Support for IPSec NAT-T in transoprt mode

Andreas Longwitz longwitz at incore.de
Tue Apr 24 20:10:10 UTC 2012 

I run FreeBSD 8.2, ipsec-tools-0.8.0_2 and mpd-5.5.
To get NATed VPN clients working through L2TP/IPSec I use the patches
given in kern/146190 for the files esp_var.h, ipsec.c, ipsec_input.c
(only the "Ignore checksum" part) and xform_esp.c. Further the following
patch:

--- key.c.1st   2011-09-29 10:39:44.000000000 +0200
+++ key.c       2012-04-24 21:40:55.000000000 +0200
@@ -1312,11 +1312,14 @@
                        continue;
                if (key_cmpspidx_exactly(spidx, &sp->spidx)) {
                        SP_ADDREF(sp);
-                       break;
+                       SPTREE_UNLOCK();
+                       goto found;
                }
        }
        SPTREE_UNLOCK();
+       return NULL;

+   found:
        return sp;
 }

@@ -2967,11 +2970,15 @@
        LIST_FOREACH(sah, &V_sahtree, chain) {
                if (sah->state == SADB_SASTATE_DEAD)
                        continue;
-               if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID))
-                       break;
+               if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID)) {
+                       SAHTREE_UNLOCK();
+                       goto found;
+               }
        }
        SAHTREE_UNLOCK();
+       return NULL;

+   found:
        return sah;
 }

@@ -4064,10 +4071,12 @@
                /*
                 * If NAT-T is enabled, check ports for tunnel mode.
                * Do not check ports if they are set to zero in the SPD.
-                * Also do not do it for transport mode, as there is no
+                * Also do not do it for native transport mode, as there
is no
                 * port information available in the SP.
                 */
-               if (saidx1->mode == IPSEC_MODE_TUNNEL &&
+               if ((saidx1->mode == IPSEC_MODE_TUNNEL ||
+                   (saidx1->mode == IPSEC_MODE_TRANSPORT &&
+                   saidx1->proto == IPPROTO_ESP)) &&
                    saidx1->src.sa.sa_family == AF_INET &&
                    saidx1->dst.sa.sa_family == AF_INET &&

Then a NATed FreeBSD or Android client works fine with L2TP/IPSec (PSK
or certificate), also every iPhone with L2TP/IPSec (PSK). I don't know
if we can handle the server side of Cisco IPSEC used by Apple for
certificates on the iphone. Hints are very welcome.

There is one limitation I would like to get over. From man 8 setkey:
System that do not perform the port check cannot support multiple
endpoints behind the same NAT. I think this is a FreeBSD kernel restriction:
For the first incoming L2TP packet the IPSEC part of the kernel does not
save the source port in the corresponding SA (maybe a field like
natt_l2tp_port). So the kernel does for outgoing L2TP packets not know
the correct SA, if two ore more SA's with the same IP exists.

I would like to know if the patch mentioned in this thread adresses this
problem.


-- 
Dr. Andreas Longwitz

Data Service GmbH
Beethovenstr. 2A
23617 Stockelsdorf
Amtsgericht Lübeck, HRB 318 BS
Geschäftsführer: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau

More information about the freebsd-stable mailing list