From owner-freebsd-net@FreeBSD.ORG Thu Jun 26 10:09:05 2008
Return-Path:
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 029C11065672 for ; Thu, 26 Jun 2008 10:09:05 +0000 (UTC) (envelope-from harunaga@harunaga.ru)
Received: from Harunaga.ru (harunaga.ru [80.85.150.78]) by mx1.freebsd.org (Postfix) with ESMTP id 3EA598FC1A for ; Thu, 26 Jun 2008 10:09:04 +0000 (UTC) (envelope-from harunaga@harunaga.ru)
Received: from harunaga-pc.chics.ru (CorporateHouse.chics.ru [80.85.151.246]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (No client certificate requested) by Harunaga.ru (Postfix) with ESMTP id 065C6159D88 for ; Thu, 26 Jun 2008 16:09:02 +0600 (YEKST)
From: Daniil Harun
To: freebsd-net@freebsd.org
Date: Thu, 26 Jun 2008 16:09:00 +0600
User-Agent: KMail/1.8.2
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Message-Id: <200806261609.01289.harunaga@harunaga.ru>
Subject: patch for IPSEC_NAT_T
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: harunaga@harunaga.ru
List-Id: Networking and TCP/IP with FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 26 Jun 2008 10:09:05 -0000

Dear sirs! Sorry for my bad English! I ask you to help me, if you have some spare time. I'm using the patch for IPSEC NAT Traversal support on FreeBSD 7.0. NAT-T does not work with Windows XP in a real situation.
# cd /usr/src/sys
# patch < patch-natt-freebsd7-2008-03-11.diff

Kernel config (FreeBSD 7.0):

options IPSEC
options IPSEC_NAT_T
device enc
device crypto
device cryptodev

Racoon config:

listen {
	isakmp 80.85.151.51 [500];
	isakmp_natt 80.85.151.51 [4500];
}
timer {
	natt_keepalive 10 sec;
}
remote anonymous {
	exchange_mode main;
	my_identifier asn1dn;
	certificate_type x509 "ipsec-server.crt" "ipsec-server.key";
	peers_certfile "ipsec-client.crt";
	passive on;
	generate_policy on;
	nat_traversal force;
	proposal_check obey;	# obey, strict, or claim
	proposal {
		authentication_method rsasig;
		encryption_algorithm 3des;
		hash_algorithm sha1;
		dh_group 2;
	}
}
sainfo anonymous {
	pfs_group 2;
	lifetime time 10 min;
	encryption_algorithm 3des, rijndael;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}

# ipfw show
00001 0 0 allow ip from any to any via enc0
65535 0 0 allow ip from any to any

Configure and apply the policies on the Windows IPsec side. The host with Windows XP has address 80.85.145.224. The host with FreeBSD has address 80.85.151.51. Ping FreeBSD from Windows XP and run tcpdump on FreeBSD.
# tcpdump -npti fxp0 host 80.85.145.224
IP 80.85.145.224.500 > 80.85.151.51.500: isakmp: phase 1 I ident
IP 80.85.151.51.500 > 80.85.145.224.500: isakmp: phase 1 R ident
IP 80.85.145.224.500 > 80.85.151.51.500: isakmp: phase 1 I ident
IP 80.85.151.51.500 > 80.85.145.224.500: isakmp: phase 1 R ident
IP 80.85.145.224.4500 > 80.85.151.51.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP 80.85.145.224 > 80.85.151.51: udp
IP 80.85.151.51.4500 > 80.85.145.224.4500: NONESP-encap: isakmp: phase 1 R ident[E]
IP 80.85.151.51.4500 > 80.85.145.224.4500: NONESP-encap: isakmp: phase 2/others R inf[E]
IP 80.85.145.224.4500 > 80.85.151.51.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
IP 80.85.151.51.4500 > 80.85.145.224.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
IP 80.85.145.224.4500 > 80.85.151.51.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x1), length 76
IP 80.85.145.224.4500 > 80.85.151.51.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
IP 80.85.145.224.4500 > 80.85.151.51.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x2), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: UDP-encap: ESP(spi=0xa9d7fa75,seq=0x1), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: isakmp-nat-keep-alive
IP 80.85.145.224.4500 > 80.85.151.51.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x3), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: UDP-encap: ESP(spi=0xa9d7fa75,seq=0x2), length 76
IP 80.85.145.224.4500 > 80.85.151.51.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x4), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: UDP-encap: ESP(spi=0xa9d7fa75,seq=0x3), length 76
IP 80.85.151.51.4500 > 80.85.145.224.4500: isakmp-nat-keep-alive

# tcpdump -npti enc0
(authentic,confidential): SPI 0x0786ecb5: IP 80.85.145.224 > 80.85.151.51: ICMP echo request, id 512, seq 4608, length 40
(authentic,confidential): SPI 0x60fa28ee: IP 80.85.151.51 > 80.85.145.224: ICMP echo reply, id 512, seq 4608, length 40
(authentic,confidential): SPI 0x0786ecb5: IP 80.85.145.224 > 80.85.151.51: ICMP echo request, id 512, seq 4864, length 40
(authentic,confidential): SPI 0x60fa28ee: IP 80.85.151.51 > 80.85.145.224: ICMP echo reply, id 512, seq 4864, length 40
(authentic,confidential): SPI 0x0786ecb5: IP 80.85.145.224 > 80.85.151.51: ICMP echo request, id 512, seq 5120, length 40
(authentic,confidential): SPI 0x60fa28ee: IP 80.85.151.51 > 80.85.145.224: ICMP echo reply, id 512, seq 5120, length 40

# /usr/local/sbin/setkey -D
80.85.151.51[4500] 80.85.145.224[4500]
	esp-udp mode=transport spi=1074885652(0x40117414) reqid=0(0x00000000)
	E: 3des-cbc 2753f418 16ae6b2d 7db165b1 78489da4 84c61b5c 74ba0eab
	A: hmac-sha1 8dbb660d 8d461664 db9f2576 b1c51494 24bc72f3
	seq=0x00000001 replay=4 flags=0x00000000 state=mature
	created: Jun 25 22:33:08 2008	current: Jun 25 22:33:14 2008
	diff: 6(s)	hard: 900(s)	soft: 900(s)
	last: Jun 25 22:33:09 2008	hard: 0(s)	soft: 0(s)
	current: 96(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 1	hard: 0	soft: 0
	sadb_seq=1 pid=9531 refcnt=2
80.85.145.224[4500] 80.85.151.51[4500]
	esp-udp mode=transport spi=145306844(0x08a934dc) reqid=0(0x00000000)
	E: 3des-cbc 236d1e55 e194f00c a18ed711 081baab3 2692c6f5 6607f06e
	A: hmac-sha1 74971750 35c1ed4a 7f435f86 b17a4195 7d1aee61
	seq=0x00000001 replay=4 flags=0x00000000 state=mature
	created: Jun 25 22:33:08 2008	current: Jun 25 22:33:14 2008
	diff: 6(s)	hard: 900(s)	soft: 900(s)
	last: Jun 25 22:33:09 2008	hard: 0(s)	soft: 0(s)
	current: 60(bytes)	hard: 0(bytes)	soft: 0(bytes)
	allocated: 1	hard: 0	soft: 0
	sadb_seq=0 pid=9531 refcnt=1

# /usr/local/sbin/setkey -DP
80.85.145.224[any] 80.85.151.51[any] any
	in ipsec
	esp/transport//require
	spid=3366 seq=1 pid=9532
	refcnt=1
80.85.151.51[any] 80.85.145.224[any] any
	out ipsec
	esp/transport//require
	spid=3367 seq=0 pid=9532
	refcnt=1

Everything works; UDP and TCP traffic passes through IPSEC. L2TP over IPSEC works normally.
# /usr/local/sbin/setkey -DP
80.85.145.224[any] 80.85.151.51[1701] udp
	in ipsec
	esp/transport//require
	spid=3368 seq=1 pid=9606
	refcnt=1
80.85.151.51[1701] 80.85.145.224[any] udp
	out ipsec
	esp/transport//require
	spid=3369 seq=0 pid=9606
	refcnt=1

But when the host is placed behind NAT, everything stops working. After IKE negotiates and the keys are added to the SA database, traffic does not pass. "tcpdump enc0" shows that the traffic is decoded normally, but then it is not processed; the packets are discarded. The ipfw counters for rule 1 do not grow. On FreeBSD 6.2 I have the same problem (FAST_IPSEC or KAME IPSEC). How to fix it? I would be happy to answer any questions!

--
Best regards,
Harun Daniil
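The wire trace and the SAD dump quoted in the mail can be checked against each other mechanically, which is a useful first step whenever UDP-encapsulated ESP arrives but the decrypted packets never reach the host. The script below is an added example and is not part of this mail, of racoon, or of the FreeBSD NAT-T patch: it parses "tcpdump -n" output in the format shown (IKE exchanges on 500 and 4500, NAT keepalives, UDP-encap ESP) and "setkey -D" output, then reports every ESP SPI seen on the wire that has no SA at all, whose SA is not an esp-udp SA, or whose SA endpoints and ports differ from what the packets carry. All sample lines, addresses (documentation ranges) and keys in it are constructed; the SPI 0xdeadbeef is a deliberate stray with no matching SA, and the second sample SA is deliberately plain "esp" so the encapsulation check fires.

```python
import re
from collections import Counter

# Constructed sample data in the formats the mail shows for "tcpdump -npti fxp0"
# and "setkey -D" (not the mail's own captures). Addresses are documentation
# ranges; the SPI 0xdeadbeef is a deliberate stray with no SA.
TCPDUMP_FXP0 = """\
IP 203.0.113.10.500 > 198.51.100.5.500: isakmp: phase 1 I ident
IP 198.51.100.5.500 > 203.0.113.10.500: isakmp: phase 1 R ident
IP 203.0.113.10.4500 > 198.51.100.5.4500: NONESP-encap: isakmp: phase 1 I ident[E]
IP 198.51.100.5.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R oakley-quick[E]
IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x1), length 76
IP 198.51.100.5.4500 > 203.0.113.10.4500: UDP-encap: ESP(spi=0xa9d7fa75,seq=0x1), length 76
IP 198.51.100.5.4500 > 203.0.113.10.4500: isakmp-nat-keep-alive
IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0x00a13e8f,seq=0x2), length 76
IP 203.0.113.10.4500 > 198.51.100.5.4500: UDP-encap: ESP(spi=0xdeadbeef,seq=0x1), length 76
"""

# Constructed SAD dump; the second SA is deliberately "esp" rather than
# "esp-udp" so the encapsulation check below reports it. Keys are dummies.
SETKEY_D = """\
198.51.100.5[4500] 203.0.113.10[4500]
\tesp-udp mode=transport spi=2849503861(0xa9d7fa75) reqid=0(0x00000000)
\tE: 3des-cbc 00000000 00000000 00000000 00000000 00000000 00000000
\tA: hmac-sha1 00000000 00000000 00000000 00000000 00000000
\tseq=0x00000001 replay=4 flags=0x00000000 state=mature
203.0.113.10[4500] 198.51.100.5[4500]
\tesp mode=transport spi=10567311(0x00a13e8f) reqid=0(0x00000000)
\tE: 3des-cbc 00000000 00000000 00000000 00000000 00000000 00000000
\tA: hmac-sha1 00000000 00000000 00000000 00000000 00000000
\tseq=0x00000001 replay=4 flags=0x00000000 state=mature
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
# "IP a.b.c.d.sport > e.f.g.h.dport: UDP-encap: ESP(spi=0x...,seq=0x...)"
ESP_RE = re.compile(r"^IP " + IPV4 + r"\.(\d+) > " + IPV4 + r"\.(\d+): "
                    r"UDP-encap: ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
# IKE on 500 (plain) or on 4500 (prefixed "NONESP-encap:")
IKE_RE = re.compile(r"^IP \S+ > \S+: (NONESP-encap: )?isakmp: (phase \S+)")
# setkey -D: "src[port] dst[port]" header, then an indented protocol/spi line
SA_HDR_RE = re.compile(r"^" + IPV4 + r"\[(\d+)\] " + IPV4 + r"\[(\d+)\]\s*$")
SA_PROTO_RE = re.compile(r"^\s*(esp-udp|esp|ah) mode=(\w+) spi=\d+\(0x([0-9a-f]+)\)")


def summarize_capture(text):
    """Split a tcpdump NAT-T trace into IKE counts, keepalives and ESP flows keyed by SPI."""
    ike = Counter()
    keepalives = 0
    esp = {}  # spi (int) -> {src, sport, dst, dport, packets, max_seq}
    for line in text.splitlines():
        if line.endswith("isakmp-nat-keep-alive"):
            keepalives += 1
            continue
        m = ESP_RE.match(line)
        if m:
            src, sport, dst, dport, spi_hex, seq_hex = m.groups()
            rec = esp.setdefault(int(spi_hex, 16), {
                "src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
                "packets": 0, "max_seq": 0})
            rec["packets"] += 1
            rec["max_seq"] = max(rec["max_seq"], int(seq_hex, 16))
            continue
        m = IKE_RE.match(line)
        if m:
            encap, phase = m.groups()
            ike[phase + (" over 4500" if encap else " over 500")] += 1
    return {"ike": ike, "keepalives": keepalives, "esp": esp}


def parse_sad(text):
    """Parse "setkey -D" output into spi (int) -> {src, sport, dst, dport, proto, mode}."""
    sad, hdr = {}, None
    for line in text.splitlines():
        m = SA_HDR_RE.match(line)
        if m:
            hdr = m.groups()
            continue
        m = SA_PROTO_RE.match(line)
        if m and hdr:
            proto, mode, spi_hex = m.groups()
            sad[int(spi_hex, 16)] = {"src": hdr[0], "sport": int(hdr[1]), "dst": hdr[2],
                                     "dport": int(hdr[3]), "proto": proto, "mode": mode}
            hdr = None
    return sad


def correlate(capture, sad):
    """Return (spi, problem) pairs for every ESP flow on the wire that the SAD cannot serve."""
    findings = []
    for spi, flow in sorted(capture["esp"].items()):
        tag = "0x%08x" % spi
        sa = sad.get(spi)
        if sa is None:
            findings.append((tag, "no SA in the SAD: packets with this SPI cannot be decrypted"))
            continue
        if sa["proto"] != "esp-udp":
            findings.append((tag, "SA is %s, not esp-udp: UDP encapsulation not bound to this SA"
                             % sa["proto"]))
        wire = (flow["src"], flow["sport"], flow["dst"], flow["dport"])
        if (sa["src"], sa["sport"], sa["dst"], sa["dport"]) != wire:
            findings.append((tag, "SA endpoints %s[%d] -> %s[%d] differ from wire %s[%d] -> %s[%d]"
                             % (sa["src"], sa["sport"], sa["dst"], sa["dport"]) + wire))
    return findings


if __name__ == "__main__":
    cap = summarize_capture(TCPDUMP_FXP0)
    print("IKE:", dict(cap["ike"]), "keepalives:", cap["keepalives"])
    for spi, problem in correlate(cap, parse_sad(SETKEY_D)):
        print(spi, problem)
```

To use it on a live box, replace the two constants with the saved output of "tcpdump -npti fxp0 host <peer>" and "setkey -D" taken at the same time, since SPIs change on every rekey and a capture from an earlier SA pair will not match the current SAD. A flow that passes all three checks and is still not delivered points past the SAD, at the post-decryption path (policy lookup, enc0 filtering), rather than at key exchange.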