Date:      Sun, 24 Sep 2006 20:55:27 +0200
From:      VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
To:        freebsd-net@freebsd.org
Subject:   Re:  FAST_IPSEC NAT-T support
Message-ID:  <20060924185527.GA2230@jayce.zen.inc>
In-Reply-To: <20060924235353.3adaa23d.nork@FreeBSD.org>
References:  <20060914093034.A83805@gta.com> <20060924235353.3adaa23d.nork@FreeBSD.org>

On Sun, Sep 24, 2006 at 11:53:53PM +0900, Norikatsu Shigemura wrote:
[....]

Hi.


> 	I'm testing IPSec NAT-T BETWEEN 6.2-PRERELEASE with freebsd6-
> 	ipsec-fastipsec-natt.diff + nokey.diff  AND  Windows XP in the
> 	following environment:
> 
[.....]
> 
> 	I couldn't dial up the VPN from Windows XP for some reason, and I
> 	don't know what's happening :-(.  Please give me a hint!
> 
[....]
> 
> 	2. main mode with pre-shared key doesn't handle FQDN.
> 	   I don't know why Windows XP provides IPSECDOI_ID_FQDN.  But
> 	   ipsecdoi_checkid1 in ipsec_doi.c doesn't complete:-(.  So
> 	   I made an ad-hoc patch:-(.
> 
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> --- src/racoon/ipsec_doi.c.orig	Thu Feb  2 23:37:17 2006
> +++ src/racoon/ipsec_doi.c	Sun Sep 24 23:28:42 2006
> @@ -3277,10 +3277,9 @@
>  	    iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
>  		 if (id_b->type != IPSECDOI_ID_IPV4_ADDR
>  		  && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
> -			plog(LLV_ERROR, LOCATION, NULL,
> +			plog(LLV_WARNING, LOCATION, NULL,
>  				"Expecting IP address type in main mode, "
>  				"but %s.\n", s_ipsecdoi_ident(id_b->type));
> -			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
>  		}
>  	}
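Review bot: deleting `return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` removes the check instead of relaxing it: after this hunk ipsecdoi_checkid1 accepts any ID type from a main-mode/pre-shared-key peer, and the plog (now downgraded to LLV_WARNING) is the only trace left that a non-address ID arrived. As the reply notes, RFC 2409 only allows address IDs here, so a peer presenting IPSECDOI_ID_FQDN is sending something the daemon cannot check against the pre-shared key it selected by address. If the goal is Windows XP interoperability, keep the `return` on the default path and skip it only behind an explicit per-remote configuration option, still logging at LLV_ERROR when that override is taken, rather than silently accepting the ID for every peer.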

Main mode with Preshared key can only use Addresses as IDs, as
explained in RFC 2409....



> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> 
> 	3. I don't know why there is no communication between FreeBSD and Windows.
> 	   Between 23:02:18 and 23:02:53, Windows XP re-sent some packets.
> 	   But FreeBSD didn't respond to them.  So Windows XP gave up.
> 
> 
> /var/log/racoon.log
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[....]
> Sep 24 23:02:18 AAAA racoon: INFO: Adjusting my encmode UDP-Transport->Transport
> Sep 24 23:02:18 AAAA racoon: INFO: Adjusting peer's encmode UDP-Transport(61444)->Transport(2)

Warning: NAT-T support for transport mode is very partial, and won't
work for TCP sessions.

If you are trying to set up L2TP/IPSec sessions, it may work as L2TP
uses UDP.

[.....]
> Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport 219.127.74.120[4500]->A.A.A.A[4500] spi=74428117(0x46faed5)
> Sep 24 23:02:18 AAAA racoon: phase2(quick): 1159106538.353179
> Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport A.A.A.A[4500]->219.127.74.120[4500] spi=106731081(0x65c9649)
> Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in"
> Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "A.A.A.A/32[1701] 219.127.74.120/32[4500] proto=udp dir=out"

Looks like the IPSec SAs are negotiated.


> 	(sleep about 45sec)
> 
> Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000041
> Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000029
> Sep 24 23:02:53 AAAA racoon: INFO: generated policy, deleting it.
> Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA proto_id=ESP spi=106731081.
> Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
> Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
> Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000034
> Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000023
> Sep 24 23:02:53 AAAA racoon: INFO: purging ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
> Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA spi=74428117.
> Sep 24 23:02:53 AAAA racoon: INFO: purged ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
> Sep 24 23:02:54 AAAA racoon: INFO: ISAKMP-SA deleted A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
> Sep 24 23:02:54 AAAA racoon: INFO: KA remove: A.A.A.A[4500]->219.127.74.120[4500]

Ok.

I really guess you are using the VPN client shipped with Windows,
which will try to set up an L2TP session through the IPSec transport.

As you probably don't have an L2TP server on your FreeBSD side,
Windows gives up and probably sends a DELETE_SA.



Yvan.

-- 
NETASQ
http://www.netasq.com


