[Openswan Users] NAT-T broken with Netscreen

Jacco de Leeuw jacco2 at dds.nl
Tue Dec 6 20:20:35 CET 2005


Sean wrote:

>It looks like OpenSWAN isn't recognizing draft-ietf-ipsec-nat-t-ike-02 
>Vendor ID/payload sent by the Netscreen and/or vice versa. I've confirmed 
>this is the case with the latest version of OpenSWAN.
>
>linux:~ # ipsec auto --up dmz
>003 "dmz" #1: NAT-Traversal: Result using 
>draft-ietf-ipsec-nat-t-ike-00/01: i am NATed

Oops, they negotiate a very old NAT-T draft. That is a pity.

>While researching the same problem with VPN Tracker clients to a 
>Netscreen, Juniper said this was the problem:
>
>"Some vendors use the MD5 hash value in the draft, while others use the 
>vendor id string, and do the hash in the code.

Yes, this is a well-known problem in the specs:
http://www.vpnc.org/ietf-ipsec/02.ipsec/msg01150.html

>Because VPNTracker is using the vendor id string, instead of the MD5 hash, 
>ScreenOS is not recognizing this is a draft-02 NAT-T implementation."

I can't comment on whether the problem you are having with Openswan is
the same as with VPNTracker but Juniper could have chosen to support
_both_ MD5 hashes, just like Openswan. Now you are left in the cold.
Even better would have been support for the official RFC 3947, which
has been out for almost a year now.

>What format is OpenSwan sending draft-ietf-ipsec-nat-t-ike-02 to peers?

As a responder Openswan accepts both hashes but as an initiator it sends
only the hash without the extra "\n", as you have found out. I am not sure
if there is a particular reason behind this, but if you would like to
experiment then you can try the following simple patch.

BTW, Windows 2003 Server is another implementation that only responds
to MD5 hashes with the extra "\n". So the patch can be used for that
purpose as well. But then there is another problem:
http://lists.openswan.org/pipermail/users/2005-March/004292.html
Perhaps we should move this discussion to the developers mailing list
so that the Openswan team can examine these issues?

Jacco
-- 
Jacco de Leeuw                         mailto:jacco2 at dds.nl
Zaandam, The Netherlands           http://www.jacco2.dds.nl
                     Mosquitos suck
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openswan-NAT-draft-02_n.patch
Type: text/x-patch
Size: 487 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20051206/270e74e5/openswan-NAT-draft-02_n.bin
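The vendor-ID mismatch discussed in this message, as an added example that is not Openswan's code and does not reproduce the attached patch: IKEv1 NAT-T peers advertise a draft by sending the MD5 of its name as a Vendor ID, and the draft-02 text printed a hash computed over the name with a trailing "\n", so two payloads circulate for the same draft. The block builds both, models a responder that accepts either (the behaviour the message attributes to Openswan) beside one that only knows the "\n" spelling (a constructed stand-in for the behaviour described in the thread, not ScreenOS's actual table), and shows the fallback to the older draft. Assumptions: draft-00 and draft-01 are folded into one entry, draft-03 is omitted, and the patch is modelled as adding the "\n" variant alongside the existing one.

```python
"""
Added example, not code from Openswan or from the attached patch: IKEv1 NAT-T
vendor IDs are MD5 over a draft/RFC name, and a peer that knows only one of
the two draft-02 spellings falls back to an older draft.
"""
import hashlib

# Names mentioned in the thread.  Openswan logs draft-00 and draft-01 together
# ("draft-ietf-ipsec-nat-t-ike-00/01"); they are folded into one entry here.
DRAFT_00 = "draft-ietf-ipsec-nat-t-ike-00"
DRAFT_02 = "draft-ietf-ipsec-nat-t-ike-02"
DRAFT_02_NL = DRAFT_02 + "\n"   # the hex printed in the draft text was MD5 of this
RFC_3947 = "RFC 3947"

# Newest method first; a pair of peers uses the best method both advertised.
PREFERENCE = ["rfc3947", "draft-02", "draft-00"]


def vendor_id(name: str) -> bytes:
    """Vendor ID payload body: MD5 over the draft/RFC name (16 bytes)."""
    return hashlib.md5(name.encode("ascii")).digest()


def vid_table(pairs):
    """Build {payload: method} from (method, name) pairs."""
    return {vendor_id(name): method for method, name in pairs}


class Peer:
    """An IKEv1 peer: the Vendor IDs it sends and the ones it recognises."""

    def __init__(self, label, sends, recognises):
        self.label = label
        self.sends = [vendor_id(n) for n in sends]
        self.table = vid_table(recognises)

    def methods_seen_in(self, payloads):
        """NAT-T methods this peer recognises among received Vendor IDs."""
        return {self.table[v] for v in payloads if v in self.table}


def negotiate(initiator: Peer, responder: Peer):
    """Best NAT-T method that each side recognised in the other's VIDs, or None."""
    seen_by_responder = responder.methods_seen_in(initiator.sends)
    seen_by_initiator = initiator.methods_seen_in(responder.sends)
    common = seen_by_responder & seen_by_initiator
    for method in PREFERENCE:
        if method in common:
            return method
    return None


# Responder table as the post describes Openswan: either draft-02 hash is accepted.
OPENSWAN_TABLE = [("draft-00", DRAFT_00), ("draft-02", DRAFT_02),
                  ("draft-02", DRAFT_02_NL), ("rfc3947", RFC_3947)]

# Unpatched initiator: draft-02 is advertised only as MD5(name), without "\n".
OPENSWAN = Peer("openswan", [DRAFT_00, DRAFT_02, RFC_3947], OPENSWAN_TABLE)

# Initiator that also sends the "\n" variant: assumed here to be the intent of
# the attached patch, which this example does not reproduce.
OPENSWAN_PATCHED = Peer("openswan+patch",
                        [DRAFT_00, DRAFT_02, DRAFT_02_NL, RFC_3947], OPENSWAN_TABLE)

# Constructed model of the peer behaviour described in the thread: knows
# draft-00 and only the "\n" spelling of draft-02, and nothing newer.  This is
# an assumption for the example, not ScreenOS's real vendor-ID table.
NEWLINE_ONLY_PEER = Peer("newline-only-peer", [DRAFT_00, DRAFT_02_NL],
                         [("draft-00", DRAFT_00), ("draft-02", DRAFT_02_NL)])


if __name__ == "__main__":
    for name in (DRAFT_00, DRAFT_02, DRAFT_02_NL, RFC_3947):
        print(f"{name!r:40} -> {vendor_id(name).hex()}")
    print("unpatched vs newline-only peer:", negotiate(OPENSWAN, NEWLINE_ONLY_PEER))
    print("patched   vs newline-only peer:", negotiate(OPENSWAN_PATCHED, NEWLINE_ONLY_PEER))
    print("openswan  vs openswan:         ", negotiate(OPENSWAN, OPENSWAN))
```

Run stand-alone, the block prints the four 16-byte values (the draft-02 pair can be compared against what a packet dissector lists for those two names) and then the three negotiation outcomes: the unpatched initiator against the newline-only peer ends up on draft-00, which is the "00/01" result in Sean's log; sending the "\n" variant as well lifts it to draft-02; two peers that both know RFC 3947 settle there.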

