From owner-freebsd-net@FreeBSD.ORG Fri Jul 24 12:06:16 2009
Date: Fri, 24 Jul 2009 14:06:11 +0200 (CEST)
From: Ingo Flaschberger <if@xip.at>
To: VANHULLEBUS Yvan
Cc: freebsd-net@freebsd.org
Subject: Re: natt (again) in 7.2 stable and a forticlient
In-Reply-To: <20090724082915.GA93467@zeninc.net>
References: <20090724082915.GA93467@zeninc.net>
List-Id: Networking and TCP/IP with FreeBSD

Dear Yvan,

>> I have tried to get natt at freebsd 7.2 stable with your patch
>> http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
>> and ipsec-tools 0.7.2 and 0.8-alpha20090525+natt running,
>> but have no success.
>
> http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
> will work with ipsec-tools 0.7.2 but NOT with 0.8-alpha20090525+natt.

Seems to work with both versions.

>> negotiation works, but traffic from forticlient gives
>> esp_input_cb: authentication hash mismatch for packet in SA x.x.x.x/009320d9
>> error.
>
> Strange....
> does this work with the same forticlient but without NAT-T ?

yes.

>> Also there is no traffic seen incoming at the forticlient, but leaves the
>> freebsd-box.
>
> Are you sure you don't have "something strange" on your network ?
> For example an old and ugly "IKE proxy" which tries to "fix"
> traffic coming through UDP 500 ?
>
> Can you check what version of NAT-T is used by your forticlient ?

"draft"

If I use the RFC version of the http://shrew.net/ ipsec-client (2.1.5-rc-2), NAT-T works.

> By default, ipsec-tools will announce support for RFC and drafts 00/01
> (we'll have to change that to only announce RFC by default).

I will try that.

> If forticlient announces/chooses drafts 00/01, and if there is some
> kind of IKE proxy on the way, it will probably just not work (and
> may explain authentication hash mismatches....).

I have tried that behind 2 different NAT gateways (FreeBSD and Linux) and there was definitely no IKE proxy.

If I use the draft version with the http://shrew.net/ ipsec-client, I see valid incoming packets (ICMP pings), but the ipsec-client tells me that the ICMP ping return packets have an unknown phase 1 SA.

Kind regards,
Ingo Flaschberger
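Yvan's question about which NAT-T version the FortiClient uses can be answered from a capture of the phase 1 exchange on UDP 500: an IKEv1 peer announces NAT-T support with Vendor ID payloads whose 16-byte value is the MD5 of a well-known string ("RFC 3947" for the RFC, the draft name for the drafts, and a variant that hashed the draft-02 name with a trailing newline). The script below is an added example written for this page, not code from the thread, from ipsec-tools or from FortiClient; it walks the ISAKMP payload chain of a constructed, inline message (the sample bytes, and the names `build_message`, `parse_payloads`, `natt_versions`, `choose_natt` and `is_well_formed`, are mine), lists the NAT-T versions the peer announced, and picks the one a responder that prefers the RFC would select. A peer that only announces draft-00/01 shows up as such, which is the case Yvan describes as fragile behind an IKE proxy.

```python
import hashlib
import struct

# Strings whose MD5 is carried in an IKEv1 Vendor ID payload to announce NAT-T
# support (RFC 3947 section 3.1 for the RFC string; the draft names predate it).
NATT_VENDOR_STRINGS = [
    "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-03",
    "draft-ietf-ipsec-nat-t-ike-02\n",   # variant: draft-02 name hashed with a trailing newline
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-01",
    "draft-ietf-ipsec-nat-t-ike-00",
]

def natt_vid(vendor_string: str) -> bytes:
    """Vendor ID value (16-byte MD5) for a NAT-T version string."""
    return hashlib.md5(vendor_string.encode("ascii")).digest()

def _display_name(s: str) -> str:
    return s.rstrip("\n") + (" (newline variant)" if s.endswith("\n") else "")

# digest -> readable name; NATT_VENDOR_STRINGS order doubles as preference order
NATT_VID_TABLE = {natt_vid(s): _display_name(s) for s in NATT_VENDOR_STRINGS}

ISAKMP_HDR_LEN = 28   # cookies(16) next(1) version(1) exchange(1) flags(1) msgid(4) length(4)
PAYLOAD_NONE = 0
PAYLOAD_VID = 13

def parse_payloads(msg: bytes):
    """Walk the ISAKMP payload chain, yielding (payload_type, body) pairs.
    Every length is checked against the buffer before use, so a truncated or
    malformed packet raises ValueError instead of being read past its end."""
    if len(msg) < ISAKMP_HDR_LEN:
        raise ValueError("short ISAKMP header")
    next_type = msg[16]
    off = ISAKMP_HDR_LEN
    while next_type != PAYLOAD_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated generic payload header at offset %d" % off)
        following, _reserved, length = struct.unpack("!BBH", msg[off:off + 4])
        if length < 4 or off + length > len(msg):
            raise ValueError("bad payload length %d at offset %d" % (length, off))
        yield next_type, msg[off + 4:off + length]
        next_type, off = following, off + length

def natt_versions(msg: bytes):
    """Names of the NAT-T versions announced via Vendor ID payloads, in wire order."""
    return [NATT_VID_TABLE[body] for ptype, body in parse_payloads(msg)
            if ptype == PAYLOAD_VID and body in NATT_VID_TABLE]

def choose_natt(announced):
    """Version a responder preferring the RFC would select, newest draft otherwise."""
    for s in NATT_VENDOR_STRINGS:
        if _display_name(s) in announced:
            return _display_name(s)
    return None

def is_well_formed(msg: bytes) -> bool:
    """True if the whole payload chain parses without a length error."""
    try:
        for _ in parse_payloads(msg):
            pass
        return True
    except ValueError:
        return False

def build_message(vendor_ids) -> bytes:
    """Constructed phase 1 message carrying only Vendor ID payloads (test input,
    not a real capture): Identity Protection exchange, IKE version 1.0."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8,
                      PAYLOAD_VID if vendor_ids else PAYLOAD_NONE, 0x10, 2, 0, 0, 0)
    body = b""
    for i, vid in enumerate(vendor_ids):
        following = PAYLOAD_VID if i + 1 < len(vendor_ids) else PAYLOAD_NONE
        body += struct.pack("!BBH", following, 0, 4 + len(vid)) + vid
    msg = hdr + body
    return msg[:24] + struct.pack("!I", len(msg)) + msg[28:]   # fill in total length

if __name__ == "__main__":
    # Constructed peer: announces RFC 3947 and draft-00, plus an unrelated vendor ID.
    sample = build_message([natt_vid("RFC 3947"),
                            natt_vid("draft-ietf-ipsec-nat-t-ike-00"),
                            b"\xaa" * 16])
    print("announced:", natt_versions(sample))
    print("selected: ", choose_natt(natt_versions(sample)))
```

To use it on a real exchange, feed the UDP payload of the first packet from each side (the bytes after the UDP header, not the NAT-T 4-byte non-ESP marker that appears only once the exchange moves to port 4500) to `natt_versions`; a client that lists no RFC 3947 ID but does list draft-00 or draft-01 is what this thread calls a "draft" client.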