natt (again) in 7.2 stable and a forticlient
Ingo Flaschberger
if at xip.at
Fri Jul 24 12:06:20 UTC 2009
Dear Yvan,
>> I have tried to get NAT-T on FreeBSD 7.2-STABLE with your patch
>> http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
>> and ipsec-tools 0.7.2 and 0.8-alpha20090525+natt running,
>> but had no success.
>
> http://people.freebsd.org/~vanhu/NAT-T/patch-natt-7.2-2009-05-12.diff
> will work with ipsec-tools 0.7.2 but NOT with 0.8-alpha20090525+natt.
Seems to work with both versions.
>> negotiation works, but traffic from forticlient gives
>> esp_input_cb: authentication hash mismatch for packet in SA x.x.x.x/009320d9
>> error.
>
> Strange.... does this work with the same forticlient but without NAT-T ?
yes.
>> Also, there is no traffic seen incoming at the forticlient, but it leaves the
>> freebsd box.
>
> Are you sure you don't have "something strange" on your network ?
> For example an old and ugly "IKE proxy" which would try to "fix"
> traffic coming through UDP 500 ?
>
> Can you check what version of NAT-T is used by your forticlient ?
"draft"
If I use the RFC version of the http://shrew.net/ ipsec-client (2.1.5-rc-2),
NAT-T works.
> By default, ipsec-tools will announce support for RFC and drafts 00/01
> (we'll have to change that to only announce RFC by default).
I will try that.
> If forticlient announces/chooses drafts 00/01, and if there is some
> kind of IKE proxy on the way, it will probably just not work (and
> may explain authentication hash mismatches....).
I have tried that behind 2 different NAT gateways (FreeBSD and Linux) and there
was definitely no IKE proxy.
..
If I use the draft version with the http://shrew.net/ ipsec-client, I see
valid incoming packets (ICMP pings), but ipsec-client reports that the
ICMP ping return packets have an unknown phase 1 SA.
Kind regards,
Ingo Flaschberger
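As an added illustration of the vendor-ID negotiation discussed above (RFC 3947 versus the drafts 00/01 that ipsec-tools announces by default), here is a small Python script that is not part of this thread, of ipsec-tools or of FortiClient. It builds constructed IKEv1 messages carrying NAT-T vendor ID payloads, walks the payload chain, and shows which NAT-T version two peers would agree on under a given local policy. The vendor ID values are the MD5 digest of the draft or RFC name (RFC 3947 section 3.1 for "RFC 3947"; the drafts used the same convention). The two peers, the preference order and the "RFC only" policy are assumptions for the demo, not the real behaviour of any product.

```python
import hashlib
import struct

# NAT-T vendor IDs: MD5 of the draft/RFC name. draft-02 was seen in the wild
# both with and without a trailing newline, so both forms are listed.
NATT_VID_STRINGS = {
    "RFC 3947": "rfc",
    "draft-ietf-ipsec-nat-t-ike-03": "draft-03",
    "draft-ietf-ipsec-nat-t-ike-02\n": "draft-02",
    "draft-ietf-ipsec-nat-t-ike-02": "draft-02",
    "draft-ietf-ipsec-nat-t-ike-01": "draft-01",
    "draft-ietf-ipsec-nat-t-ike-00": "draft-00",
}
NATT_VIDS = {hashlib.md5(s.encode()).digest(): v for s, v in NATT_VID_STRINGS.items()}
VID_OF = {v: hashlib.md5(s.encode()).digest() for s, v in NATT_VID_STRINGS.items()}

# Assumed preference when both sides announce several versions (newest first).
PREFERENCE = ["rfc", "draft-03", "draft-02", "draft-01", "draft-00"]

# ISAKMP header: icookie, rcookie, next payload, version, exchange, flags, msgid, length
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
PAYLOAD_HDR = struct.Struct("!BBH")      # next payload, reserved, payload length
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_VID = 0, 1, 13


def build_ike_message(payloads):
    """Constructed IKEv1 Main Mode message from a list of (type, body)."""
    body = b""
    for i, (ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += PAYLOAD_HDR.pack(nxt, 0, PAYLOAD_HDR.size + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PAYLOAD_NONE
    hdr = ISAKMP_HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, 2, 0, 0,
                          ISAKMP_HDR.size + len(body))
    return hdr + body


def parse_payloads(msg):
    """Walk the payload chain; returns [(type, body)]. Rejects bad lengths."""
    _, _, nxt, ver, _, _, _, length = ISAKMP_HDR.unpack_from(msg, 0)
    if length != len(msg):
        raise ValueError("ISAKMP length field does not match datagram length")
    if ver >> 4 != 1:
        raise ValueError("not IKEv1")
    off, out = ISAKMP_HDR.size, []
    while nxt != PAYLOAD_NONE:
        if off + PAYLOAD_HDR.size > len(msg):
            raise ValueError("truncated payload header")
        pnext, _, plen = PAYLOAD_HDR.unpack_from(msg, off)
        if plen < PAYLOAD_HDR.size or off + plen > len(msg):
            raise ValueError("bad payload length")
        out.append((nxt, msg[off + PAYLOAD_HDR.size:off + plen]))
        nxt, off = pnext, off + plen
    return out


def is_well_formed(msg):
    try:
        parse_payloads(msg)
        return True
    except (ValueError, struct.error):
        return False


def natt_versions(msg):
    """Set of NAT-T versions the peer announced via vendor ID payloads."""
    return {NATT_VIDS[b] for t, b in parse_payloads(msg)
            if t == PAYLOAD_VID and b in NATT_VIDS}


def select_natt(local, peer):
    """Newest NAT-T version announced by both sides, or None (no NAT-T)."""
    for v in PREFERENCE:
        if v in local and v in peer:
            return v
    return None


# Constructed peers (assumptions): a draft-only client and an RFC 3947 client.
# The SA payload body is a placeholder; only the chain walk cares about it.
DRAFT_ONLY_PEER_MSG = build_ike_message([
    (PAYLOAD_SA, b"\x00" * 8),
    (PAYLOAD_VID, VID_OF["draft-00"]),
    (PAYLOAD_VID, VID_OF["draft-01"]),
])
RFC_PEER_MSG = build_ike_message([(PAYLOAD_SA, b"\x00" * 8), (PAYLOAD_VID, VID_OF["rfc"])])

DEFAULT_LOCAL = {"rfc", "draft-00", "draft-01"}   # what the thread says ipsec-tools announces
RFC_ONLY_LOCAL = {"rfc"}                           # the proposed new default

if __name__ == "__main__":
    for name, msg in (("draft-only peer", DRAFT_ONLY_PEER_MSG), ("RFC peer", RFC_PEER_MSG)):
        peer = natt_versions(msg)
        print(name, "announces", sorted(peer))
        print("  default policy ->", select_natt(DEFAULT_LOCAL, peer))
        print("  RFC-only policy ->", select_natt(RFC_ONLY_LOCAL, peer))
```

Run as-is it shows the consequence of the change Yvan mentions: with the default set the draft-only peer ends up on draft-01, while with "RFC only" announced there is no common version at all, so such a peer would fall back to plain IKE/ESP rather than NAT-T. That is worth knowing before narrowing the default, and it does not by itself explain an ESP authentication failure on an SA that was already negotiated.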