[Openswan Users] Using NAT-T with 2.6 linux kernel

Sujithra P sujithrap at gmail.com
Tue Oct 7 01:16:49 EDT 2008


Hi all,

I am testing the UDP-Encapsulated-ESP Tunnel mode IPSEC between the IMS client
and the PCSCF (3GPP TS 33.203).

I am simulating the IMS UE using a SIP client that runs on Linux and uses
NETKEY support to install and delete SAs.
The IMS Client is able to send a UDP encapsulated packet to PCSCF.
But the UDP encapsulated traffic from PCSCF is dropped by the kernel.

The following are the details of the setup and the setkey config on the Linux
machine.
The SAs are installed using manual keying.

Linux Version: Linux ubuntu 2.6.24

# setkey -D
10.6.2.49[4500] 192.168.10.10[4500]
        esp-udp mode=tunnel spi=33589962(0x02008aca) reqid=3(0x00000003)
        E: 3des-cbc  343acfea 1a84fffd a2e62344 fe2032b1 343acfea 1a84fffd
        A: hmac-sha1  be65b76d 0abba80b 7fea2992 ca891792 00000000
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Oct  2 15:57:46 2008   current: Oct  6 13:30:12 2008
        diff: 336746(s) hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=7274 refcnt=0
10.6.2.49[4500] 192.168.10.10[4500]
        esp-udp mode=tunnel spi=16812490(0x010089ca) reqid=2(0x00000002)
        E: 3des-cbc  343acfea 1a84fffd a2e62344 fe2032b1 343acfea 1a84fffd
        A: hmac-sha1  be65b76d 0abba80b 7fea2992 ca891792 00000000
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Oct  2 15:57:46 2008   current: Oct  6 13:30:12 2008
        diff: 336746(s) hard: 0(s)      soft: 0(s)
        last: Oct  2 15:57:46 2008      hard: 0(s)      soft: 0(s)
        current: 4328(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 4    hard: 0 soft: 0
        sadb_seq=2 pid=7274 refcnt=0
192.168.10.10[4500] 10.6.2.49[4500]
        esp-udp mode=tunnel spi=23456789(0x0165ec15) reqid=0(0x00000000)
        E: 3des-cbc  343acfea 1a84fffd a2e62344 fe2032b1 343acfea 1a84fffd
        A: hmac-sha1  be65b76d 0abba80b 7fea2992 ca891792 00000000
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Oct  2 15:57:46 2008   current: Oct  6 13:30:12 2008
        diff: 336746(s) hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=3 pid=7274 refcnt=0
192.168.10.10[4500] 10.6.2.49[4500]
        esp-udp mode=tunnel spi=12345678(0x00bc614e) reqid=0(0x00000000)
        E: 3des-cbc  343acfea 1a84fffd a2e62344 fe2032b1 343acfea 1a84fffd
        A: hmac-sha1  be65b76d 0abba80b 7fea2992 ca891792 00000000
        seq=0x00000000 replay=0 flags=0x00000000 state=mature
        created: Oct  2 15:57:46 2008   current: Oct  6 13:30:12 2008
        diff: 336746(s) hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=7274 refcnt=0

# setkey -DP
192.168.10.10[6070] 10.6.2.49[8000] any
        in ipsec
        esp/tunnel/192.168.10.10-10.6.2.49/require
        created: Oct  2 15:57:46 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=17664 seq=1 pid=7275
        refcnt=1
192.168.10.10[5070] 10.6.2.49[7000] any
        in ipsec
        esp/tunnel/192.168.10.10-10.6.2.49/require
        created: Oct  2 15:57:46 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=17672 seq=2 pid=7275
        refcnt=1
10.6.2.49[7000] 192.168.10.10[5070] any
        out ipsec
        esp/tunnel/10.6.2.49-192.168.10.10/unique:2
        created: Oct  2 15:57:46 2008  lastused: Oct  2 15:57:50 2008
        lifetime: 0(s) validtime: 0(s)
        spid=17649 seq=3 pid=7275
        refcnt=1
10.6.2.49[8000] 192.168.10.10[6070] any
        out ipsec
        esp/tunnel/10.6.2.49-192.168.10.10/unique:3
        created: Oct  2 15:57:46 2008  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=17657 seq=0 pid=7275
        refcnt=1

10.6.2.49 is the UE public IP address
192.168.10.10 is the PCSCF IP address

The UDP encapsulated packet from PCSCF to IMS Client is dropped by the
kernel:

15:34:54.605608 IP 10.6.2.49.4500 > 192.168.10.10.4500: UDP-encap:
ESP(spi=0x010089ca,seq=0x1), length 1116
15:34:54.803321 IP 192.168.10.10.4500 > 10.6.2.49.4500: UDP-encap:
ESP(spi=0x00bc614e,seq=0x1), length 660
15:34:54.803340 IP 10.6.2.49 > 192.168.10.10: ICMP 10.6.2.49 udp port 4500
unreachable, length 556 <<< Kernel sends ICMP error.

Can anyone tell me what could be the issue?
Any help on this is greatly appreciated.

Thanks,
Sujithra
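An added example, not code from the post: the "udp port 4500 unreachable" ICMP in the capture is what Linux sends when no socket on the UE is bound to UDP 4500, and with NETKEY the kernel only decapsulates ESP-in-UDP through a user-space UDP socket on which UDP_ENCAP is set to UDP_ENCAP_ESPINUDP (RFC 3948). The program below opens such a socket and shows the RFC 3948 demultiplexing the kernel applies to datagrams arriving on it; the function names are the example's own and the payloads in the test are constructed, reusing the SPI seen in the capture.

```c
/* Added example (not the poster's code). With NETKEY/xfrm the kernel only
 * decapsulates ESP-in-UDP on port 4500 through a user-space socket that has
 * UDP_ENCAP=UDP_ENCAP_ESPINUDP; otherwise it answers "port 4500 unreachable". */
#include <errno.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef UDP_ENCAP_ESPINUDP      /* fallback to the <linux/udp.h> values */
#define UDP_ENCAP 100
#define UDP_ENCAP_ESPINUDP 2
#endif

/* Open the NAT-T socket the SA dump above needs; returns fd or -1 (errno set). */
int open_natt_socket(uint16_t port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons(port),
                              .sin_addr.s_addr = htonl(INADDR_ANY) };
    int encap = UDP_ENCAP_ESPINUDP;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 ||
        setsockopt(fd, IPPROTO_UDP, UDP_ENCAP, &encap, sizeof encap) < 0) {
        int saved = errno; close(fd); errno = saved;   /* keep the real cause */
        return -1;
    }
    return fd;
}

/* RFC 3948 demultiplexing done on that socket: a single 0xFF byte is a NAT
 * keepalive, a zero non-ESP marker is IKE (left to user space), else SPI. */
enum natt_kind { NATT_INVALID, NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

enum natt_kind classify_natt_payload(const uint8_t *p, size_t len, uint32_t *spi)
{
    if (len == 1 && p[0] == 0xff)
        return NATT_KEEPALIVE;
    if (len < 8)                /* SPI + sequence number at the very least */
        return NATT_INVALID;
    uint32_t first = (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 |
                     (uint32_t)p[2] << 8 | p[3];
    if (first == 0)
        return NATT_IKE;
    if (spi) *spi = first;      /* ESP: the kernel hands this to xfrm */
    return NATT_ESP;
}
```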