Date: Mon, 20 Sep 2010 21:03:00 +0530
From: ashish@FreeBSD.org (Ashish SHUKLA)
To: freebsd-net@FreeBSD.org
Subject: IPsec + L2TP using racoon + mpd5
Message-ID: <86ocbs5t1v.fsf@chateau.d.if>
Hi everyone,

A few weeks ago, I posted the problem of being unable to use IPsec behind
NAT[1]. Thanks to the code in ipsec-tools CVS HEAD, the IPSEC_NAT_T kernel
option and mpd5, I was able to use it, on the router and behind NAT, without
any issues.

A few days ago, I lost the "behind NAT" configuration of this combo, and
forgot to take backups :(. So, at present I can only use this combo without
any issues on the router, but when inside NAT, it fails. This is the same box
which is sometimes used as a router, and sometimes gets NATed.

When behind NAT, I can see that the IPsec tunnel gets created, and I can see
IPsec ESP traffic flowing in/out over UDP port 4500. But the L2TP tunnel
never gets realized, whereas when on the router with this same mpd5
configuration, the L2TP tunnel gets created just fine.

The server is running racoon + OpenL2TP on GNU/Linux using the NETKEY
implementation. The other clients in the network, including a GNU/Linux box
and a Windows box, are able to connect to this L2TP/IPsec tunnel just fine,
behind NAT.

I'm wondering if anyone knows what I might be missing in the configurations
posted below:

1. racoon configuration.

#v+
# racoon-nat.conf
path certificate "/home/abbe/ipsec/ca";
log info;

listen {
        adminsock "/var/db/racoon/racoon.sock" "root" "operator" 0660;
}

remote XXX.XXX.XXX.XXX {
        exchange_mode main;
        my_identifier asn1dn;
        certificate_type x509 "user.pem" "user.key";
        proposal_check obey;
        verify_identifier on;
        verify_cert on;
        # phase 1 hooks: these scripts install/remove the SPD entries
        script "/home/user/ipsec/tunnel-up.sh" phase1_up;
        script "/home/user/ipsec/tunnel-down.sh" phase1_down;
        nat_traversal on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo anonymous {
        lifetime time 28800 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
#v-

2. racoon tunnel-up script

#v+
#!/bin/sh
# tunnel-up.sh
# LOCAL_ADDR and REMOTE_ADDR are exported by racoon when it runs the
# phase1_up script.
/sbin/setkey -c <<EOF
flush;
spdflush;

# Make sure L2TP traffic goes over IPsec
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[1701] any -P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[1701] ${LOCAL_ADDR}[0] any -P in ipsec esp/transport//require ;

# Required for NAT
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[4500] any -P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[4500] ${LOCAL_ADDR}[0] any -P in ipsec esp/transport//require ;

# Required for non-NAT
spdadd ${LOCAL_ADDR}[500] ${REMOTE_ADDR}[500] any -P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[500] ${LOCAL_ADDR}[500] any -P in ipsec esp/transport//require ;
EOF
exit 0
#v-

3. mpd5 script

#v+
default:
        load l2tp

l2tp:
        create bundle static l2tp
        create link static L2 l2tp
        set link action bundle l2tp
        set link keep-alive 10 60
        set link mtu 1460
        set l2tp peer XXX.XXX.XXX.XXX
        set auth authname user
        set link max-redial 0
        open
#v-

References:
[1] http://www.mail-archive.com/freebsd-net@freebsd.org/msg34087.html

Thanks in advance.
-- 
Ashish SHUKLA          | GPG: F682 CDCC 39DC 0FEA E116 20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish     | http://people.freebsd.org/~ashish/

Avoid Success At All Costs !!
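As an added example (not code from the original post or from the racoon/ipsec-tools projects), here is a small Python linter for the spdadd statements of a setkey script like the tunnel-up.sh above. It expands ${LOCAL_ADDR}/${REMOTE_ADDR} the way the shell does before the heredoc reaches setkey, parses each spdadd statement, and reports three things a practitioner checks first when L2TP-over-IPsec works on one host and not another: a policy with no mirror in the opposite direction, a missing policy for UDP 1701 in either direction, and any policy whose level is weaker than require (a `use` policy lets the traffic pass in cleartext when no SA exists, so a broken SA would not show up as a failure). Assumptions: statements follow the shape used in the post, a port of `0` or `any` is treated as a wildcard (the post uses `[0]`), and the addresses 10.0.0.2/203.0.113.5 and the deliberately weakened second script are constructed for the example.

```python
"""Lint the spdadd statements of a setkey(8) script for L2TP-over-IPsec.

Added example, not code from the original post. Assumptions:
  - statements have the shape used in tunnel-up.sh:
      spdadd SRC[PORT] DST[PORT] UPPER -P in|out ipsec PROTO/MODE/ENDPOINTS/LEVEL ;
  - a port of "any" or "0" is treated as a wildcard (the post uses [0]);
  - the sample addresses and the weakened script below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SPDADD_RE = re.compile(
    r"^\s*spdadd\s+(?P<src>[^\s\[]+)\[(?P<sport>\w+)\]\s+"
    r"(?P<dst>[^\s\[]+)\[(?P<dport>\w+)\]\s+(?P<upper>\S+)\s+"
    r"-P\s+(?P<direction>in|out)\s+ipsec\s+"
    r"(?P<proto>\w+)/(?P<mode>\w+)/(?P<endpoints>[^/\s]*)/(?P<level>\w+)\s*;",
    re.MULTILINE,
)

WILDCARD_PORTS = ("any", "0")


@dataclass(frozen=True)
class Policy:
    src: str
    sport: str
    dst: str
    dport: str
    upper: str
    direction: str
    proto: str
    mode: str
    level: str

    def key(self) -> Tuple[str, ...]:
        # Identity of the flow this policy selects, ignoring direction and level.
        return (self.src, self.sport, self.dst, self.dport, self.upper, self.proto, self.mode)

    def mirror_key(self) -> Tuple[str, ...]:
        # Key of the policy that would carry the same flow the other way.
        return (self.dst, self.dport, self.src, self.sport, self.upper, self.proto, self.mode)


def expand_vars(script: str, env: Dict[str, str]) -> str:
    """Substitute ${NAME} as the shell does before the heredoc reaches setkey.

    An unset variable raises KeyError instead of silently producing an empty
    address, which is what the shell would hand to setkey.
    """
    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in env:
            raise KeyError(f"unset variable ${{{name}}}")
        return env[name]
    return re.sub(r"\$\{(\w+)\}", substitute, script)


def parse_spd(script: str) -> List[Policy]:
    """Return one Policy per spdadd statement; flush/spdflush/comments are ignored."""
    policies = []
    for m in SPDADD_RE.finditer(script):
        g = m.groupdict()
        policies.append(Policy(g["src"], g["sport"], g["dst"], g["dport"], g["upper"],
                               g["direction"], g["proto"], g["mode"], g["level"]))
    return policies


def port_matches(port: str, wanted: str) -> bool:
    return port in WILDCARD_PORTS or port == wanted


def lint_spd(policies: List[Policy], l2tp_port: str = "1701") -> List[str]:
    """Report asymmetric policies, unselected L2TP traffic and weak levels."""
    findings: List[str] = []
    by_dir: Dict[str, Dict[Tuple[str, ...], Policy]] = {"in": {}, "out": {}}
    for p in policies:
        by_dir[p.direction][p.key()] = p

    # 1. Every policy should have a mirror so the flow is protected both ways.
    for direction, opposite in (("out", "in"), ("in", "out")):
        for p in by_dir[direction].values():
            if p.mirror_key() not in by_dir[opposite]:
                findings.append(f"{direction} policy {p.src}[{p.sport}] -> "
                                f"{p.dst}[{p.dport}] has no {opposite} mirror")

    # 2. L2TP itself must be selected in both directions; the peer's port is
    #    the destination on the way out and the source on the way in.
    if not any(port_matches(p.dport, l2tp_port) for p in by_dir["out"].values()):
        findings.append(f"no out policy covers UDP {l2tp_port}")
    if not any(port_matches(p.sport, l2tp_port) for p in by_dir["in"].values()):
        findings.append(f"no in policy covers UDP {l2tp_port}")

    # 3. 'use' passes cleartext when no SA exists and 'default' defers to the
    #    system-wide default level; only 'require' fails closed unconditionally.
    for p in policies:
        if p.level != "require":
            findings.append(f"policy {p.src}[{p.sport}] -> {p.dst}[{p.dport}] "
                            f"has level '{p.level}', not 'require'")
    return findings


# The spdadd statements from tunnel-up.sh in the post, before shell expansion.
POST_SCRIPT = """
flush;
spdflush;
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[1701] any -P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[1701] ${LOCAL_ADDR}[0] any -P in ipsec esp/transport//require ;
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[4500] any -P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[4500] ${LOCAL_ADDR}[0] any -P in ipsec esp/transport//require ;
spdadd ${LOCAL_ADDR}[500] ${REMOTE_ADDR}[500] any -P out ipsec esp/transport//require ;
spdadd ${REMOTE_ADDR}[500] ${LOCAL_ADDR}[500] any -P in ipsec esp/transport//require ;
"""

# Constructed addresses standing in for what racoon exports to the script.
SAMPLE_ENV = {"LOCAL_ADDR": "10.0.0.2", "REMOTE_ADDR": "203.0.113.5"}

# Constructed, deliberately weakened variant: the inbound L2TP policy is
# missing and the outbound one only 'use's IPsec.
WEAK_SCRIPT = """
spdadd 10.0.0.2[0] 203.0.113.5[1701] any -P out ipsec esp/transport//use ;
spdadd 10.0.0.2[500] 203.0.113.5[500] any -P out ipsec esp/transport//require ;
spdadd 203.0.113.5[500] 10.0.0.2[500] any -P in ipsec esp/transport//require ;
"""


def lint_script(script: str, env: Dict[str, str]) -> List[str]:
    return lint_spd(parse_spd(expand_vars(script, env)))


if __name__ == "__main__":
    for name, script in (("post script", POST_SCRIPT), ("weak script", WEAK_SCRIPT)):
        findings = lint_script(script, SAMPLE_ENV)
        print(f"{name}: {'clean' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run against the post's own statements the linter is clean; against the weakened script it reports the missing inbound mirror, the uncovered inbound UDP 1701 flow and the `use` level. The same parser can be pointed at the output of the real script by capturing the heredoc before it is fed to setkey, with LOCAL_ADDR and REMOTE_ADDR set to the values racoon exports.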