[Openswan Users] Debian openswan Nat-t problem (ESP packets)
Marco Perrando
perr at com.dist.unige.it
Fri Sep 3 11:46:51 CEST 2004
It's not the case.
All this follows a discussion of some days ago.
http://lists.openswan.org/pipermail/users/2004-August/002049.html
I did not make myself clear.
The two packets I attached to my message are BOTH captured at the
server side AFTER the router did its NAT.
No one changed the SPI number:
The only difference in the two packets is the protocol number of the IP
header (UDP and ESP).
Internet-----+----|Linux box openswan|
             |
             +----|Capturing box     |
So the packet is the SAME, but if captured on the wire it is correctly
written; if captured inside the Linux box with openswan (i.e. at ath0)
it is altered.
This is my hypothesis:
- the openswan software recognizes it as a UDP-encapsulated packet with an ESP
payload
- it wants to de-encapsulate it.
- it changes the UDP protocol number into the ESP protocol number
- it forgets to strip out the eight bytes that belong to the UDP header
and that do not belong to the ESP packet
Actually, after the eight bytes of UDP header + UDP encapsulation
payload, the bytes are those of the ESP packet with the correct SPI
number.
I think that everything would correctly work if those 8 bytes were
stripped out of the packet.
I took a look at draft-ietf-ipsec-udp-encaps-09.txt.
IMHO step 2 of de-encapsulation is taken incorrectly.
Marco.
==== draft-ietf-ipsec-udp-encaps-09.txt ====
3.2 Transport Mode ESP Encapsulation

BEFORE APPLYING ESP/UDP
              ----------------------------
        IPv4  |orig IP hdr  |     |      |
              |(any options)| TCP | Data |
              ----------------------------

AFTER APPLYING ESP/UDP
              -------------------------------------------------------
        IPv4  |orig IP hdr  | UDP | ESP |     |      |   ESP   | ESP|
              |(any options)| Hdr | Hdr | TCP | Data | Trailer |Auth|
              -------------------------------------------------------
                                        |<----- encrypted ---->|
                                  |<------ authenticated ----->|
1. Ordinary ESP encapsulation procedure is used.
2. A properly formatted UDP header is inserted where shown.
3. The Total Length, Protocol and Header Checksum (for IPv4) fields
in the IP header are edited to match the resulting IP packet.
3.3 Transport Mode ESP Decapsulation
1. The UDP header is removed from the packet.
2. The Total Length, Protocol and Header Checksum (for IPv4) fields
in the new IP header are edited to match the resulting IP packet.
3. Ordinary ESP decapsulation procedure is used.
4. Transport mode decapsulation NAT procedure is used.
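Added worked example (not part of this post, and not openswan code): a small Python model of the decapsulation steps quoted above from the UDP-encaps draft. It builds a constructed IPv4/UDP(4500)/ESP packet, then performs steps 1 and 2 of section 3.3 (strip the 8-byte UDP header, rewrite Total Length, Protocol and Header Checksum), and, beside that, a variant that only rewrites the protocol number and leaves the UDP header in place, which is the misbehaviour hypothesised in the post. Reading the SPI from both results makes the difference visible: the correct path yields the original SPI, the no-strip path yields the UDP port bytes instead. All addresses, SPI and payload are constructed values; there is no real ESP encryption or authentication.

```python
"""Model of RFC-3948-style UDP-encapsulated ESP decapsulation (constructed example)."""
import struct

IPPROTO_UDP = 17
IPPROTO_ESP = 50
UDP_ENCAP_PORT = 4500   # NAT-T port for IKE and UDP-encapsulated ESP
UDP_HDR_LEN = 8


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; caller zeroes the checksum field first."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_valid(header: bytes) -> bool:
    """A header carrying a correct checksum sums (one's complement) to zero."""
    return ipv4_checksum(header) == 0


def build_udp_encapsulated_esp(src: bytes, dst: bytes, spi: int, seq: int, esp_body: bytes) -> bytes:
    """Constructed packet: IPv4 | UDP 4500->4500 | ESP hdr (SPI, seq) | body (no real crypto)."""
    udp_payload = struct.pack("!II", spi, seq) + esp_body
    udp = struct.pack("!HHHH", UDP_ENCAP_PORT, UDP_ENCAP_PORT,
                      UDP_HDR_LEN + len(udp_payload), 0) + udp_payload
    total_len = 20 + len(udp)
    # version/IHL, TOS, total length, ID, flags/frag (DF), TTL, protocol, checksum=0, src, dst
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                               64, IPPROTO_UDP, 0, src, dst))
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return bytes(ip) + udp


def classify_udp_payload(udp_payload: bytes) -> str:
    """Demultiplexing on UDP/4500: four zero bytes (non-ESP marker) = IKE,
    a single 0xFF byte = NAT-keepalive, anything else = ESP (first 4 bytes are the SPI)."""
    if udp_payload == b"\xff":
        return "keepalive"
    if len(udp_payload) >= 4 and udp_payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    return "esp"


def decapsulate_udp_esp(pkt: bytes) -> bytes:
    """Section 3.3 steps 1-2: remove the UDP header, then fix Total Length,
    Protocol and Header Checksum so the result is a plain protocol-50 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not a UDP packet")
    udp = pkt[ihl:]
    udp_len = struct.unpack("!H", udp[4:6])[0]
    udp_payload = udp[UDP_HDR_LEN:udp_len]
    if classify_udp_payload(udp_payload) != "esp":
        raise ValueError("UDP/4500 payload is IKE or keepalive, not ESP")
    ip[2:4] = struct.pack("!H", ihl + len(udp_payload))   # step 2: Total Length
    ip[9] = IPPROTO_ESP                                    # step 2: Protocol
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))  # step 2: Header Checksum
    return bytes(ip) + udp_payload


def decapsulate_without_stripping(pkt: bytes) -> bytes:
    """The misbehaviour hypothesised in the post: Protocol rewritten to ESP, checksum fixed,
    but the 8 UDP header bytes left in front of the ESP header (step 1 skipped)."""
    ihl = (pkt[0] & 0x0F) * 4
    ip = bytearray(pkt[:ihl])
    ip[9] = IPPROTO_ESP
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip)))
    return bytes(ip) + pkt[ihl:]


def esp_spi(pkt: bytes) -> int:
    """In a protocol-50 packet the SPI is the first 4 bytes after the IP header."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!I", pkt[ihl:ihl + 4])[0]


if __name__ == "__main__":
    # constructed addresses, SPI and body
    pkt = build_udp_encapsulated_esp(b"\x0a\x00\x00\x01", b"\xc0\xa8\x01\x02",
                                     0xDEADBEEF, 1, b"A" * 16)
    good = decapsulate_udp_esp(pkt)
    bad = decapsulate_without_stripping(pkt)
    print("correct decap   SPI = 0x%08x, total length %d" % (esp_spi(good), len(good)))
    print("no-strip decap  SPI = 0x%08x, total length %d" % (esp_spi(bad), len(bad)))
```

With the 8 bytes left in place, whatever reads the SPI sees the two UDP port numbers (0x1194 0x1194) where the SPI should be, which is exactly the "wrong SPI" symptom one would look for in a capture taken inside the box.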