IPsec with NAT-T in transport mode dropping all packets?

David Murray freebsd-questions at davidmurray.name
Tue Aug 19 11:44:42 UTC 2008


Hello again all,

On Thu 7/8/08 1:01 pm, David Murray wrote:

> I'm having a bit of trouble getting IPsec working in transport mode 
> with NAT-T.
>
> Briefly, the background is that I'm trying to configure a FreeBSD box 
> to provide remote Windows clients with VPN access to the network it 
> sits on.  To that end, I've been trying to construct a solution with 
> the following:
>
>  1)  FreeBSD (RELENG_7_0), kernel built with options IPSEC and 
> IPSEC_NAT_T, and patched with
>  2)  the NAT-T patch at 
> http://vanhu.free.fr/FreeBSD/patch-natt-freebsd7-2008-03-11.diff,
>  3)  ipsec-tools (0.7.0) for racoon for key exchange, and
>  4)  mpd (5.1) for L2TP.
>
> I have two security policy entries in ipsec.conf, intended to encrypt 
> L2TP traffic:
>
>  spdadd 82.16.99.99[1701] 0.0.0.0/0 udp -P out ipsec 
> esp/transport//require;
>  spdadd 0.0.0.0/0 82.16.99.99[1701] udp -P in  ipsec 
> esp/transport//require;
>
> The tricky key negotiation all seems to be working; when I initiate a 
> connection from a Windows client, racoon negotiates security 
> associations (I'm using certificates):
>
>  racoon: INFO: IPsec-SA established: ESP/Transport 
> 195.248.102.183[4500]->82.16.99.99[4500] spi=73448711(0x460bd07)
>  racoon: INFO: IPsec-SA established: ESP/Transport 
> 82.16.99.99[4500]->195.248.102.183[4500] spi=2159874738(0x80bd12b2)
>
> However, mpd's log doesn't show any evidence of a single packet 
> arriving (and the client eventually gives up).

No takers, so I guess this is either a stupid question or a tricky 
question!  Perhaps I should have asked over on freebsd-net@, but I 
presumed to ask here first, since I've got no reason to suspect anything 
other than operator error at the moment.

Perhaps I could try a simpler question: has anyone got an L2TP/IPsec 
roadwarrior-style VPN working where the clients (initiators) are behind NAT?

Since my first post, I've tried initiating a connection from a client 
directly connected to the network I'm trying to VPN into (so pointless, 
but a way of testing without NAT) and that works just fine, so I can 
provide differences between the logs of a failed and working connection.

Thanks for any hints!


-- 
David Murray
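The symptom in this thread is that racoon reports two ESP/Transport SAs on UDP port 4500 (NAT-T) yet mpd never sees an L2TP packet. One check worth making at that point is whether ESP-in-UDP datagrams carrying the negotiated SPI are actually arriving at port 4500, as opposed to only IKE traffic or NAT keepalives. The following Python is an added example, not code from the post or from FreeBSD/ipsec-tools: it parses the "IPsec-SA established" lines quoted above to learn the negotiated SPIs, then classifies UDP/4500 payloads using the RFC 3948 framing (a leading 4-byte zero "non-ESP marker" means IKE, a single 0xFF byte is a NAT keepalive, anything else starts with the ESP SPI and sequence number). The sample payloads are constructed for the example; the SPIs come from the racoon lines in the post.

```python
"""Classify UDP/4500 (NAT-T) payloads and match ESP SPIs against racoon's log.

Added example: not part of the original post. The racoon lines are copied
from the post; the UDP payloads below are constructed for illustration.
"""
import re
import struct

# Racoon INFO lines copied verbatim from the post.
RACOON_LOG = """\
racoon: INFO: IPsec-SA established: ESP/Transport 195.248.102.183[4500]->82.16.99.99[4500] spi=73448711(0x460bd07)
racoon: INFO: IPsec-SA established: ESP/Transport 82.16.99.99[4500]->195.248.102.183[4500] spi=2159874738(0x80bd12b2)
"""

SA_RE = re.compile(
    r"IPsec-SA established: ESP/(?P<mode>\w+) "
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]->(?P<dst>[\d.]+)\[(?P<dport>\d+)\] "
    r"spi=(?P<spi>\d+)"
)


def parse_racoon_sas(log: str) -> dict:
    """Map SPI (int) -> SA details taken from racoon 'IPsec-SA established' lines."""
    sas = {}
    for line in log.splitlines():
        m = SA_RE.search(line)
        if not m:
            continue
        sas[int(m["spi"])] = {
            "src": m["src"],
            "dst": m["dst"],
            "mode": m["mode"].lower(),
            # Both endpoints on 4500 means the SA runs over NAT-T UDP encapsulation.
            "udp_encap": m["sport"] == "4500" and m["dport"] == "4500",
        }
    return sas


def classify_udp4500(payload: bytes) -> dict:
    """Apply RFC 3948 framing rules to the payload of one UDP/4500 datagram."""
    if payload == b"\xff":
        # One-byte 0xFF: NAT keepalive, carries no ESP.
        return {"kind": "nat-keepalive"}
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        # Non-ESP marker: an ISAKMP (IKE) message follows. ESP SPI 0 is
        # reserved, so four zero bytes can never be a real ESP header.
        return {"kind": "ike", "isakmp_len": len(payload) - 4}
    if len(payload) >= 8:
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq}
    return {"kind": "runt", "len": len(payload)}


def esp_packet(spi: int, seq: int, body: bytes = b"\x00" * 32) -> bytes:
    """Construct a minimal UDP-encapsulated ESP payload (header + opaque body)."""
    return struct.pack("!II", spi, seq) + body


# Constructed sample datagram payloads as they would be captured on UDP/4500.
SAMPLE_UDP4500 = [
    b"\x00\x00\x00\x00" + b"\x11" * 28,  # IKE behind the non-ESP marker
    esp_packet(0x460BD07, 1),            # ESP with the SPI racoon installed inbound
    b"\xff",                             # NAT keepalive from the client
    esp_packet(0xDEADBEEF, 7),           # ESP with an SPI racoon never logged
]


def audit(payloads, sas: dict) -> dict:
    """Count what arrived on 4500 and list ESP SPIs with no matching SA."""
    summary = {"ike": 0, "esp_known": 0, "esp_unknown": 0,
               "nat-keepalive": 0, "runt": 0, "unknown_spis": []}
    for p in payloads:
        c = classify_udp4500(p)
        if c["kind"] != "esp":
            summary[c["kind"]] += 1
        elif c["spi"] in sas:
            summary["esp_known"] += 1
        else:
            summary["esp_unknown"] += 1
            summary["unknown_spis"].append(c["spi"])
    return summary


if __name__ == "__main__":
    negotiated = parse_racoon_sas(RACOON_LOG)
    for spi, sa in negotiated.items():
        print(f"SA spi=0x{spi:x} {sa['src']} -> {sa['dst']} "
              f"{sa['mode']} udp_encap={sa['udp_encap']}")
    print(audit(SAMPLE_UDP4500, negotiated))
```

Feeding real UDP/4500 payloads (for instance the bytes after the UDP header from a tcpdump capture) into `audit` separates the three states a practitioner needs to tell apart here: only IKE and keepalives arriving (the client never sends ESP), ESP arriving with a SPI that is not in racoon's table (the kernel will drop it), or ESP arriving with the negotiated SPI (the problem lies after decapsulation, between the SPD selectors and mpd). The example does not diagnose which of these applies to the post; it only makes the distinction observable.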
