IPsec + L2TP using racoon + mpd5
Ashish SHUKLA
ashish at FreeBSD.org
Mon Sep 20 15:33:14 UTC 2010
Hi everyone,
A few weeks ago, I posted about the problem of being unable to use IPsec behind
NAT [1]. Thanks to the code in ipsec-tools CVS HEAD, the IPSEC_NAT_T kernel option
and mpd5, I was able to use it, both on the router and behind NAT, without any
issues.
A few days ago, I lost the "behind NAT" configuration of this combo, and forgot
to take backups :(. So, at present I can only use this combo without any
issues on the router, but when inside NAT, it fails. This is the same box which
is sometimes used as a router, and sometimes gets NATed.
When behind NAT, I can see that the IPsec tunnel gets created, and I can see IPsec
ESP traffic flowing in/out over UDP port 4500. But the L2TP tunnel never gets
established, whereas when on the router with this same mpd5 configuration, the L2TP
tunnel gets created just fine.
The server is running racoon + OpenL2TP on GNU/Linux using the NETKEY
implementation. The other clients in the network, including a GNU/Linux box and
a Windows box, are able to connect to this L2TP/IPsec tunnel just fine from behind
NAT.
I'm wondering if anyone knows what I might be missing in the configurations
posted below:
1. racoon configuration.
#v+
# racoon-nat.conf
path certificate "/home/abbe/ipsec/ca";
log info;
listen {
	adminsock "/var/db/racoon/racoon.sock" "root" "operator" 0660;
}
# Phase 1 (IKE) settings for the L2TP/IPsec server
remote XXX.XXX.XXX.XXX {
	exchange_mode main;
	my_identifier asn1dn;
	certificate_type x509 "user.pem" "user.key";
	proposal_check obey;
	verify_identifier on;
	verify_cert on;
	script "/home/user/ipsec/tunnel-up.sh" phase1_up;
	script "/home/user/ipsec/tunnel-down.sh" phase1_down;
	# NAT-T (RFC 3947): move IKE and ESP to UDP/4500 when a NAT is detected
	nat_traversal on;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group modp1024;
	}
}
# Phase 2 (IPsec SA) parameters, applied to every peer
sainfo anonymous {
	lifetime time 28800 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
#v-
2. racoon tunnel-up script
#v+
#!/bin/sh
# tunnel-up.sh
# LOCAL_ADDR and REMOTE_ADDR are exported by racoon to phase1_up scripts
/sbin/setkey -c <<EOF
flush;
spdflush;
# Make sure L2TP traffic goes over IPsec
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[1701] any
-P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[1701] ${LOCAL_ADDR}[0] any
-P in ipsec esp/transport//require ;
# Required for NAT
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[4500] any
-P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[4500] ${LOCAL_ADDR}[0] any
-P in ipsec esp/transport//require ;
# Required for non-NAT
spdadd ${LOCAL_ADDR}[500] ${REMOTE_ADDR}[500] any
-P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[500] ${LOCAL_ADDR}[500] any
-P in ipsec esp/transport//require ;
EOF
exit 0
#v-
3. mpd5 script
#v+
default:
	load l2tp

l2tp:
	# one static bundle carrying one L2TP link
	create bundle static l2tp
	create link static L2 l2tp
	set link action bundle l2tp
	set link keep-alive 10 60
	set link mtu 1460
	# the L2TP/IPsec server (same address as in racoon's remote block)
	set l2tp peer XXX.XXX.XXX.XXX
	set auth authname user
	set link max-redial 0
	open
#v-
References:
[1] http://www.mail-archive.com/freebsd-net@freebsd.org/msg34087.html
Thanks in advance.
--
Ashish SHUKLA | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/
Avoid Success At All Costs !!
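The post above reports ESP flowing over UDP/4500 while L2TP never comes up. As an added example (not part of the original message), here is a small Python classifier for UDP/4500 payloads following RFC 3947/3948: it separates NAT keepalives, IKE (identified by the all-zero non-ESP marker) and UDP-encapsulated ESP, which helps confirm from a capture whether phase 1 or phase 2 traffic is actually being exchanged. The sample datagrams are constructed inline, not taken from a real capture.

```python
import struct

# RFC 3947/3948: a UDP/4500 datagram is one of
#   - a 1-byte NAT keepalive (0xff),
#   - IKE, prefixed with the 4-byte all-zero "non-ESP marker",
#   - UDP-encapsulated ESP, whose first 4 bytes are a non-zero SPI.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
NAT_KEEPALIVE = b"\xff"
# IKE header: ISPI, RSPI, next payload, version, exchange type, flags, message ID, length
IKE_HDR = struct.Struct("!8s8sBBBBII")
# IKEv1 exchange types (main mode is what the racoon config above negotiates)
IKEV1_EXCHANGES = {2: "identity-protection(main)", 4: "aggressive", 5: "informational", 32: "quick"}


def classify_udp4500(payload: bytes) -> dict:
    """Classify the payload of one UDP/4500 datagram."""
    if payload == NAT_KEEPALIVE:
        return {"kind": "keepalive"}
    if len(payload) < 8:
        return {"kind": "unknown", "reason": "too short for ESP or IKE"}
    if payload[:4] == NON_ESP_MARKER:
        ike = payload[4:]
        if len(ike) < IKE_HDR.size:
            return {"kind": "unknown", "reason": "truncated IKE header"}
        ispi, rspi, _np, ver, xchg, _flags, msgid, length = IKE_HDR.unpack_from(ike)
        return {"kind": "ike", "version": f"{ver >> 4}.{ver & 0xF}",
                "exchange": IKEV1_EXCHANGES.get(xchg, str(xchg)),
                "initiator_spi": ispi.hex(), "responder_spi": rspi.hex(),
                "message_id": msgid, "length_ok": length == len(ike)}
    # Anything else is ESP: SPI (never zero, hence the marker works) then sequence number
    spi, seq = struct.unpack_from("!II", payload)
    return {"kind": "esp", "spi": spi, "seq": seq}


def summarize(datagrams) -> dict:
    """Count datagram kinds, e.g. over the UDP/4500 payloads of a capture."""
    counts = {}
    for p in datagrams:
        kind = classify_udp4500(p)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed sample datagrams (not taken from a real capture)
SAMPLE_IKE = NON_ESP_MARKER + IKE_HDR.pack(bytes.fromhex("0102030405060708"), bytes(8), 1, 0x10, 2, 0, 0, IKE_HDR.size)
SAMPLE_ESP = struct.pack("!II", 0x0ABCDEF0, 7) + bytes(16)
SAMPLES = [NAT_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP, SAMPLE_ESP]

if __name__ == "__main__":
    for p in SAMPLES:
        print(classify_udp4500(p))
    print(summarize(SAMPLES))  # {'keepalive': 1, 'ike': 1, 'esp': 2}
```

Feed it the UDP payloads of port-4500 packets from a capture: a stream that is all ESP with no IKE quick-mode or informational messages, or vice versa, narrows down which layer is failing.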