Date: Wed, 2 May 2012 20:00:24 +0000 From: "Bjoern A. Zeeb" <bzeeb-lists@lists.zabbadoz.net> To: Zmiter <zmiterby@gmail.com> Cc: freebsd-stable@freebsd.org, Andreas Longwitz <longwitz@incore.de> Subject: Re: Support for IPSec NAT-T in transoprt mode Message-ID: <4579CE0F-2318-4FF1-B1EA-1EC69B24B1DF@lists.zabbadoz.net> In-Reply-To: <4FA181E3.9020303@gmail.com> References: <4F970899.2040105@incore.de> <4FA181E3.9020303@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On 2. May 2012, at 18:50 , Zmiter wrote: > 24.04.2012 23:10, Andreas Longwitz ?????: >> There is one limitation I would like to get over. =46rom man 8 = setkey: >> System that do not perform the port check cannot support multiple >> endpoints behind the same NAT. I think this is a FreeBSD kernel = restriction: >> For the first incoming L2TP packet the IPSEC part of the kernel does = not >> save the source port in the corresponding SA (maybe a field like >> natt_l2tp_port). So the kernel does for outgoing L2TP packets not = know >> the correct SA, if two ore more SA's with the same IP exists. >>=20 >> I would like to know if the patch mentioned in this thread adresses = this >> problem. > Thank you very much for your attention. > I've been testing those patches (actually, without your part) and YES = it's a big problem with clients (Android, Windows Mobile) behind the = same NAT. I cannot find the solution yet, but I'm very interested in it. > So, my Androids is some sort of stupid bricks, they do not send NAT-OA = payloads at phase 2, and ipsec-tools fills the SPD with IPs taken from = IDs. But this is not the correct way. IDs contain LAN (which is behind = the NAT) addresses, and FreeBSD cannot route packets to the IPSec crypto = part. > I've made some quick patching of IPSec tools to get my devices = working, but I don't know if they accomodate to the RFCs and ISAKMP. The = main idea is to take NAT-OAi and NAT-OAr addresses not from IDs when we = are using NAT-T, but from real source and destination addresses of the = server and client NATs. >=20 > Here is my ipsec-tools patch (i've call it patch-zz-local-2.diff and = place at /usr/ports/security/ipsec-tools/files with two other patches = from kern /146190) ... > It differs from that in kern/146190 in one simple thing. I have = problems with the original patch from kern/146190. When there was no = NAT-OAi or NAT-OAr values in the kernel space, checksums was calculated = at 0, but they were not ignored despite of the sysctl = net.inet.esp.esp_ignore_natt_cksum value. The improvement allows to = ignore every checksum in esp packets when = net.inet.esp.esp_ignore_natt_cksum=3D1. Just replying to the last one -- you all need to make sure that this = will work with a double-NAT (both i and r sitting behind a NAT) and not = just i behind a NAT and r sitting there with a globally routable IP. The changes suddenly become a lot more complex. Just my 5cts. /bz --=20 Bjoern A. Zeeb You have to have visions! It does not matter how good you are. It matters what good you do!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4579CE0F-2318-4FF1-B1EA-1EC69B24B1DF>