natt (again) in 7.2 stable and a forticlient
VANHULLEBUS Yvan
vanhu at FreeBSD.org
Fri Jul 24 08:29:18 UTC 2009
On Thu, Jul 23, 2009 at 10:15:25PM +0200, Ingo Flaschberger wrote:
> Dear Yvan,
Hi.
> I have tried to get natt at freebsd 7.2 stable with your patch
> http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
> and ipsec-tools 0.7.2 and 0.8-alpha20090525+natt running,
> but have no success.
http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
will work with ipsec-tools 0.7.2 but NOT with 0.8-alpha20090525+natt.
> negotiation works, but traffic from forticlient gives
> esp_input_cb: authentication hash mismatch for packet in SA x.x.x.x/009320d9
> error.
Strange... does this work with the same forticlient but without NAT-T?
> Also there is no traffic seen incoming at the forticlient, but leaves the
> freebsd-box.
Are you sure you don't have "something strange" on your network?
For example, an old and ugly "IKE proxy" which tries to "fix"
traffic coming through UDP 500?
Can you check what version of NAT-T is used by your forticlient?
By default, ipsec-tools will announce support for RFC and drafts 00/01
(we'll have to change that to only announce RFC by default).
If forticlient announces/chooses drafts 00/01, and if there is some
kind of IKE proxy on the way, it probably just won't work (and
may explain authentication hash mismatches...).
> I have tried to figure out changes at freebsd 8.0 and the patchset
> http://people.freebsd.org/~bz/20090523-04-natt.diff, but that is at some
> places new code.
There are some changes, but basically, the code does the same thing
(but it does it in a cleaner way :-) ).
> Do you have any idea what breaks?
> Will it work at 8.0? and does it make sense to go with 8.0?
> (have seen some other ipsec patches from you that address stability)
You can also try 8.0 with a recent ipsec-tools HEAD, but I guess
you'll have the same result.
Yvan.
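Added example (not code from this thread, ipsec-tools or FortiClient): the NAT-T
version question above is answered by the Vendor ID payloads in the first phase 1
message. Each NAT-T version is announced as a Vendor ID whose body is the MD5 of
the document name ("RFC 3947" for the final version, the draft file names for the
drafts, RFC 3947 section 3). The script below parses an ISAKMP packet, lists the
NAT-T versions a peer announces and picks the most recent one both sides share.
The sample packets, the cookies and the preference order are constructed for the
example; the racoon announcement list (RFC plus drafts 00/01) follows Yvan's
description above.

```python
"""Classify the NAT-T versions a peer announces in its IKEv1 phase 1 message.

Added example for this thread (not ipsec-tools or FortiClient code). NAT-T
support is advertised by Vendor ID payloads whose body is the MD5 of the
document name (RFC 3947, section 3; the drafts used their own file names).
The sample packets below are constructed, not real captures.
"""
import hashlib
import struct

ISAKMP_HEADER_LEN = 28
PAYLOAD_SA = 1
PAYLOAD_VENDOR_ID = 13

# Most recent first; this is the preference order used by this example.
NAT_T_VERSIONS = [
    "RFC 3947",
    "draft-ietf-ipsec-nat-t-ike-03",
    "draft-ietf-ipsec-nat-t-ike-02\n",   # variant with a trailing newline
    "draft-ietf-ipsec-nat-t-ike-02",
    "draft-ietf-ipsec-nat-t-ike-01",
    "draft-ietf-ipsec-nat-t-ike-00",
]
# Vendor ID body -> human-readable name
NAT_T_VIDS = {hashlib.md5(v.encode()).digest(): v for v in NAT_T_VERSIONS}


def vendor_id(name):
    """Vendor ID body for a NAT-T document name (MD5 of the name)."""
    return hashlib.md5(name.encode()).digest()


def iter_payloads(packet):
    """Yield (payload_type, body) for each payload in an ISAKMP packet,
    validating the header length field and every payload length."""
    if len(packet) < ISAKMP_HEADER_LEN:
        raise ValueError("short ISAKMP header")
    next_type = packet[16]                        # next payload field
    total_len = struct.unpack_from("!I", packet, 24)[0]
    if total_len != len(packet):
        raise ValueError("header length %d != packet length %d"
                         % (total_len, len(packet)))
    off = ISAKMP_HEADER_LEN
    while next_type != 0:
        if off + 4 > len(packet):
            raise ValueError("truncated payload header")
        nxt, _reserved, plen = struct.unpack_from("!BBH", packet, off)
        if plen < 4 or off + plen > len(packet):
            raise ValueError("bad payload length %d at offset %d" % (plen, off))
        yield next_type, packet[off + 4:off + plen]
        next_type, off = nxt, off + plen
    if off != len(packet):
        raise ValueError("trailing bytes after last payload")


def announced_nat_t_versions(packet):
    """Names of the NAT-T versions announced via Vendor ID payloads, in
    packet order; Vendor IDs that are not NAT-T versions are ignored."""
    return [NAT_T_VIDS[body]
            for ptype, body in iter_payloads(packet)
            if ptype == PAYLOAD_VENDOR_ID and body in NAT_T_VIDS]


def select_nat_t_version(ours, theirs):
    """Most recent version both sides announced, or None if there is no
    overlap (then NAT-T is simply not used for this negotiation)."""
    common = set(ours) & set(theirs)
    for version in NAT_T_VERSIONS:
        if version in common:
            return version
    return None


def build_phase1_packet(vid_names):
    """Constructed IKEv1 main mode first message: ISAKMP header, a minimal
    SA payload (DOI IPsec, situation identity-only, no proposals), then one
    Vendor ID payload per name. Sample input only, not a real capture."""
    chain = [(PAYLOAD_SA, struct.pack("!II", 1, 1))]
    chain += [(PAYLOAD_VENDOR_ID, vendor_id(n)) for n in vid_names]
    body = b""
    for i, (ptype, data) in enumerate(chain):
        nxt = chain[i + 1][0] if i + 1 < len(chain) else 0
        body += struct.pack("!BBH", nxt, 0, 4 + len(data)) + data
    header = struct.pack("!8s8sBBBBII",
                         b"\x11" * 8,      # initiator cookie (made up)
                         b"\x00" * 8,      # responder cookie, not yet set
                         chain[0][0],      # first payload type
                         0x10,             # ISAKMP version 1.0
                         2,                # exchange: identity protection
                         0,                # flags
                         0,                # message ID, 0 in phase 1
                         ISAKMP_HEADER_LEN + len(body))
    return header + body


if __name__ == "__main__":
    # What Yvan says ipsec-tools announces by default: RFC plus drafts 00/01.
    racoon = build_phase1_packet(["RFC 3947",
                                  "draft-ietf-ipsec-nat-t-ike-01",
                                  "draft-ietf-ipsec-nat-t-ike-00"])
    # A hypothetical client that only speaks draft-00.
    client = build_phase1_packet(["draft-ietf-ipsec-nat-t-ike-00"])
    ours = announced_nat_t_versions(racoon)
    theirs = announced_nat_t_versions(client)
    print("racoon announces:", ours)
    print("client announces:", theirs)
    print("negotiated:", select_nat_t_version(ours, theirs))
```

To check a real client, feed the UDP/500 payload of its first phase 1 message
(e.g. extracted from a packet capture) to announced_nat_t_versions(); if the
only common version is a draft, that is the case Yvan describes where an IKE
proxy in the path is most likely to break things.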