From owner-freebsd-net@FreeBSD.ORG  Mon Sep 20 15:33:14 2010
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 8854E1065670
	for <freebsd-net@freebsd.org>; Mon, 20 Sep 2010 15:33:14 +0000 (UTC)
	(envelope-from wahjava@gmail.com)
Received: from mail-pz0-f54.google.com (mail-pz0-f54.google.com
	[209.85.210.54])
	by mx1.freebsd.org (Postfix) with ESMTP id 3C89E8FC12
	for <freebsd-net@freebsd.org>; Mon, 20 Sep 2010 15:33:13 +0000 (UTC)
Received: by pzk7 with SMTP id 7so1512216pzk.13
	for <freebsd-net@freebsd.org>; Mon, 20 Sep 2010 08:33:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma;
	h=domainkey-signature:received:received:sender:received:from:to
	:subject:organization:x-face:x-uptime:x-url:x-operating-system
	:x-openpgp-id:x-openpgp-fingerprint:x-mailer:x-mail-morse
	:x-attribution:organisation:date:message-id:user-agent:face
	:mime-version:content-type;
	bh=RADW/Jq08+H7brrBIO9aLxtlqi8vNoxDfaN3AK/DVF8=;
	b=Vv1KFanY1Lljy86hglDslEKicWB7dy+qHWY9oV3bWWoZ5z8T94T8btaOi7w5l0jIbm
	nBLeGWwQSoht8x9J8ZkEDzI3VVso9mcN54bqAMGAw68+bkqsGmkHBIJVxTGYXWZp6hMB
	tNxrx6yecSiycOxxiG+UM1t9ayG7dnmasb4tQ=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma;
	h=sender:from:to:subject:organization:x-face:x-uptime:x-url
	:x-operating-system:x-openpgp-id:x-openpgp-fingerprint:x-mailer
	:x-mail-morse:x-attribution:organisation:date:message-id:user-agent
	:face:mime-version:content-type;
	b=FvQlzXyNpfJHwJ0cUYnJIAgi0e2cpp2ITmPIIAMkiFjgyUd4YJwzc1X3bsgx7ZUc2n
	jO/64aMGS9tg0wC5v7EsvNtyZ/Yj8nP6L+IPkvGxeQS34gQb+DoPFI3lqdfHYp9/Cqg6
	VbYCqAEsELlodwnJewi2QLH12LgPTEjAGG2oo=
Received: by 10.142.253.18 with SMTP id a18mr7836659wfi.110.1284996793368;
	Mon, 20 Sep 2010 08:33:13 -0700 (PDT)
Received: from chateau.d.if ([122.161.226.208])
	by mx.google.com with ESMTPS id v6sm1342597wfg.15.2010.09.20.08.33.09
	(version=TLSv1/SSLv3 cipher=RC4-MD5);
	Mon, 20 Sep 2010 08:33:11 -0700 (PDT)
Sender: Ashish SHUKLA <wahjava@gmail.com>
Received: from chateau.d.if (chateau.d.if [IPv6:::1])
	by chateau.d.if (Postfix) with ESMTP id 44AEF4AED6
	for <freebsd-net@FreeBSD.org>; Mon, 20 Sep 2010 21:03:05 +0530 (IST)
