[Openswan Users] udp/4500 (NAT-T) blocking by my (common?) WLAN-Router (cont'd)

Andreas Kemper kem at comnets.rwth-aachen.de
Sat Oct 23 22:19:00 CEST 2004


Hi,

> > I would like to switch to NAT-T mode, rather than using the
> > VPN-passthrough mode of my SMC wireless router.
> > 
> > The background for this are problems handling transport mode 
> > ESP-packets from L2TP/IPsec in case these are transparently passing 
> > the NAT-device.
> > 
> > While sniffing a bit with Ethereal, I found that the SMC blocks (at
> > least outgoing) packets as soon as encapsulation to udp/4500 is
> > enabled.
> 
> Are you sure? How did you check this? If this is true it
I started two parallel Ethereal sessions: one right on the OSW-GW, the other
on a second laptop, connected in parallel (via an Ethernet hub) to the Wintendo
client.
Taking a closer look at the trace (at the end of the post), obviously the fifth
and following ISAKMP packets (containing the certificate?!) are the first ones
using udp/4500 rather than udp/50. They are transmitted multiple times, but
never arrive at the gateway.

> would be really malicious. What model SMC do you have?
SMC 2808 WBR (previously the 802.11b-only version, which seemed to have the
same problem)

> > Now I wonder whether this behaviour is intended, since the device does
> > VPN-passthrough (or possibly for some political reasons), and/or if it's
> > simply a specific SMC bug?
> 
> You probably meant 'policy' instead of 'political' here :-).
Well, probably in case of having either a Linksys or a Cisco router. ;-) At
least I was wondering why the Cisco client uses udp/10000 instead of
udp/4500 for encapsulation...

> > Nevertheless, I thought about the simplest solution, which would probably
> > be to change the default NAT-T port, for instance also to udp/10000. Even
> > though this value seems to be hard-coded in "nat_traversal.h", I wonder
> > if clients (in particular Wintendo L2TP/IPsec) would accept a
> > different port during connection establishment??
> 
> Seems unlikely to me. But you could search the registry to 
> see if the port can be modified.
I just thought about it, since at least Sentinel has some kind of port
selection option for NAT-T, even though I don't know if this is RFC-conformant.

Andreas

PS: Sorry for breaking the thread - last mail got lost.

>>>>>>>>>>>>>>>

Frame 1 (286 bytes on wire, 286 bytes captured)
Ethernet II, Src: 00:09:6b:fa:bb:b1, Dst: 00:04:e2:b9:fe:6c
Internet Protocol, Src Addr: 192.168.2.5 (192.168.2.5), Dst Addr: a.b.c.d (a.b.c.d)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

Frame 2 (146 bytes on wire, 146 bytes captured)
Ethernet II, Src: 00:04:e2:b9:fe:6c, Dst: 00:09:6b:fa:bb:b1
Internet Protocol, Src Addr: a.b.c.d (a.b.c.d), Dst Addr: 192.168.2.5 (192.168.2.5)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

Frame 3 (267 bytes on wire, 267 bytes captured)
Ethernet II, Src: 00:09:6b:fa:bb:b1, Dst: 00:04:e2:b9:fe:6c
Internet Protocol, Src Addr: 192.168.2.5 (192.168.2.5), Dst Addr: a.b.c.d (a.b.c.d)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

Frame 4 (270 bytes on wire, 270 bytes captured)
Ethernet II, Src: 00:04:e2:b9:fe:6c, Dst: 00:09:6b:fa:bb:b1
Internet Protocol, Src Addr: a.b.c.d (a.b.c.d), Dst Addr: 192.168.2.5 (192.168.2.5)
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
Internet Security Association and Key Management Protocol

Frame 5 (1050 bytes on wire, 1050 bytes captured)
Ethernet II, Src: 00:09:6b:fa:bb:b1, Dst: 00:04:e2:b9:fe:6c
Internet Protocol, Src Addr: 192.168.2.5 (192.168.2.5), Dst Addr: a.b.c.d (a.b.c.d)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 6 (1050 bytes on wire, 1050 bytes captured)
Ethernet II, Src: 00:09:6b:fa:bb:b1, Dst: 00:04:e2:b9:fe:6c
Internet Protocol, Src Addr: 192.168.2.5 (192.168.2.5), Dst Addr: a.b.c.d (a.b.c.d)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 7 (1050 bytes on wire, 1050 bytes captured)
Ethernet II, Src: 00:09:6b:fa:bb:b1, Dst: 00:04:e2:b9:fe:6c
Internet Protocol, Src Addr: 192.168.2.5 (192.168.2.5), Dst Addr: a.b.c.d (a.b.c.d)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol

Frame 8 (1050 bytes on wire, 1050 bytes captured)
Ethernet II, Src: 00:09:6b:fa:bb:b1, Dst: 00:04:e2:b9:fe:6c
Internet Protocol, Src Addr: 192.168.2.5 (192.168.2.5), Dst Addr: a.b.c.d (a.b.c.d)
User Datagram Protocol, Src Port: 4500 (4500), Dst Port: 4500 (4500)
UDP Encapsulation of IPsec Packets
Internet Security Association and Key Management Protocol
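The diagnosis above (two sniffers, one behind the NAT and one at the gateway, comparing which IKE messages make it through once the exchange moves from udp/500 to udp/4500) can be automated. The Python below is an added example and is not code from the original post or from Openswan. It classifies UDP payloads the way a sniffer does (RFC 2408 ISAKMP on udp/500; on udp/4500 the RFC 3948 four-zero-byte non-ESP marker in front of IKE, the one-byte 0xFF NAT keepalive, or UDP-encapsulated ESP otherwise), correlates the two captures by ISAKMP cookies rather than by addresses and ports, which a NAT rewrites, and reports which messages left the client but never reached the gateway. The frames are constructed: the cookies, the choice of exchange type 2 (identity protection, i.e. main mode) and the filler bodies are assumptions; only the frame sizes are taken from the posted trace. For a real capture you would feed it the UDP payloads from both pcap files instead of the constructed list.

```python
"""Classify IKE / NAT-T UDP payloads and correlate two captures across a NAT.

Added example; not code from the original post or from Openswan. The frames
in demo() are constructed to mirror the posted Ethereal summary: four udp/500
ISAKMP packets that reach the gateway, then one udp/4500 IKE packet that the
client retransmits but that never appears in the gateway-side capture.
"""
import struct
from collections import Counter

ISAKMP_HDR_LEN = 28           # RFC 2408 section 3.1: fixed ISAKMP header
NON_ESP_MARKER = b"\x00" * 4  # RFC 3948 section 2.2: zeroed SPI slot marks IKE, not ESP
NAT_KEEPALIVE = b"\xff"       # RFC 3948 section 2.3: one-byte keepalive on udp/4500
ISAKMP_FMT = "!8s8sBBBBII"    # cookies, next payload, version, exchange, flags, msg id, length


def classify_payload(dst_port, payload):
    """Name what a UDP payload carries, judging only by port and leading bytes
    (the same heuristic a sniffer applies; it does not validate the contents)."""
    if dst_port == 500:
        return "isakmp" if len(payload) >= ISAKMP_HDR_LEN else "short"
    if dst_port == 4500:
        if payload == NAT_KEEPALIVE:
            return "nat-keepalive"
        if payload.startswith(NON_ESP_MARKER):
            return "isakmp-natt" if len(payload) >= 4 + ISAKMP_HDR_LEN else "short"
        # Anything else on 4500 is UDP-encapsulated ESP: non-zero SPI, then sequence number
        return "udp-esp" if len(payload) >= 8 else "short"
    return "other"


def isakmp_header(data):
    """Parse the 28-byte ISAKMP header into a dict."""
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack(
        ISAKMP_FMT, data[:ISAKMP_HDR_LEN])
    return {"icookie": icookie.hex(), "rcookie": rcookie.hex(), "next_payload": nxt,
            "version": ver, "exchange": xchg, "flags": flags,
            "message_id": msgid, "length": length}


def ike_key(dst_port, payload):
    """Correlation key that survives NAT rewriting of addresses and ports:
    cookies, exchange type, message id and length. None for non-IKE payloads.
    Main mode keeps message id 0 throughout, so the length tells the messages
    apart; retransmissions share the key, which is what lets us count them."""
    kind = classify_payload(dst_port, payload)
    if kind == "isakmp":
        hdr = isakmp_header(payload)
    elif kind == "isakmp-natt":
        hdr = isakmp_header(payload[len(NON_ESP_MARKER):])
    else:
        return None
    return (hdr["icookie"], hdr["rcookie"], hdr["exchange"], hdr["message_id"], hdr["length"])


def missing_at_gateway(client_side, gateway_side):
    """Compare two captures, each a list of (dst_port, payload), both directions.

    Returns {(dst_port, ike_key): copies_seen} for IKE messages seen on the
    client side but never at the gateway. Entries only on udp/4500, with every
    udp/500 message accounted for, are the signature of a NAT device that
    forwards IKE on 500 but drops NAT-T on 4500."""
    seen_at_gw = {ike_key(p, pl) for p, pl in gateway_side} - {None}
    missing = Counter()
    for port, payload in client_side:
        key = ike_key(port, payload)
        if key is not None and key not in seen_at_gw:
            missing[(port, key)] += 1
    return dict(missing)


def make_isakmp(icookie, rcookie, exchange, message_id, body):
    """Build a syntactically valid ISAKMP message for the constructed trace;
    the body is opaque filler, not a real SA/KE/ID/CERT payload."""
    hdr = struct.pack(ISAKMP_FMT, icookie, rcookie, 1, 0x10, exchange, 0,
                      message_id, ISAKMP_HDR_LEN + len(body))
    return hdr + body


def demo():
    """Constructed stand-in for the posted trace; returns missing_at_gateway()."""
    ic, rc_zero, rc = b"\x01" * 8, b"\x00" * 8, b"\x02" * 8   # assumed cookies
    main_mode = 2  # ISAKMP exchange type 2: identity protection (IKEv1 main mode)
    # Frames 1-4: main mode messages 1-4 on udp/500, seen by both sniffers.
    # Body sizes make the frames 286/146/267/270 bytes on wire, as in the post.
    phase1_500 = [
        (500, make_isakmp(ic, rc_zero, main_mode, 0, b"\x00" * 216)),  # MM1 SA proposal
        (500, make_isakmp(ic, rc, main_mode, 0, b"\x00" * 76)),        # MM2 SA reply
        (500, make_isakmp(ic, rc, main_mode, 0, b"\x00" * 197)),       # MM3 KE + nonce
        (500, make_isakmp(ic, rc, main_mode, 0, b"\x00" * 200)),       # MM4 KE + nonce
    ]
    # Frame 5: first message after NAT detection, so it moves to udp/4500 behind
    # the non-ESP marker; 976 bytes of filler gives the 1050-byte frame of the trace.
    mm5 = NON_ESP_MARKER + make_isakmp(ic, rc, main_mode, 0, b"\x00" * 976)
    client_side = phase1_500 + [(4500, mm5)] * 4   # frames 5-8: four retransmissions
    gateway_side = list(phase1_500)                # nothing on udp/4500 ever arrived
    return missing_at_gateway(client_side, gateway_side)


if __name__ == "__main__":
    for (port, key), copies in demo().items():
        print(f"udp/{port}: ISAKMP msg {key} sent {copies} times, never seen at gateway")
```

Running `demo()` yields a single entry on udp/4500 seen four times and nothing on udp/500, which is exactly the pattern that points at the NAT device rather than at the gateway's policy: if the gateway were rejecting NAT-T, the udp/4500 packets would still show up in its capture.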
