[Openswan Users] NAT traffic (contact_mark)

contact_mark at btopenworld.com
Mon Mar 21 13:55:45 EDT 2011


If sending NAT traffic over ipsec is considered mangling and in violation of
ipsec, why am I able to SNAT ipsec traffic using Juniper or Cisco devices but
not on openswan?


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
Behalf Of users-request at openswan.org
Sent: 20 March 2011 16:00
To: users at openswan.org
Subject: Users Digest, Vol 88, Issue 32



Today's Topics:

   1. NAT traffic (contact_mark at btopenworld.com)
   2. Re: NAT traffic (Paul Wouters)
   3. Win7 -> linux - no connection found (Kamil Jońca)


----------------------------------------------------------------------

Message: 1
Date: Sat, 19 Mar 2011 23:45:55 -0000
From: <contact_mark at btopenworld.com>
Subject: [Openswan Users] NAT traffic
To: <users at openswan.org>
Message-ID: <000001cbe68f$cac5bee0$60513ca0$@btopenworld.com>
Content-Type: text/plain; charset="us-ascii"

I have been reading the config docs but they say something along the lines
of "Do not NAT traffic going over the tunnel".  Why is this?

Is it simply that it isn't an implemented feature or some other reason?

------------------------------

Message: 2
Date: Sun, 20 Mar 2011 00:40:39 -0400 (EDT)
From: Paul Wouters <paul at xelerance.com>
Subject: Re: [Openswan Users] NAT traffic
To: contact_mark at btopenworld.com
Cc: users at openswan.org
Message-ID: <alpine.LFD.1.10.1103200038380.3850 at newtla.xelerance.com>
Content-Type: TEXT/PLAIN; charset=UTF-8; format=flowed

On Sat, 19 Mar 2011, contact_mark at btopenworld.com wrote:

> I have been reading the config docs but they say something along the
> lines of "Do not NAT traffic going over the tunnel".  Why is this?
>
> Is it simply that it isn't an implemented feature or some other reason?

Tunnels have security policies with source and dest address. If you change
any addresses those policies will be wrong.

Second, packets are encrypted. If you change them, the signatures are wrong
and the packets are dropped.

This is not a software implementation limitation. IPsec is a security
policy, and NAT breaks that. IPsec protects against network mangling, and
NAT is network mangling.

Paul
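
A toy model of the two points made above (policy selectors keyed on addresses, and an integrity check that any rewrite breaks), as an added example that is not part of this thread or of Openswan; the SPD entry, SPI, key and addresses are constructed, and encryption is left out so the NAT rewrite has something visible to change:

```python
import hmac
import ipaddress

# Constructed SPD: one tunnel policy whose local selector mirrors the
# leftsubnet=192.168.1.0/24 seen in this digest; the remote subnet
# 10.0.0.0/24, the SPI and the key are assumed values for the demo.
SPD = [{"src": ipaddress.ip_network("192.168.1.0/24"),
        "dst": ipaddress.ip_network("10.0.0.0/24"),
        "spi": 0x1001}]
SA_KEY = bytes(range(32))  # constructed integrity key for SPI 0x1001
ICV_LEN = 32               # full HMAC-SHA256; ESP's truncation not modelled


def lookup_policy(src: str, dst: str):
    """Point 1: the SA is chosen by the packet's own addresses.
    Return the matching SPI, or None when no policy covers (src, dst)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for pol in SPD:
        if s in pol["src"] and d in pol["dst"]:
            return pol["spi"]
    return None


def esp_protect(spi: int, inner: bytes) -> bytes:
    """Point 2: the sender appends an ICV over SPI plus the inner packet,
    i.e. over everything that follows the outer IP header."""
    body = spi.to_bytes(4, "big") + inner
    return body + hmac.new(SA_KEY, body, "sha256").digest()


def esp_verify(packet: bytes) -> bool:
    """Receiver: recompute the ICV; any mismatch means the packet is dropped."""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    return hmac.compare_digest(hmac.new(SA_KEY, body, "sha256").digest(), icv)


def nat_rewrite(packet: bytes, old: bytes, new: bytes) -> bytes:
    """A NAT box blindly rewriting an address it finds inside the packet."""
    return packet.replace(old, new)


def demo():
    inner = b"192.168.1.10>10.0.0.5:payload"            # constructed inner packet
    spi = lookup_policy("192.168.1.10", "10.0.0.5")     # matches: 0x1001
    no_spi = lookup_policy("203.0.113.7", "10.0.0.5")   # SNAT'd source: None
    packet = esp_protect(spi, inner)
    mangled = nat_rewrite(packet, b"192.168.1.10", b"203.0.113.7")
    return spi, no_spi, esp_verify(packet), esp_verify(mangled)
```

With real ESP the inner addresses are also encrypted, so a middlebox cannot even locate them; the ICV failure shown here is what happens to any byte it does change.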


------------------------------

Message: 3
Date: Sun, 20 Mar 2011 09:27:25 +0100
From: kjonca at wp.pl (Kamil Jońca)
Subject: [Openswan Users] Win7 -> linux - no connection found
To: users at lists.openswan.org
Message-ID: <87wrjuw61e.fsf at alfa.kjonca>
Content-Type: text/plain; charset=iso-8859-2


It's my first try to use Openswan, and I would like to connect my win7 laptop to my
linux box. Unfortunately I always got "alfa pluto[8422]: | no connection found".
I don't know if it is a version issue (Debian ships 2.6.28). My
ipsec.conf:

--8<---------------cut here---------------start------------->8---
version 2.0

config setup
    nat_traversal=yes
    uniqueids=no
conn %default
    compress=yes
    disablearrivalcheck=no
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    keyingtries=3

conn sslvpn
    type=tunnel
    left=%defaultroute
#    leftsendcert=ifasked
    leftsubnet=192.168.1.0/24
    leftid=%defaultroute
    leftcert=/etc/ipsec.d/certs/alfa.kjonca.1.pem
    dpdaction=clear
    pfs=yes
    right=%any
    rightsubnetwithin=0.0.0.0/0
    rightsubnet=vhost:%no,%priv
    rightca=%same
    auto=add
    rekey=no
--8<---------------cut here---------------end--------------->8---


When I turn on plutodebug=all, I can see:
--8<---------------cut here---------------start------------->8---
2011-03-20T09:08:18.864823+01:00 alfa pluto[7727]: | find_host_connection2 called from ikev2parent_inI1outR1, me=85.222.105.11:500 him=213.158.217.117:4308 policy=IKEv2ALLOW
2011-03-20T09:08:18.864831+01:00 alfa pluto[7727]: | find_host_pair_conn (find_host_connection2): 85.222.105.11:500 213.158.217.117:4308 -> hp:none
2011-03-20T09:08:18.864916+01:00 alfa pluto[7727]: | searching for connection with policy = IKEv2ALLOW
--8<---------------cut here---------------end--------------->8---
But googling for "IKEv2ALLOW" didn't return any valuable results. And some
logs:
--8<---------------cut here---------------start------------->8---
2011-03-20T09:25:02.064512+01:00 alfa pluto[11240]: Starting Pluto (Openswan Version 2.6.28; Vendor ID OEQ{O\177nez{CQ) pid:11240
2011-03-20T09:25:02.064788+01:00 alfa pluto[11240]: SAref support [disabled]: Protocol not available
2011-03-20T09:25:02.064991+01:00 alfa pluto[11240]: SAbind support [disabled]: Protocol not available
2011-03-20T09:25:02.065195+01:00 alfa pluto[11240]: Setting NAT-Traversal port-4500 floating to on
2011-03-20T09:25:02.065382+01:00 alfa pluto[11240]:    port floating activation criteria nat_t=1/port_float=1
2011-03-20T09:25:02.065601+01:00 alfa pluto[11240]:    NAT-Traversal support [enabled]
2011-03-20T09:25:02.065799+01:00 alfa pluto[11240]: using /dev/urandom as source of random entropy
2011-03-20T09:25:02.066506+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
2011-03-20T09:25:02.066711+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
2011-03-20T09:25:02.066896+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
2011-03-20T09:25:02.067079+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
2011-03-20T09:25:02.069593+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
2011-03-20T09:25:02.069895+01:00 alfa pluto[11240]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
2011-03-20T09:25:02.070082+01:00 alfa pluto[11240]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
2011-03-20T09:25:02.070383+01:00 alfa pluto[11240]: starting up 1 cryptographic helpers
2011-03-20T09:25:02.070829+01:00 alfa pluto[11240]: started helper pid=11243 (fd:7)
2011-03-20T09:25:02.076109+01:00 alfa pluto[11240]: Kernel interface auto-pick
2011-03-20T09:25:02.076482+01:00 alfa pluto[11240]: Using Linux 2.6 IPsec interface code on 2.6.35.5+1 (experimental code)
2011-03-20T09:25:02.077103+01:00 alfa pluto[11243]: using /dev/urandom as source of random entropy
2011-03-20T09:25:02.082896+01:00 alfa ipsec__plutorun: conn: "sslvpn" warning dpd settings are ignored unless both dpdtimeout= and dpddelay= are set
2011-03-20T09:25:02.221592+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
2011-03-20T09:25:02.221618+01:00 alfa pluto[11240]: ike_alg_add(): ERROR: Algorithm already exists
2011-03-20T09:25:02.221627+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
2011-03-20T09:25:02.221635+01:00 alfa pluto[11240]: ike_alg_add(): ERROR: Algorithm already exists
2011-03-20T09:25:02.221643+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
2011-03-20T09:25:02.221651+01:00 alfa pluto[11240]: ike_alg_add(): ERROR: Algorithm already exists
2011-03-20T09:25:02.221659+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
2011-03-20T09:25:02.221667+01:00 alfa pluto[11240]: ike_alg_add(): ERROR: Algorithm already exists
2011-03-20T09:25:02.221675+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
2011-03-20T09:25:02.221683+01:00 alfa pluto[11240]: ike_alg_add(): ERROR: Algorithm already exists
2011-03-20T09:25:02.221691+01:00 alfa pluto[11240]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
2011-03-20T09:25:02.297494+01:00 alfa pluto[11240]: Changed path to directory '/etc/ipsec.d/cacerts'
2011-03-20T09:25:02.297520+01:00 alfa pluto[11240]:   loaded CA cert file 'ca-kaczka.kjonca.pem' (1245 bytes)
2011-03-20T09:25:02.297528+01:00 alfa pluto[11240]: Changed path to directory '/etc/ipsec.d/aacerts'
2011-03-20T09:25:02.297536+01:00 alfa pluto[11240]: Changed path to directory '/etc/ipsec.d/ocspcerts'
2011-03-20T09:25:02.297543+01:00 alfa pluto[11240]: Changing to directory '/etc/ipsec.d/crls'
2011-03-20T09:25:02.297550+01:00 alfa pluto[11240]:   loaded crl file 'ca-kaczka.kjonca.srl' (524 bytes)
2011-03-20T09:25:02.298112+01:00 alfa pluto[11240]: connection must specify host IP address for our side
2011-03-20T09:25:02.298128+01:00 alfa ipsec__plutorun: 022 connection must specify host IP address for our side
2011-03-20T09:25:02.298136+01:00 alfa pluto[11240]: attempt to load incomplete connection
2011-03-20T09:25:02.298143+01:00 alfa ipsec__plutorun: 037 attempt to load incomplete connection
2011-03-20T09:25:02.338391+01:00 alfa pluto[11240]: listening for IKE messages
2011-03-20T09:25:02.338416+01:00 alfa pluto[11240]: NAT-Traversal: Trying new style NAT-T
2011-03-20T09:25:02.348005+01:00 alfa pluto[11240]: NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
2011-03-20T09:25:02.348031+01:00 alfa pluto[11240]: NAT-Traversal: Trying old style NAT-T
2011-03-20T09:25:02.348039+01:00 alfa pluto[11240]: adding interface lan/lan 192.168.200.200:500
2011-03-20T09:25:02.348046+01:00 alfa pluto[11240]: adding interface lan/lan 192.168.200.200:4500
2011-03-20T09:25:02.348052+01:00 alfa pluto[11240]: adding interface acn/acn 85.222.105.11:500
2011-03-20T09:25:02.348060+01:00 alfa pluto[11240]: adding interface acn/acn 85.222.105.11:4500
2011-03-20T09:25:02.348067+01:00 alfa pluto[11240]: adding interface lo/lo 127.0.0.1:500
2011-03-20T09:25:02.348074+01:00 alfa pluto[11240]: adding interface lo/lo 127.0.0.1:4500
2011-03-20T09:25:02.348081+01:00 alfa pluto[11240]: adding interface lo/lo ::1:500
2011-03-20T09:25:02.348088+01:00 alfa pluto[11240]: loading secrets from "/etc/ipsec.secrets"
2011-03-20T09:25:02.348095+01:00 alfa pluto[11240]: no secrets filename matched "/var/lib/openswan/ipsec.secrets.in"
2011-03-20T09:25:02.350174+01:00 alfa pluto[11240]:   loaded private key file '/etc/ipsec.d/private/alfa.kjonca.1.key' (951 bytes)
2011-03-20T09:25:02.350200+01:00 alfa pluto[11240]: loaded private key for keyid: PPK_RSA:AwEAAcQni
2011-03-20T09:25:02.350207+01:00 alfa ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
2011-03-20T09:25:02.350215+01:00 alfa ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
2011-03-20T09:25:02.350223+01:00 alfa ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
2011-03-20T09:25:02.350231+01:00 alfa ipsec__plutorun: 003 no secrets filename matched "/var/lib/openswan/ipsec.secrets.in"
--8<---------------cut here---------------end--------------->8---



--
http://sporothrix.wordpress.com/2011/01/16/usa-sie-krztusza-kto-nastepny/
Biology teaches that if something bit you, it is almost certain that it was a
female.



------------------------------

End of Users Digest, Vol 88, Issue 32