From owner-freebsd-net@FreeBSD.ORG Sun Sep 24 18:55:34 2006
Date: Sun, 24 Sep 2006 20:55:27 +0200
From: VANHULLEBUS Yvan
To: freebsd-net@freebsd.org
Message-ID: <20060924185527.GA2230@jayce.zen.inc>
References: <20060914093034.A83805@gta.com> <20060924235353.3adaa23d.nork@FreeBSD.org>
In-Reply-To: <20060924235353.3adaa23d.nork@FreeBSD.org>
Subject: Re: FAST_IPSEC NAT-T support
List-Id: Networking and TCP/IP with FreeBSD

On Sun, Sep 24, 2006 at 11:53:53PM +0900, Norikatsu Shigemura wrote:
[....]

Hi.

> I'm testing IPSec NAT-T BETWEEN 6.2-PRERELEASE with freebsd6-
> ipsec-fastipsec-natt.diff + nokey.diff AND Windows XP like
> following environment:
> [.....]
>
> I couldn't dial-up VPN from Windows XP for some reason. And I
> don't know what's happening :-(. Please teach me a hint!
> [....]
>
> 2. main mode with pre-shared key doesn't handle FQDN.
> I don't know why Windows XP provides IPSECDOI_ID_FQDN. But
> ipsecdoi_checkid1 in ipsec_doi.c doesn't complete :-(. So
> I made an ad-hoc patch :-(.
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> --- src/racoon/ipsec_doi.c.orig Thu Feb 2 23:37:17 2006
> +++ src/racoon/ipsec_doi.c Sun Sep 24 23:28:42 2006
> @@ -3277,10 +3277,9 @@
> iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
> if (id_b->type != IPSECDOI_ID_IPV4_ADDR
> && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
> - plog(LLV_ERROR, LOCATION, NULL,
> + plog(LLV_WARNING, LOCATION, NULL,
> "Expecting IP address type in main mode, "
> "but %s.\n", s_ipsecdoi_ident(id_b->type));
> - return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
> }
> }

Main mode with Preshared key can only use Addresses as IDs, as explained
in RFC 2409....

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> 3. I don't know why no communication between FreeBSD and Windows.
> Between 23:02:18 and 23:02:53, Windows XP re-sent some packets.
> But FreeBSD didn't respond to them. So Windows XP gave up.
>
>
> /var/log/racoon.log
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[....]
> Sep 24 23:02:18 AAAA racoon: INFO: Adjusting my encmode UDP-Transport->Transport
> Sep 24 23:02:18 AAAA racoon: INFO: Adjusting peer's encmode UDP-Transport(61444)->Transport(2)

Warning: NAT-T support for transport mode is very partial, and won't work
for TCP sessions. If you are trying to set up L2TP/IPSec sessions, it may
work as L2TP uses UDP.

[.....]
> Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport 219.127.74.120[4500]->A.A.A.A[4500] spi=74428117(0x46faed5)
> Sep 24 23:02:18 AAAA racoon: phase2(quick): 1159106538.353179
> Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport A.A.A.A[4500]->219.127.74.120[4500] spi=106731081(0x65c9649)
> Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in"
> Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "A.A.A.A/32[1701] 219.127.74.120/32[4500] proto=udp dir=out"

Looks like the IPSec SAs are negotiated.
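Review bot: removing `return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` while keeping the "Expecting IP address type in main mode" message (now only at LLV_WARNING) turns a rejection into a log line, so any non-address ID type is accepted unconditionally for main mode with PSK, which is exactly what the reply's RFC 2409 remark says is not allowed. If the goal is interoperability with a peer that sends IPSECDOI_ID_FQDN, gate the relaxed check behind an explicit configuration option and keep the rejection as the default; as written the hunk also leaves the warning text claiming an expectation that the code no longer enforces.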
> (sleep about 45sec)
>
> Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000041
> Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000029
> Sep 24 23:02:53 AAAA racoon: INFO: generated policy, deleting it.
> Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA proto_id=ESP spi=106731081.
> Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
> Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
> Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000034
> Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000023
> Sep 24 23:02:53 AAAA racoon: INFO: purging ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
> Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA spi=74428117.
> Sep 24 23:02:53 AAAA racoon: INFO: purged ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
> Sep 24 23:02:54 AAAA racoon: INFO: ISAKMP-SA deleted A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
> Sep 24 23:02:54 AAAA racoon: INFO: KA remove: A.A.A.A[4500]->219.127.74.120[4500]

Ok. I really guess you are using the VPN client shipped with Windows, which
will try to set up an L2TP session through the IPSec transport.

As you probably don't have an L2TP server on your FreeBSD side, Windows
gives up and probably sends a DELETE_SA.

Yvan.

--
NETASQ
http://www.netasq.com
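An added triage helper, not from this thread or from racoon itself: it parses racoon log lines of the shape quoted above, pairs each "IPsec-SA established" with its later "purged IPsec-SA" line, and reports SAs torn down shortly after coming up together with the "such policy does not already exist" errors, which is the signature of an SA that was negotiated but never carried the expected L2TP traffic. The sample log is constructed from the quoted lines; the 60-second threshold and the log year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the racoon log lines quoted in the thread.
SAMPLE_LOG = """\
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport 219.127.74.120[4500]->A.A.A.A[4500] spi=74428117(0x46faed5)
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport A.A.A.A[4500]->219.127.74.120[4500] spi=106731081(0x65c9649)
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in"
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "A.A.A.A/32[1701] 219.127.74.120/32[4500] proto=udp dir=out"
Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA proto_id=ESP spi=106731081.
Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA spi=74428117.
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (.*)$")
EST_RE = re.compile(r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)")
PURGE_RE = re.compile(r"purged IPsec-SA (?:proto_id=\S+ )?spi=(\d+)")
POLICY_RE = re.compile(r'such policy does not already exist: "([^"]+)"')


def parse_ts(stamp, year=2006):
    """syslog stamps carry no year; the year is an assumption supplied by the caller."""
    return datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")


def triage(log, max_lifetime=60):
    """Return SAs purged within max_lifetime seconds of coming up, plus missing-policy errors."""
    established, purged, missing = {}, {}, []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if e := EST_RE.search(msg):
            established[e.group(4)] = (ts, e.group(2), e.group(3))  # spi -> (time, src, dst)
        elif p := PURGE_RE.search(msg):
            purged[p.group(1)] = ts
        elif q := POLICY_RE.search(msg):
            missing.append(q.group(1))
    short_lived = []
    for spi, (ts, src, dst) in established.items():
        if spi in purged:
            life = (purged[spi] - ts).total_seconds()
            if life <= max_lifetime:
                short_lived.append({"spi": spi, "src": src, "dst": dst, "lifetime": life})
    return {"short_lived": short_lived, "missing_policies": missing}


if __name__ == "__main__":
    for sa in triage(SAMPLE_LOG)["short_lived"]:
        print(f"SA spi={sa['spi']} {sa['src']}->{sa['dst']} purged after {sa['lifetime']:.0f}s")
```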