From: ashish@FreeBSD.org (Ashish SHUKLA)
To: freebsd-net@FreeBSD.org
Organization: The FreeBSD Project
X-Face: )vGQ9yK7Y$Flebu1C>(B\gYBm)[$zfKM+p&TT[[JWl6:]S>cc$%-z7-`46Zf0B*syL.C]oCq[upTG~zuS0.$"_%)|Q@$hA=9{3l{%u^h3jJ^Zl;
	t7
X-Uptime: 8:43PM  up  5:40, 2 users, load averages: 0.14, 0.27, 0.15
X-URL: http://762e5e74.wordpress.com/
X-Operating-System: FreeBSD/FreeBSD 8.1-RELEASE/amd64
X-OpenPGP-ID: E74FA4B0
X-OpenPGP-Fingerprint: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0
X-Mailer: Gnus v5.13
X-Mail-Morse: .-- .- .... .--- .- ...- .- .--.-. --. -- .- .. .-.. .-.-.- -.-.
	--- --
X-Attribution: =?utf-8?B?4KSG4KS24KWA4KS3?=
Organisation: The FreeBSD Project
Date: Mon, 20 Sep 2010 21:03:00 +0530
Message-ID: <86ocbs5t1v.fsf@chateau.d.if>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.0.50 (amd64-portbld-freebsd8.1)
Face: iVBORw0KGgoAAAANSUhEUgAAADAAAAAwBAMAAAClLOS0AAAAJ1BMVEWpqal/f39tbW1jY2Md
	HR2goKCenp6UlJROTk7////9/f35+fnT09ORJdieAAACVklEQVQ4jXXUP2vbQBQA8AvUTkgz5OzY
	Z0iGWhpS6BSrkECn0mvx0MEJ6AjtYrfoBCVDlD8naJYmNlRfwZq8+mkKlIZaGpJSYmP7Q/XkJDrJ
	Td8i/H68u3vHPaPufwLdf32AMA4A6GcAgvAamY1pOJiDIFqicTwLswDhfr3uxfFtkAY/GFHPMwzD
	8zpnACmIOnE6js7rQb+v4NJrG9od0C+QgpHMy5jBewV+UDSMWiw1Y4fWfyV7+NGFzDsYa3pth9LJ
	Q4XvXxFHcJRvHOmygn5NAEabnDcQQguarnfoiwSCJ99jmKKcphsZONmWsDK9Ro7cvZOCtQdg8nje
	egLhc2LNlkLmsezzTFUUy5w18ocox/f0LaLgJy0zO75zk+9pp85GAj36xjqhdI0y3tq2m4dqqcWX
	zQWBTz8L1irvolXV4J+3q7eCDgVnttjNq6X8H+9KOZsuNk1uCzx8pSp+E9HImfJOTLdcGqo+YKnG
	EIovizkEn48V7BO+ch2DXcD4ENSpWiU+q8hjjbgTBZCXnZtyj0Ws4Q1Q0B2WXFtYZo65Bbyeeldw
	RS6qFueM80LlLA29YlVwGRYvFD+kwI/0O+A2PlpOP9GwslUVciHuYGechuBTp922YiDZCrghTknm
	XSyOM+D3aoRZlo0Jb42zY7DN4p2x4AeZ+QAYutx1sHwTHzMT5cMNduQ9yW3GczN4KZ86kb0c9O8T
	yXDeFqpl2fryPEAYGXIlezAPXYh2NgVr/gvdoHIuDwuPwOhcWE8f8mmICq41eATkn8x0kuRTIKcB
	wE9+/QUtiiAnYcaN7wAAAABJRU5ErkJggg==
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
	micalg=pgp-sha512; protocol="application/pgp-signature"
Cc: 
Subject: IPsec + L2TP using racoon + mpd5
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Sep 2010 15:33:14 -0000

