[Openswan Users] NAT-T + Openswan INFERNO !!

albert agusti aagusti at serialnet.net
Fri Oct 22 19:51:57 CEST 2004


Hello, 

I'm trying to deploy a net-to-net VPN using openswan 2.2.0 and two Linux
boxes running kernel 2.6 (so native IPsec support is used). My problems
are multiple and I've done a lot of tests to discover what's driving me
crazy. Writing all of it here would be too much, so I'll try to ask only about my
main headaches ;-) Thanks for reading

In my case, I'm forced to use NAT-T support because both ends of the
desired tunnel are located behind SOHO routers doing NAT:


---Net1----T1-----R1------------------------Internet-------------------R2---------T2----Net2
           
NAT                                                                          NAT

Routers R1 and R2 are from different vendors and I suspect one of them
is doing something nasty with IPsec passthrough, because after setting up
openswan correctly on both ends, the tunnel only comes up when initiating from T1
and gets blocked forever in Main Mode if I try to initiate from T2. Once
initiation from T1 is done, initiation from T2 in Quick Mode comes up
with no problems.

Let's suppose that this asymmetric behaviour is not there.

1st big problem: When the rekey time is reached, or the tunnel goes down/up on
the remote end (restarting ipsec, the entire host, or a simulation
(delete+add+up)), NEGOTIATION NEVER WORKS !! Can anybody tell me why?
ipsec barf shows lines similar to the following in a loop:

Oct 22 18:00:50 Glaurung pluto[3972]: packet from x.x.x.x:516: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Oct 22 18:00:50 Glaurung pluto[3972]: packet from x.x.x.x:516: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already
using method 108
Oct 22 18:00:50 Glaurung pluto[3972]: packet from x.x.x.x:516: received
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 22 18:00:50 Glaurung pluto[3972]: packet from x.x.x.x:516: initial
Main Mode message received on 192.168.1.10:500 but no connection has
been authorized

The only way to recover the tunnel is to totally rebuild it on both ends.
Obviously, this has no future.

After getting tired of what seem to be problems in IKE+NAT+router magic, I
decided to build the tunnel manually without using IKE at all.

QUESTION: How can it be done? I've tried the options that come with
Openswan 2.2.0 (ipsec manual), but to my great surprise ipsec manual
relies completely on pseudo-interfaces like ipsec0 and they are not
there in kernel 2.6 !! Is this a reported BUG? or a big TODO ;-)
I've set up a tunnel playing with setkey with something like this:

#!/sbin/setkey -f
 
# Flush the SAD and SPD
flush;
spdflush;
 
# ESP SAs doing encryption using 192 bit long keys (168 + 24 parity)
# and authentication using 128 bit long keys
add 192.168.1.10 T1.T1.T1.T1 esp 0x201 -m tunnel -E 3des-cbc
0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831 -A hmac-md5
0xc0291ff014dccdd03874d9e8e4cdf3e6;
 
add T2.T2.T2.T2 192.168.1.10 esp 0x301 -m tunnel -E 3des-cbc
0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df -A hmac-md5
0x96358c90783bbfa3d7b196ceabe0536b;
 
# Security policies
spdadd 192.168.1.10/32 10.10.0.0/16 any -P out ipsec
esp/tunnel/192.168.1.10-T1.T1.T1.T1/require;
 
spdadd 10.10.0.0/16 192.168.1.10/32 any -P in ipsec
esp/tunnel/T2.T2.T2.T2-192.168.1.10/require;

It works (ciphers the traffic), but IT DOES NOT ENCAPSULATE ESP in UDP
(NAT-T), so it is totally useless for me :-(

THE BIG QUESTION:
Is it possible to set up a tunnel supporting NAT on both ends? And if so
(I hope), how can it be done WITHOUT IKE? Will it be possible on kernel
2.6 + Openswan 2.2.0 or is a downgrade needed? Any config example?
Some similar experience?

Any help will be great !!!

Bye
Albert
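
An added example (not from Albert's post, and not Openswan's or ipsec-tools' code) showing the same manually keyed 3DES/HMAC-MD5 tunnel expressed with iproute2's "ip xfrm" instead of setkey. The point it adds is the "encap espinudp SPORT DPORT OADDR" clause, which marks an SA as ESP carried inside UDP port 4500, the framing NAT-T uses. SPIs and keys are the ones from the post; R2_PUBLIC is a placeholder for the public address of the remote NAT router; the script prints the commands for review and only runs them when invoked with "apply" as root.

```shell
#!/bin/sh
# Added example, not from the original post or from Openswan: emit the
# iproute2 "ip xfrm" commands for a manually keyed 3DES/HMAC-MD5 ESP tunnel
# whose ESP is carried in UDP port 4500 (NAT-T framing), as seen from T1.
# SPIs and keys are the ones in the post; R2_PUBLIC is a placeholder for the
# public address of the remote NAT router R2.

T1_ADDR=192.168.1.10        # T1's own (private) address behind R1 (from the post)
R2_PUBLIC=R2_PUBLIC         # placeholder: public address of R2, what T1 sends to
NET2=10.10.0.0/16           # Net2, reached through the tunnel (from the post)
NATT_PORT=4500
REQID=1

SPI_OUT=0x201
ENC_OUT=0x7aeaca3f87d060a12f4a4487d5a5c3355920fae69a96c831
AUTH_OUT=0xc0291ff014dccdd03874d9e8e4cdf3e6
SPI_IN=0x301
ENC_IN=0xf6ddb555acfd9d77b03ea3843f2653255afe8eb5573965df
AUTH_IN=0x96358c90783bbfa3d7b196ceabe0536b

# Number of hex digits in a 0x-prefixed key.
key_hex_digits() {
    k=${1#0x}
    printf '%s\n' "${#k}"
}

# 3DES needs 24 bytes (48 hex digits), HMAC-MD5 16 bytes (32 hex digits);
# the kernel rejects an SA with a wrong key length, so check before emitting.
check_keys() {
    for k in "$ENC_OUT" "$ENC_IN"; do
        [ "$(key_hex_digits "$k")" -eq 48 ] || return 1
    done
    for k in "$AUTH_OUT" "$AUTH_IN"; do
        [ "$(key_hex_digits "$k")" -eq 32 ] || return 1
    done
    return 0
}

# One SA. "encap espinudp SPORT DPORT OADDR" tells the kernel this ESP
# travels inside UDP, so the SA survives the NAT routers in the middle.
xfrm_state() {
    # $1 outer src  $2 outer dst  $3 spi  $4 enc key  $5 auth key
    printf 'ip xfrm state add src %s dst %s proto esp spi %s reqid %s mode tunnel' \
        "$1" "$2" "$3" "$REQID"
    printf ' enc des3_ede %s auth md5 %s encap espinudp %s %s 0.0.0.0\n' \
        "$4" "$5" "$NATT_PORT" "$NATT_PORT"
}

# One policy: traffic matching inner src/dst in direction $3 must use the
# template (outer addresses, ESP, tunnel mode, same reqid as the SA).
xfrm_policy() {
    # $1 inner src  $2 inner dst  $3 dir  $4 outer src  $5 outer dst
    printf 'ip xfrm policy add src %s dst %s dir %s tmpl src %s dst %s proto esp reqid %s mode tunnel\n' \
        "$1" "$2" "$3" "$4" "$5" "$REQID"
}

all_commands() {
    check_keys || { echo "bad key length" >&2; return 1; }
    # Outbound: T1 -> R2's public address; R1 rewrites the source on the way out.
    xfrm_state "$T1_ADDR" "$R2_PUBLIC" "$SPI_OUT" "$ENC_OUT" "$AUTH_OUT"
    # Inbound: arrives from R2's public address; R1 has already DNATed it to T1.
    xfrm_state "$R2_PUBLIC" "$T1_ADDR" "$SPI_IN" "$ENC_IN" "$AUTH_IN"
    xfrm_policy "$T1_ADDR/32" "$NET2" out "$T1_ADDR" "$R2_PUBLIC"
    xfrm_policy "$NET2" "$T1_ADDR/32" in "$R2_PUBLIC" "$T1_ADDR"
    # If T1 forwards for all of Net1, repeat the "in" policy with "dir fwd".
}

# Print the commands for review; run them (as root) with: sh thisfile apply
if [ "${1-}" = apply ]; then
    all_commands | sh
else
    all_commands
fi
```

Two things to check before relying on this. First, an espinudp SA only decapsulates inbound traffic if some process on the host holds a UDP socket bound to port 4500 with the UDP_ENCAP socket option set; that is what pluto does when NAT-T is active, so without an IKE daemon that socket has to be provided by something else. Second, whether the 2.6 kernel and iproute2 in use accept "encap espinudp" at all is an assumption here; "ip xfrm state help" shows whether the keyword is present.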