FAST_IPSEC NAT-T support
Norikatsu Shigemura
nork at FreeBSD.org
Sun Sep 24 07:54:02 PDT 2006
On Thu, 14 Sep 2006 09:30:34 -0400
Larry Baird <lab at gta.com> wrote:
> Please find attached two patches for adding FAST_IPSEC NAT-T support to
> FreeBSD 6.x. The patch "freebsd6-fastipsec-natt.diff" is dependent
> upon Yvan's IPSEC NAT-T patch "freebsd6-natt.diff" which can be found at
> http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/. The second
> patch "freebsd6-ipsec-fastipsec-natt.diff" is a cumulative patch
> combining both patches together.
Thanks for your great work!
I'm testing IPSec NAT-T BETWEEN 6.2-PRERELEASE with
freebsd6-ipsec-fastipsec-natt.diff + nokey.diff AND Windows XP in the
following environment:
                              The Internet
-------------+----------------------------------+---------------
             | ipfw but throw                   | no firewall
             |                                  | no ipfw
             |                                  |
        WAN  | 219.127.74.120              WAN  | A.A.A.A
+------------+-------------+     +--------------+--------------+
| FreeBSD 4-stable NAT BOX |     |FreeBSD 6-stable IPSec Router|
+------------+-------------+     +-----------------------------+
        LAN  | 192.168.36.1
             |
             | 192.168.36.6
+------------+-------------+
| Windows XP Professional  |
+--------------------------+
kernel configuration:
options FAST_IPSEC
options IPSEC_NAT_T
And I already ran:
make buildworld buildkernel && make installworld installkernel && shutdown -r now
# uname -a
FreeBSD AAAA 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #54: Sun Sep 24 22:41:00 JST 2006 root at AAAA:/usr/obj/usr/src/sys/AAAA i386
# pkg_info | grep ipsec
ipsec-tools-0.6.6 KAME racoon IKE daemon, ipsec-tools version
(some customized version:-)
# cat /var/db/ports/ipsec-tools/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for ipsec-tools-0.6.6
_OPTIONS_READ=ipsec-tools-0.6.6
WITHOUT_DEBUG=true
WITH_IPV6=true
WITH_ADMINPORT=true
WITH_STATS=true
WITH_DPD=true
WITH_NATT=true
WITH_FRAG=true
WITHOUT_HYBRID=true
WITHOUT_PAM=true
WITHOUT_GSSAPI=true
WITHOUT_RADIUS=true
WITHOUT_SAUNSPEC=true
WITHOUT_RC5=true
WITHOUT_IDEA=true
I couldn't dial up the VPN from Windows XP for some reason, and I
don't know what's happening :-(. Please give me a hint!
1. Windows XP didn't provide any identifier.
racoon will handle only REMOTE-IP. But Windows machines
cannot dial up the VPN from anywhere :-(. So I made a quite ad-hoc
patch. Do you have any idea?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--- src/racoon/oakley.c.orig Tue Oct 4 18:54:27 2005
+++ src/racoon/oakley.c Sun Sep 24 18:45:33 2006
@@ -2383,8 +2383,11 @@
*/
iph1->authstr = getpskbyaddr(iph1->remote);
if (iph1->authstr == NULL) {
+ iph1->authstr = privsep_getpsk("(*dialup*)", 10);
+ }
+ if (iph1->authstr == NULL) {
plog(LLV_ERROR, LOCATION, iph1->remote,
- "couldn't find the pskey for %s.\n",
+ "couldn't find the pskey for %s or '(*dialup*)'.\n",
saddrwop2str(iph1->remote));
goto end;
}
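Review bot: The new fallback `iph1->authstr = privsep_getpsk("(*dialup*)", 10);` runs for every peer whose address is missing from psk.txt, so one shared key silently authenticates any unknown initiator that reaches this responder; gate it on a configuration option (or at least on the remote block that has nat_traversal enabled) instead of making it unconditional, and add a plog at INFO when the dial-up key is used so the fallback is visible in racoon.log. The hard-coded length 10 also duplicates the literal; `strlen("(*dialup*)")` keeps the two in step if the marker ever changes.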
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2. Main mode with pre-shared key doesn't handle FQDN.
I don't know why Windows XP provides IPSECDOI_ID_FQDN. But
ipsecdoi_checkid1 in ipsec_doi.c doesn't complete :-(. So
I made an ad-hoc patch :-(.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--- src/racoon/ipsec_doi.c.orig Thu Feb 2 23:37:17 2006
+++ src/racoon/ipsec_doi.c Sun Sep 24 23:28:42 2006
@@ -3277,10 +3277,9 @@
iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
if (id_b->type != IPSECDOI_ID_IPV4_ADDR
&& id_b->type != IPSECDOI_ID_IPV6_ADDR) {
- plog(LLV_ERROR, LOCATION, NULL,
+ plog(LLV_WARNING, LOCATION, NULL,
"Expecting IP address type in main mode, "
"but %s.\n", s_ipsecdoi_ident(id_b->type));
- return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
}
}
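Review bot: Dropping `return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` and lowering the plog to LLV_WARNING disables the main-mode PSK identity check for every peer, not only the Windows XP case: as the first patch shows, in main mode the key is chosen with getpskbyaddr() before the ID payload can be read, so this branch is the only place that verifies the claimed identity is consistent with that address-based lookup. The log line "Expecting IP address type in main mode, but FQDN." confirms the branch is hit, so the patch does what was intended; a narrower change would accept a non-address ID only when NAT-T is in use for that phase 1 and keep returning the notify otherwise.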
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
3. I don't know why there is no communication between FreeBSD and Windows.
Between 23:02:18 and 23:02:53, Windows XP re-sent some packets.
But FreeBSD didn't respond to them. So Windows XP gave up.
/var/log/racoon.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sep 24 22:59:42 AAAA racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
Sep 24 22:59:42 AAAA racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[4500] used as isakmp port (fd=8)
Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[4500] used for NAT-T
Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[500] used as isakmp port (fd=9)
Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[500] used for NAT-T
Sep 24 23:02:18 AAAA racoon: INFO: respond new phase 1 negotiation: A.A.A.A[500]<=>219.127.74.120[500]
Sep 24 23:02:18 AAAA racoon: INFO: begin Identity Protection mode.
Sep 24 23:02:18 AAAA racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Sep 24 23:02:18 AAAA racoon: INFO: received Vendor ID: FRAGMENTATION
Sep 24 23:02:18 AAAA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 24 23:02:18 AAAA racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg1): 0.001648
Sep 24 23:02:18 AAAA racoon: INFO: Hashing A.A.A.A[500] with algo #2
Sep 24 23:02:18 AAAA racoon: INFO: NAT-D payload #0 verified
Sep 24 23:02:18 AAAA racoon: INFO: Hashing 219.127.74.120[500] with algo #2
Sep 24 23:02:18 AAAA racoon: INFO: NAT-D payload #1 doesn't match
Sep 24 23:02:18 AAAA racoon: INFO: NAT detected: PEER
Sep 24 23:02:18 AAAA racoon: oakley_dh_generate(MODP1024): 0.016724
Sep 24 23:02:18 AAAA racoon: INFO: Hashing 219.127.74.120[500] with algo #2
Sep 24 23:02:18 AAAA racoon: INFO: Hashing A.A.A.A[500] with algo #2
Sep 24 23:02:18 AAAA racoon: INFO: Adding remote and local NAT-D payloads.
Sep 24 23:02:18 AAAA racoon: oakley_dh_compute(MODP1024): 0.019675
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000079
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000020
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000017
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg2): 0.044966
Sep 24 23:02:18 AAAA racoon: INFO: NAT-T: ports changed to: 219.127.74.120[4500]<->A.A.A.A[4500]
Sep 24 23:02:18 AAAA racoon: INFO: KA list add: A.A.A.A[4500]->219.127.74.120[4500]
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000114
Sep 24 23:02:18 AAAA racoon: WARNING: Expecting IP address type in main mode, but FQDN.
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=479): 0.000039
Sep 24 23:02:18 AAAA racoon: oakley_validate_auth(pre-shared key): 0.000094
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=476): 0.000025
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=40): 0.000018
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg3): 0.000617
Sep 24 23:02:18 AAAA racoon: phase1(Identity Protection): 0.187999
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000020
Sep 24 23:02:18 AAAA racoon: INFO: ISAKMP-SA established A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
Sep 24 23:02:18 AAAA racoon: INFO: respond new phase 2 negotiation: A.A.A.A[4500]<=>219.127.74.120[4500]
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=272): 0.000047
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=251): 0.000027
Sep 24 23:02:18 AAAA racoon: INFO: no policy found, try to generate the policy : 219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in
Sep 24 23:02:18 AAAA racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Sep 24 23:02:18 AAAA racoon: INFO: Adjusting peer's encmode UDP-Transport(61444)->Transport(2)
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:AES peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:CAST peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: authtype mismatched: my:hmac-sha256 peer:hmac-md5
Sep 24 23:02:18 AAAA racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Sep 24 23:02:18 AAAA racoon: phase2(???): 0.000984
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=135): 0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=136): 0.000039
Sep 24 23:02:18 AAAA racoon: phase2(quick R msg1): 0.006437
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=24): 0.000032
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000031
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000018
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000016
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000018
Sep 24 23:02:18 AAAA racoon: phase2(???): 0.000755
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport 219.127.74.120[4500]->A.A.A.A[4500] spi=74428117(0x46faed5)
Sep 24 23:02:18 AAAA racoon: phase2(quick): 1159106538.353179
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport A.A.A.A[4500]->219.127.74.120[4500] spi=106731081(0x65c9649)
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in"
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "A.A.A.A/32[1701] 219.127.74.120/32[4500] proto=udp dir=out"
(sleep about 45sec)
Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000041
Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000029
Sep 24 23:02:53 AAAA racoon: INFO: generated policy, deleting it.
Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA proto_id=ESP spi=106731081.
Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000034
Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000023
Sep 24 23:02:53 AAAA racoon: INFO: purging ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA spi=74428117.
Sep 24 23:02:53 AAAA racoon: INFO: purged ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
Sep 24 23:02:54 AAAA racoon: INFO: ISAKMP-SA deleted A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
Sep 24 23:02:54 AAAA racoon: INFO: KA remove: A.A.A.A[4500]->219.127.74.120[4500]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
my racoon.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
    isakmp A.A.A.A[500];
    isakmp_natt A.A.A.A[4500];
}

timer
{
    natt_keepalive 10 sec;
}

remote anonymous
{
    exchange_mode main;
    nat_traversal on;
    generate_policy on;
    proposal_check obey;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
}

sainfo anonymous
{
    pfs_group modp1024;
    lifetime time 28800 sec;
    encryption_algorithm aes,blowfish,cast128,3des;
    authentication_algorithm hmac_sha256,hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
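As an added example (not part of this post or of ipsec-tools), a small Python pass over the racoon log quoted above that pulls out the events behind items 2 and 3: the FQDN identity warning, the generated policy that racoon later cannot find, the failed SPD delete, and how long the ISAKMP SA lived. It assumes only the syslog line format seen in /var/log/racoon.log above; the sample input is an abridged copy of those lines.

```python
import re
from datetime import datetime

# Sample input: lines taken from the racoon log quoted in the post above (abridged).
SAMPLE_LOG = """\
Sep 24 23:02:18 AAAA racoon: WARNING: Expecting IP address type in main mode, but FQDN.
Sep 24 23:02:18 AAAA racoon: INFO: ISAKMP-SA established A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
Sep 24 23:02:18 AAAA racoon: INFO: no policy found, try to generate the policy : 219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in"
Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
Sep 24 23:02:54 AAAA racoon: INFO: ISAKMP-SA deleted A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
"""

# syslog timestamp, host, "racoon:", optional level (timing lines have none), message
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: (?:(INFO|WARNING|ERROR): )?(.*)$")

def summarize(text):
    # Walk one negotiation and record the events that matter for diagnosis.
    s = {"fqdn_in_main": False, "up": None, "down": None,
         "generated": [], "unacked": [], "spd_delete_fail": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. "last message repeated 2 times"
        ts, msg = datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(3)
        if msg.startswith("Expecting IP address type in main mode"):
            s["fqdn_in_main"] = True  # the check the second patch downgrades to a warning
        elif msg.startswith("ISAKMP-SA established"):
            s["up"] = ts
        elif msg.startswith("ISAKMP-SA deleted"):
            s["down"] = ts
        elif "try to generate the policy : " in msg:
            s["generated"].append(msg.split(" : ", 1)[1])
        elif msg.startswith("such policy does not already exist"):
            s["unacked"].append(msg.split(": ", 1)[1].strip('"'))
        elif msg.startswith("pfkey X_SPDDELETE failed"):
            s["spd_delete_fail"] += 1
    return s

def findings(s):
    # Turn the summary into short, checkable findings.
    out = []
    if s["fqdn_in_main"]:
        out.append("non-address ID in main mode with PSK: key can only be chosen by address")
    if any(p in s["unacked"] for p in s["generated"]):
        out.append("generated SPD entry never acknowledged; compare with 'setkey -DP'")
    if s["spd_delete_fail"]:
        out.append("kernel rejected SPD delete: racoon's policy cache and kernel SPD disagree")
    if s["up"] and s["down"]:
        out.append("ISAKMP SA torn down %ds after establishment" % (s["down"] - s["up"]).seconds)
    return out
```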