From owner-freebsd-net@FreeBSD.ORG Fri Sep 25 07:18:22 2009
Date: Fri, 25 Sep 2009 08:48:50 +0200
Message-ID: <85c4b1850909242348o312a0015vf0bf52a141c09f42@mail.gmail.com>
From: Riaan Kruger
To: freebsd-net@freebsd.org, Riaan nanoteq
Subject: IPsec NATT: Multiple initiators behind NAT
List-Id: Networking and TCP/IP with FreeBSD

I have a problem with multiple IPsec gateways behind a single NAT communicating with one responder (on the other side of the NAT). The diagram shows a typical setup. (FreeBSD 8 and ipsec-tools 0.7.2)

    GW (Initiator) ----|
                       |--- NAT ----- GW (responder)
    GW (Initiator) ----|

On the responder the SADs get "mixed up" when a second set of SAs is written to the SAD for the second GW. The port numbers of the second set of SAs are set to those of the first set of SAs even though different ones are provided. I tried to isolate and illustrate the problem using only setkey from the command line (taken from ipsec-tools).

THE STEPS:
-------------------

setkey.conf:

    flush;
    add 10.0.0.20[4500] 10.0.0.10[50000] esp-udp 0x2010 -E 3des-cbc 0x123456781234567812345678123456781234567812345000;
    add 10.0.0.10[50000] 10.0.0.20[4500] esp-udp 0x1020 -E 3des-cbc 0x123456781234567812345678123456781234567812345000;
    add 10.0.0.20[4500] 10.0.0.10[60000] esp-udp 0x2011 -E 3des-cbc 0x123456781234567812345678123456781234567812345111;
    add 10.0.0.10[60000] 10.0.0.20[4500] esp-udp 0x1120 -E 3des-cbc 0x123456781234567812345678123456781234567812345111;

    setkey -f setkey.conf

THE RESULT (SAD as provided by setkey and manually shortened):
--------------------------------------------------------------------------------------------------

    10.0.0.10[50000] 10.0.0.20[4500]
        esp-udp mode=any spi=4384(0x00001120) reqid=0(0x00000000)
        E: 3des-cbc 12345678 12345678 12345678 12345678 12345678 12345111
        : sadb_seq=3 pid=1144 refcnt=1
    10.0.0.10[50000] 10.0.0.20[4500]
        esp-udp mode=any spi=4128(0x00001020) reqid=0(0x00000000)
        E: 3des-cbc 12345678 12345678 12345678 12345678 12345678 12345000
        : sadb_seq=2 pid=1144 refcnt=1
    10.0.0.20[4500] 10.0.0.10[50000]
        esp-udp mode=any spi=8209(0x00002011) reqid=0(0x00000000)
        E: 3des-cbc 12345678 12345678 12345678 12345678 12345678 12345111
        : sadb_seq=1 pid=1144 refcnt=1
    10.0.0.20[4500] 10.0.0.10[50000]
        esp-udp mode=any spi=8208(0x00002010) reqid=0(0x00000000)
        E: 3des-cbc 12345678 12345678 12345678 12345678 12345678 12345000
        : sadb_seq=0 pid=1144 refcnt=1

According to my calculations the first SA (with spi 0x00001120) and the second SA (with spi 0x00002011) should be for port 60000 instead of 50000.

Any idea what is wrong? I hope it makes sense.

Regards
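A check for the mix-up described in the post, added here as an example and not part of the original message: it parses the "add" lines of setkey.conf and the endpoints that setkey -D actually reports, then lists every SPI whose installed addresses or NAT-T ports differ from what was requested. The two text constants are constructed from the post's own config and shortened dump; the regular expressions assume setkey's usual two-line "endpoints / esp-udp mode=... spi=..." layout.

```python
import re

# Constructed from the setkey.conf in the post: the SAs the admin asked for.
SETKEY_CONF = """\
flush;
add 10.0.0.20[4500] 10.0.0.10[50000] esp-udp 0x2010 -E 3des-cbc 0x123456781234567812345678123456781234567812345000;
add 10.0.0.10[50000] 10.0.0.20[4500] esp-udp 0x1020 -E 3des-cbc 0x123456781234567812345678123456781234567812345000;
add 10.0.0.20[4500] 10.0.0.10[60000] esp-udp 0x2011 -E 3des-cbc 0x123456781234567812345678123456781234567812345111;
add 10.0.0.10[60000] 10.0.0.20[4500] esp-udp 0x1120 -E 3des-cbc 0x123456781234567812345678123456781234567812345111;
"""

# Constructed from the (shortened) setkey -D dump in the post, in setkey's usual layout.
SAD_DUMP = """\
10.0.0.10[50000] 10.0.0.20[4500]
    esp-udp mode=any spi=4384(0x00001120) reqid=0(0x00000000)
10.0.0.10[50000] 10.0.0.20[4500]
    esp-udp mode=any spi=4128(0x00001020) reqid=0(0x00000000)
10.0.0.20[4500] 10.0.0.10[50000]
    esp-udp mode=any spi=8209(0x00002011) reqid=0(0x00000000)
10.0.0.20[4500] 10.0.0.10[50000]
    esp-udp mode=any spi=8208(0x00002010) reqid=0(0x00000000)
"""

# "src[port] dst[port]" as printed both in setkey.conf and in the SAD dump.
ENDPOINTS = r"([^\s\[]+)\[(\d+)\]\s+([^\s\[]+)\[(\d+)\]"
CONF_RE = re.compile(r"^add\s+" + ENDPOINTS + r"\s+esp-udp\s+(0x[0-9a-fA-F]+)", re.M)
SAD_RE = re.compile(ENDPOINTS + r"\s+esp-udp\s+mode=\S+\s+spi=\d+\((0x[0-9a-fA-F]+)\)")

def _by_spi(regex, text):
    """Map SPI -> (src, src_port, dst, dst_port) for every esp-udp SA in text."""
    return {int(m.group(5), 16): (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
            for m in regex.finditer(text)}

def find_mismatches(conf_text, sad_text):
    """Return {spi: (requested, installed)} for SAs whose addresses or ports differ.
    installed is None when the kernel did not install that SPI at all."""
    requested, installed = _by_spi(CONF_RE, conf_text), _by_spi(SAD_RE, sad_text)
    return {spi: (want, installed.get(spi))
            for spi, want in requested.items() if installed.get(spi) != want}

if __name__ == "__main__":
    for spi, (want, got) in sorted(find_mismatches(SETKEY_CONF, SAD_DUMP).items()):
        print(f"spi 0x{spi:08x}: requested {want}, installed {got}")
```

On the post's data it flags exactly SPIs 0x1120 and 0x2011, both installed with port 50000 where 60000 was requested; run it against a live "setkey -D" capture to confirm the SAD after each racoon negotiation.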