500 > 80.85.151.51.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x2), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: UDP-encap: ESP(spi=0xa9d7fa75,seq=0x1), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: isakmp-nat-keep-alive
IP 80.85.145.224.4500 > 80.85.151.51.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x3), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: UDP-encap: ESP(spi=0xa9d7fa75,seq=0x2), length 76
IP 80.85.145.224.4500 > 80.85.151.51.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x4), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: UDP-encap: ESP(spi=0xa9d7fa75,seq=0x3), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: isakmp-nat-keep-alive
# tcpdump -npti enc0
(authentic,confidential): SPI 0x0786ecb5: IP 80.85.145.224 > 80.85.151.51: ICMP echo request, id 512, seq 4608, length 40
(authentic,confidential): SPI 0x60fa28ee: IP 80.85.151.51 > 80.85.145.224: ICMP echo reply, id 512, seq 4608, length 40
(authentic,confidential): SPI 0x0786ecb5: IP 80.85.145.224 > 80.85.151.51: ICMP echo request, id 512, seq 4864, length 40
(authentic,confidential): SPI 0x60fa28ee: IP 80.85.151.51 > 80.85.145.224: ICMP echo reply, id 512, seq 4864, length 40
(authentic,confidential): SPI 0x0786ecb5: IP 80.85.145.224 > 80.85.151.51: ICMP echo request, id 512, seq 5120, length 40
(authentic,confidential): SPI 0x60fa28ee: IP 80.85.151.51 > 80.85.145.224: ICMP echo reply, id 512, seq 5120, length 40
# /usr/local/sbin/setkey -D
80.85.151.51[4500] 80.85.145.224[4500]
esp-udp mode=transport spi=1074885652(0x40117414) reqid=0(0x00000000)
E: 3des-cbc 2753f418 16ae6b2d 7db165b1 78489da4 84c61b5c 74ba0eab
A: hmac-sha1 8dbb660d 8d461664 db9f2576 b1c51494 24bc72f3
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: Jun 25 22:33:08 2008 current: Jun 25 22:33:14 2008
diff: 6(s) hard: 900(s) soft: 900(s)
last: Jun 25 22:33:09 2008 hard: 0(s) soft: 0(s)
current: 96(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=1 pid=9531 refcnt=2
80.85.145.224[4500] 80.85.151.51[4500]
esp-udp mode=transport spi=145306844(0x08a934dc) reqid=0(0x00000000)
E: 3des-cbc 236d1e55 e194f00c a18ed711 081baab3 2692c6f5 6607f06e
A: hmac-sha1 74971750 35c1ed4a 7f435f86 b17a4195 7d1aee61
seq=0x00000001 replay=4 flags=0x00000000 state=mature
created: Jun 25 22:33:08 2008 current: Jun 25 22:33:14 2008
diff: 6(s) hard: 900(s) soft: 900(s)
last: Jun 25 22:33:09 2008 hard: 0(s) soft: 0(s)
current: 60(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1 hard: 0 soft: 0
sadb_seq=0 pid=9531 refcnt=1
# /usr/local/sbin/setkey -DP
80.85.145.224[any] 80.85.151.51[any] any
in ipsec
esp/transport//require
spid=3366 seq=1 pid=9532
refcnt=1
80.85.151.51[any] 80.85.145.224[any] any
out ipsec
esp/transport//require
spid=3367 seq=0 pid=9532
refcnt=1
Everything works: UDP and TCP traffic passes through IPSEC. L2TP over IPSEC
works normally.
# /usr/local/sbin/setkey -DP
80.85.145.224[any] 80.85.151.51[1701] udp
in ipsec
esp/transport//require
spid=3368 seq=1 pid=9606
refcnt=1
80.85.151.51[1701] 80.85.145.224[any] udp
out ipsec
esp/transport//require
spid=3369 seq=0 pid=9606
refcnt=1
But when the host is placed behind NAT, everything stops working.
After IKE negotiates and the keys are added to the SA database, traffic does not
pass. "tcpdump enc0" shows that the traffic is decoded normally, but then it is
not processed; the packets are discarded.
The counters of ipfw rule 1 do not grow. On FreeBSD 6.2 I have the same problem
(FAST_IPSEC or KAME IPSEC).
How to fix it? I would be glad of any answer!
--
Best regards, Harun Daniil
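One check worth running on the failing (behind-NAT) case is whether each packet that appears decrypted on enc0 is actually selected by some "in ipsec" entry in the SPD. The script below is an added example, not from the post or from the FreeBSD/racoon sources: it parses the "setkey -DP" and "tcpdump -npti enc0" formats shown above and lists decrypted packets that no inbound policy matches. The sample data is constructed; the second packet uses a made-up private inner source to show what a selector mismatch looks like.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed samples in the formats shown in the post (policy as printed by setkey -DP,
# packets as printed on enc0). The 192.168.1.10 source is invented for the example.
SPD_SAMPLE = "80.85.145.224[any] 80.85.151.51[any] any\nin ipsec\nesp/transport//require\n"
ENC0_SAMPLE = ("(authentic,confidential): SPI 0x0786ecb5: IP 80.85.145.224 > 80.85.151.51: ICMP echo request, id 512, seq 4608, length 40\n"
               "(authentic,confidential): SPI 0x0786ecb5: IP 192.168.1.10 > 80.85.151.51: ICMP echo request, id 512, seq 4864, length 40\n")

SPD_RE = re.compile(r"^(\S+)\[(\S+)\] (\S+)\[(\S+)\] (\S+)$")  # setkey -DP selector line
PKT_RE = re.compile(r"IP (\S+) > (\S+): (\w+)")                   # tcpdump inner-packet line

def endpoint(tok):
    """'80.85.145.224.1701' -> (ip, 1701); '80.85.145.224' -> (ip, None)."""
    p = tok.split(".")
    return (ip_address(".".join(p[:4])), int(p[4])) if len(p) == 5 else (ip_address(tok), None)

def parse_spd(text):
    """setkey -DP output -> [(src_net, sport, dst_net, dport, proto, direction)]."""
    lines, pols = text.splitlines(), []
    for i, line in enumerate(lines[:-1]):          # direction is on the line after the selector
        m = SPD_RE.match(line.strip())
        if m:
            s, sp, d, dp, proto = m.groups()
            pols.append((ip_network(s, strict=False), sp, ip_network(d, strict=False),
                         dp, proto.lower(), lines[i + 1].split()[0]))
    return pols

def parse_enc0(text):
    """tcpdump -npti enc0 output -> [(src, sport, dst, dport, proto)]."""
    pkts = []
    for m in (PKT_RE.search(l) for l in text.splitlines()):
        if m:
            (s, sp), (d, dp) = endpoint(m.group(1)), endpoint(m.group(2))
            pkts.append((s, sp, d, dp, m.group(3).lower()))
    return pkts

def port_ok(want, have):
    return want == "any" or (have is not None and int(want) == have)

def matches(pol, pkt):
    s, sp, d, dp, proto = pkt
    ps, psp, pd, pdp, pproto, _ = pol
    return s in ps and d in pd and port_ok(psp, sp) and port_ok(pdp, dp) and pproto in ("any", proto)

def unmatched_inbound(spd_text, enc0_text):
    """Decrypted packets that no 'in ipsec' policy selects (candidates for being dropped)."""
    inbound = [p for p in parse_spd(spd_text) if p[5] == "in"]
    return [k for k in parse_enc0(enc0_text) if not any(matches(p, k) for p in inbound)]
```

Feed it the real outputs of "setkey -DP" and "tcpdump -npti enc0" taken during the failing ping to see whether the decrypted packets and the installed policy disagree on the inner addresses, ports or protocol.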