[Openswan Users] L2TP/IPSEC response unencrypted (was openswan-2.6.24rc1 NATed MacOS Kernel crash)

David McCullough David_Mccullough at securecomputing.com
Mon Oct 26 19:55:49 EDT 2009


Jivin Paul Wouters lays it down ...
> On Mon, 26 Oct 2009, Giovani Moda wrote:
> 
> >> Will do some more tests later on and let you know.
> >
> > Confirmed, I'm getting unencrypted server-to-client responses on
> > external interface (eth0) when using KLIPS with NAT-T. Is this still
> > #1004? The client is a XP SP2 box, connecting through linux doing NAT.
> > Here are the logs:
> 
> Can you check if there is a host route into the ipsecX device just after
> the tunnel is established, but before you receive the delete request from
> the client?
> 
> This would suggest either a misconfiguration of the nexthop settings, or
> a bug in the _updown.klips script.

My guess is that Giovani is seeing what I am seeing.  I did mention that the
#1004 fix looked like it broke Windows NAT ;-)

KLIPS does NAT-OA when talking to NAT'd Windows L2TP clients.  This means
the packets get fixed up to have the original pre-NAT address when they
are sent to the L2TP server.  Because this will not match the tunnel's SAs
when the L2TP server responds, the packets go out the WAN and not into ipsec.

I have patches here to fix all this but I need feedback on how correct they
are because I don't understand a lot of the decisions that went into all
this code :-)

Patches attached.  With this I can run Windows XP L2TP (NAT and non-NAT)
and iPhone L2TP with NAT and have them work.  I have commented the 2 changes
with a lot of detail for anyone who wants to understand why the change
works.  Just because it works doesn't mean it's correct :-)

The solution for Windows is better IMO than the iPhone because it negotiates
NAT-OA, we can have multiple clients behind the same NAT gateway :-)

I would like to know why we cannot/shouldn't do something similar for
iPhone/OSX and non-NAT-OA tunnels, since we have all the information
available for the NAT end points.

Anyway,  feedback appreciated :-)

Cheers,
Davidm

-- 
David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: win-l2tp.patch
Type: text/x-diff
Size: 2839 bytes
Desc: not available
Url : http://lists.openswan.org/pipermail/users/attachments/20091027/0339aff1/attachment.bin 