--=-=-=
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

Hi everyone,

Few weeks ago, I posted the problem of unable to use IPsec behind
NAT[1]. Thanks to the code in ipsec-tools CVS HEAD, IPSEC_NAT_T kernel opti=
on
and mpd5, I was able to use it, on the router and behind NAT without any
issues.

Few days ago, I lost the "behind NAT" configuration of this combo, and forg=
ot
to take backups :(. So, at present I can only use this combo without any
issues on router, but when inside NAT, it fails. This is the same box which
sometimes is used as router, and sometimes gets NATed.

When behind NAT, I can see that IPsec tunnel gets created, and I can see IP=
sec
ESP traffic flowing in/out over UDP port 4500. But L2TP tunnel never gets
realized, whereas when on router with this same mpd5 configuration, L2TP
tunnel gets created, just fine.

The server is running racoon + OpenL2TP on GNU/Linux using NETKEY
implementation. The other clients in the network including a GNU/Linux box =
and
a Windows box are able to connect to this L2TP/IPSec tunnel just fine, behi=
nd
NAT.

I'm wondering if anyone knows what I might be missing in the configurations
posted below:

1. racoon configuration.

#v+
# racoon-nat.conf

path certificate "/home/abbe/ipsec/ca";

log info;

listen {
	adminsock "/var/db/racoon/racoon.sock" "root" "operator" 0660;
}

remote XXX.XXX.XXX.XXX {
       exchange_mode main;
       my_identifier asn1dn;
       certificate_type x509 "user.pem" "user.key";
       proposal_check obey;
       verify_identifier on;
       verify_cert on;
       script "/home/user/ipsec/tunnel-up.sh" phase1_up;
       script "/home/user/ipsec/tunnel-down.sh" phase1_down;
       nat_traversal on;
       proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group modp1024;
	}
}

sainfo anonymous {
        lifetime time 28800 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
#v-

2. racoon tunnel-up script

#v+
#!/bin/sh
# tunnel-up.sh

/sbin/setkey -c <<EOF

flush;
spdflush;

# Make sure L2TP traffic goes over IPsec
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[1701] any
   -P out ipsec esp/transport//require ;
=20
spdadd ${REMOTE_ADDR}[1701] ${LOCAL_ADDR}[0] any
   -P in ipsec esp/transport//require ;
=20
# Required for NAT
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[4500] any
   -P out ipsec esp/transport//require ;
=20
spdadd ${REMOTE_ADDR}[4500] ${LOCAL_ADDR}[0] any
   -P in ipsec esp/transport//require ;

# Required for non-NAT
spdadd ${LOCAL_ADDR}[500] ${REMOTE_ADDR}[500] any
   -P out ipsec esp/transport//require ;
=20
spdadd ${REMOTE_ADDR}[500] ${LOCAL_ADDR}[500] any
   -P in ipsec esp/transport//require ;

EOF

exit 0
#v-

3. mpd5 script

#v+
default:
        load l2tp

l2tp:
        create bundle static l2tp
        create link static L2 l2tp
        set link action bundle l2tp
        set link keep-alive 10 60
        set link mtu 1460
        set l2tp peer XXX.XXX.XXX.XXX
        set auth authname user
        set link max-redial 0
        open
#v-

References:
[1]  http://www.mail-archive.com/freebsd-net@freebsd.org/msg34087.html

Thanks in advance.
=2D-=20
Ashish SHUKLA      | GPG: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/

Avoid Success At All Costs !!

--=-=-=
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.16 (FreeBSD)

iQIcBAEBCgAGBQJMl36wAAoJEMdGz6nnT6SwZuEQAKxdpwuUePOhE9uJhVnYCv+G
etjb/d1fF4LIJyEUNT2vu62jKW/OBjo2cYD5YpYIbCwOt0bFcPNXFJteRVvK5wSD
PQHIF+mCLPMSFvZHgFRloFrBOJiTxHDSLktLw53SJQVMbKRiboj9X/fqjUrnsYvC
hOm1gc+kUaBxcElotY3Uy7oGY1ncwWzfLmiytJc63vJwrAOE/mHAaSRKBv07bGI1
p4bBzEVObsY6r/uFHxxLDQqSle424Z/R+5rIc8HK0aJFprBW3BNhN4HI33DRCPUc
b5koy5P9tSumTdBK+9mUCE0GttqPtQ32/ixhXi9lJtvyDrOWAtcrDaxCKZ657bnl
KF2luSxv+mC6YcCB3V0EyeKJCRpXWnbgcf96HawLxJZZRI0/Gscc60GPZvpOQgs+
qgdRLv7dAzGJB5tWQM+hOD3tYMKeRiJdCNbjmQJWtpw9hyq58mCEbbeGPWHUMRp0
boRkDjlMIzo37HShs7IyuObGp2YgfLEtfompuq3aY77R6vvY77AotE1L13p9hzk7
X1bdBcDtoUaJ3zTbfn8JVmDoATccBhFS7Tg3GjvVgwYNccsFo47SxKk5YqVQ7bRe
WWS2+35Wx+SjHSPmotDBrxDwumBUBig7g58N9LRS2Yp6KJLb+qRtk6U9O9VZR2qe
uleH5q3zbdoVOBx+jqn4
=s7aL
-----END PGP SIGNATURE-----
--=-=-=--