IPsec NATT: Multiple initiators behind NAT

Riaan Kruger riaank at gmail.com
Fri Sep 25 07:18:22 UTC 2009


I have a problem with multiple IPsec Gateways behind a single NAT
communicating to one responder (on the other side of the NAT).

The diagram shows a typical set up. (FreeBSD 8 and ipsec-tools 0.7.2)

  GW (Initiator) ----|
                     |--- NAT ----- GW (responder)
  GW (Initiator) ----|

On the responder the SADs get "mixed up" when a second set of SAs is
written to the SAD for the second GW.
The port numbers of the second set of SAs are set to those of the first set
of SAs even though different ones are provided.

I tried to isolate and illustrate the problem using only setkey from the
command line (taken from ipsec-tools).

THE STEPS:
-------------------
setkey.conf:
flush;
add 10.0.0.20[4500] 10.0.0.10[50000] esp-udp 0x2010 -E 3des-cbc
0x123456781234567812345678123456781234567812345000;
add 10.0.0.10[50000] 10.0.0.20[4500] esp-udp 0x1020 -E 3des-cbc
0x123456781234567812345678123456781234567812345000;
add 10.0.0.20[4500] 10.0.0.10[60000] esp-udp 0x2011 -E 3des-cbc
0x123456781234567812345678123456781234567812345111;
add 10.0.0.10[60000] 10.0.0.20[4500] esp-udp 0x1120 -E 3des-cbc
0x123456781234567812345678123456781234567812345111;

setkey -f setkey.conf

THE RESULT (SAD as provided by setkey and manually shortened):
--------------------------------------------------------------------------------------------------
10.0.0.10[50000] 10.0.0.20[4500]
    esp-udp mode=any spi=4384(0x00001120) reqid=0(0x00000000)
    E: 3des-cbc  12345678 12345678 12345678 12345678 12345678 12345111
                     :
    sadb_seq=3 pid=1144 refcnt=1
10.0.0.10[50000] 10.0.0.20[4500]
    esp-udp mode=any spi=4128(0x00001020) reqid=0(0x00000000)
    E: 3des-cbc  12345678 12345678 12345678 12345678 12345678 12345000
                    :
    sadb_seq=2 pid=1144 refcnt=1
10.0.0.20[4500] 10.0.0.10[50000]
    esp-udp mode=any spi=8209(0x00002011) reqid=0(0x00000000)
    E: 3des-cbc  12345678 12345678 12345678 12345678 12345678 12345111
                    :
    sadb_seq=1 pid=1144 refcnt=1
10.0.0.20[4500] 10.0.0.10[50000]
    esp-udp mode=any spi=8208(0x00002010) reqid=0(0x00000000)
    E: 3des-cbc  12345678 12345678 12345678 12345678 12345678 12345000
                    :
    sadb_seq=0 pid=1144 refcnt=1

According to my calculations the first SA (with spi 0x00001120) and the
second SA (with spi 0x00002011) should be for port 60000 instead of 50000.
Any idea what is wrong?

I hope it makes sense.

Regards

