From: Marcus D. L. <ml...@no...> - 2005-04-27 19:13:12
I did some testing of today's HEAD in my racoon<--->racoon configuration.
Functionality appears to have been restored.

A reminder of my config: roadwarrior behind NAT talking to racoon server,
both ends configured to either use hybrid_rsa or xauth_rsa, with modecfg,
nat-t, and dpd. The server uses an external RADIUS server for verifying
passwords.

Something I tested this afternoon was TWO of these roadwarriors behind the
same NAT (a D-LINK DI-624). The second roadwarrior coming online appears to
steal the modecfg-ed address of the first. I thought that I had read that
multiple-warriors behind NATs was now supported, but perhaps I mis-read
something.

-- 
Marcus Leech                          Mail: Dept 1A12, M/S: 04352P16
Security Standards Advisor            Phone: (ESN) 393-9145  +1 613 763 9145
Strategic Standards, CTO Office
Nortel Networks                       ml...@no...
From: Andreas N. <Andreas.Nobel@FernUni-Hagen.de> - 2005-04-27 19:23:01
> I thought that I had read that multiple-warriors behind NATs was now
> supported, but perhaps I mis-read something.

"Make sure port numbers are retained in SA and policies so that NAT-T can
work with multiple peers behind the same NAT. This also requires code in
the kernel, which has been committed to the NetBSD kernel for now. Also
display ports in policies in setkey -DP"

No one has ported Manu's work to the Linux kernel yet.
From: <ma...@ne...> - 2005-04-27 19:28:50
Marcus D. Leech <ml...@no...> wrote:

> Something I tested this afternoon was TWO of these roadwarriors
> behind the same NAT (a D-LINK DI-624). The second roadwarrior coming online
> appears to steal the modecfg-ed address of the first. I thought
> that I had read that multiple-warriors behind NATs was now supported,
> but perhaps I mis-read something.

Yes: it requires kernel support to work properly, and only NetBSD has that
so far. What OS do you use?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
ma...@ne...
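As an added illustration of the point made in Andreas's and Emmanuel's replies above, and not code from this thread, ipsec-tools or any BSD kernel: a constructed model of a gateway's NAT-T peer table keyed on address only versus address plus UDP port, showing why the second roadwarrior behind the same NAT displaces the first when only the address is used as the key. All names, the SPIs and the 203.0.113.5 / port values are hypothetical.

```c
#include <stdint.h>

/* Constructed model (hypothetical, not kernel code) of a gateway's NAT-T
 * peer state. Two clients behind one NAT share its public address; only
 * the UDP source port the NAT assigned to each ESP-in-UDP flow differs. */
struct natt_peer {
    uint32_t addr;   /* public address of the NAT, same for both clients */
    uint16_t port;   /* NAT-assigned UDP port of this client's 4500 flow */
    uint32_t spi;    /* inbound SPI installed for this client */
};

#define MAX_PEERS 8
struct peer_table {
    struct natt_peer ent[MAX_PEERS];
    int n;
    int key_on_port; /* 0: address only (old behaviour), 1: address + port */
};

/* Matching entry index or -1; address-only keying ignores the port. */
static int peer_find(const struct peer_table *t, uint32_t addr, uint16_t port)
{
    for (int i = 0; i < t->n; i++)
        if (t->ent[i].addr == addr && (!t->key_on_port || t->ent[i].port == port))
            return i;
    return -1;
}

/* Install a peer, overwriting a matching entry; 1 = replaced, 0 = added, -1 = full. */
static int peer_install(struct peer_table *t, uint32_t addr, uint16_t port, uint32_t spi)
{
    int i = peer_find(t, addr, port), replaced = (i >= 0);
    if (!replaced) {
        if (t->n == MAX_PEERS) return -1;
        i = t->n++;
    }
    t->ent[i] = (struct natt_peer){ addr, port, spi };
    return replaced;
}

/* Bring two constructed roadwarriors up behind NAT 203.0.113.5 and return
 * the SPI the gateway now associates with the first one's flow. */
static uint32_t first_peer_spi_after_second_joins(int key_on_port)
{
    struct peer_table t = { .n = 0, .key_on_port = key_on_port };
    const uint32_t nat = 0xCB007105u;      /* 203.0.113.5 as a host-order word */
    peer_install(&t, nat, 4500, 0x1001);   /* first client keeps port 4500 */
    peer_install(&t, nat, 61234, 0x2002);  /* second client's port is remapped */
    int i = peer_find(&t, nat, 4500);
    return i < 0 ? 0 : t.ent[i].spi;       /* 0x2002 = stolen, 0x1001 = kept */
}
```

With address-only keying the second client's install overwrites the first client's entry, which is the "stolen" behaviour Marcus observed; keying on the port as well keeps both peers distinct.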
From: Larry B. <la...@gt...> - 2005-04-28 15:43:48
Attachments:
freebsd_nat-t.diff
For your enjoyment please find attached updated FreeBSD NAT-T patches.
These patches are an attempt to sync the FreeBSD patches up with what has
been committed to NetBSD. I missed the ESP fragment support in
src/sys/netinet/ip_output.c. I'll add this later.

I also added support for using NAT-T from multiple clients with the same
IP address with FAST_IPSEC. The IPSEC patches for multiple clients match
those committed to NetBSD. I have not done any testing with IPSEC other
than making sure things compile.

Larry

-- 
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: la...@gt...                 | TEL 407-380-0220, FAX 407-380-6080
From: <ma...@ne...> - 2005-04-28 19:04:33
Larry Baird <la...@gt...> wrote:

> I also added support for using NAT-T from multiple clients with the
> same ip address with FAST_IPSEC. The IPSEC patches for multiple clients
> match those committed to NetBSD. I have not done any testing with IPSEC
> other than making sure things compile.

Did you test the FAST_IPSEC version?

-- 
Emmanuel Dreyfus
Le cahier de l'admin BSD, 2nd ed., is in all good bookshops
http://www.eyrolles.com/Informatique/Livre/9782212114638/livre-bsd.php
ma...@ne...
From: Larry B. <la...@gt...> - 2005-04-29 12:56:15
On Thu, Apr 28, 2005 at 09:04:26PM +0200, Emmanuel Dreyfus wrote:
> Larry Baird <la...@gt...> wrote:
>
> > I also added support for using NAT-T from multiple clients with the
> > same ip address with FAST_IPSEC. The IPSEC patches for multiple clients
> > match those committed to NetBSD. I have not done any testing with IPSEC
> > other than making sure things compile.
>
> Did you test the FAST_IPSEC version?

Yes. I configured two greenbow clients behind the same NAT device with
small lifetimes. I then started continuous pings from both of the client
workstations. No problems were found.

Larry

-- 
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: la...@gt...                 | TEL 407-380-0220, FAX 407-380-6080
From: VANHULLEBUS Y. <va...@fr...> - 2005-04-29 14:37:14
On Fri, Apr 29, 2005 at 08:56:08AM -0400, Larry Baird wrote:
> Yes. I configured two greenbow clients behind the same NAT device
> with small lifetimes. I then started continuous pings from both of
> the client workstations. No problems were found.

Hi.

I just made a *really quick* review of the diff between a sys tree +
"official" patch and a sys tree with your new version of the patch.

You should at least do a sed /IPSEC_NAT_T/ENABLE_NATT/ on the source
tree, or a sed /ENABLE_NATT/IPSEC_NAT_T/ if you want, or something
else, I don't know, but at least have a single define for all NAT-T
code in the kernel !!!

I'll try to do some more checks on that patch (without FAST_IPSEC, but
with multiple IPSEC peers behind the same IP) in the next days, then
commit it, as it seems to work with FAST_IPSEC.

Yvan.
From: Larry B. <la...@gt...> - 2005-04-29 15:08:20
Yvan,

> I just made a *really quick* review of the diff between a sys tree +
> "official" patch and a sys tree with your new version of the patch.
>
> You should at least do a sed /IPSEC_NAT_T/ENABLE_NATT/ on the source
> tree, or a sed /ENABLE_NATT/IPSEC_NAT_T/ if you want, or something
> else, I don't know, but at least have a single define for all NAT-T
> code in the kernel !!!

As I emailed you before, I like the option name IPSEC_NAT_T much better
than ENABLE_NATT. Feel free to make this change in the patch. I'll do the
same.

> I'll try to do some more checks on that patch (without FAST_IPSEC, but
> with multiple IPSEC peers behind the same IP) in the next days, then
> commit it, as it seems to work with FAST_IPSEC.

What do you mean by commit it?

Larry

-- 
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: la...@gt...                 | TEL 407-380-0220, FAX 407-380-6080
From: Emmanuel D. <ma...@ne...> - 2005-04-29 15:27:27
On Fri, Apr 29, 2005 at 11:08:16AM -0400, Larry Baird wrote:
> > I'll try to do some more checks on that patch (without FAST_IPSEC, but
> > with multiple IPSEC peers behind the same IP) in the next days, then
> > commit it, as it seems to work with FAST_IPSEC.
> What do you mean by commit it?

Yvan maintains a copy of the patch on the ipsec-tools web site.
Of course it would be better to have it committed in FreeBSD CVS.

-- 
Emmanuel Dreyfus
ma...@ne...
From: Larry B. <la...@gt...> - 2005-04-29 15:51:01
On Fri, Apr 29, 2005 at 03:27:24PM +0000, Emmanuel Dreyfus wrote:
> On Fri, Apr 29, 2005 at 11:08:16AM -0400, Larry Baird wrote:
> > > I'll try to do some more checks on that patch (without FAST_IPSEC, but
> > > with multiple IPSEC peers behind the same IP) in the next days, then
> > > commit it, as it seems to work with FAST_IPSEC.
> > What do you mean by commit it?
>
> Yvan maintains a copy of the patch on the ipsec-tools web site.
> Of course it would be better to have it committed in FreeBSD CVS.

I have been exchanging email with Sam Leffler about getting the patches
committed to FreeBSD. After the patches have been verified by a few
others, he has agreed to commit them to FreeBSD head and then to MFC them.

Larry

-- 
------------------------------------------------------------------------
Larry Baird                        | http://www.gta.com
Global Technology Associates, Inc. | Orlando, FL
Email: la...@gt...                 | TEL 407-380-0220, FAX 407-380-6080
From: VANHULLEBUS Y. <va...@fr...> - 2005-04-29 15:23:28
On Fri, Apr 29, 2005 at 11:08:16AM -0400, Larry Baird wrote:
> Yvan,
>
> > I just made a *really quick* review of the diff between a sys tree +
> > "official" patch and a sys tree with your new version of the patch.
> >
> > You should at least do a sed /IPSEC_NAT_T/ENABLE_NATT/ on the source
> > tree, or a sed /ENABLE_NATT/IPSEC_NAT_T/ if you want, or something
> > else, I don't know, but at least have a single define for all NAT-T
> > code in the kernel !!!
> As I emailed you before, I like the option name IPSEC_NAT_T much better
> than ENABLE_NATT. Feel free to make this change in the patch. I'll
> do the same.

Yes, IPSEC_NAT_T may be a better choice, I'll clean that up during the
review...

> > I'll try to do some more checks on that patch (without FAST_IPSEC, but
> > with multiple IPSEC peers behind the same IP) in the next days, then
> > commit it, as it seems to work with FAST_IPSEC.
> What do you mean by commit it?

Committing on the htdoc CVS, which is the base repository for the web
site, where the patch can currently be found.

And we should do "something" to make such patches easier to find...

Yvan.
From: Eric M. <e-m...@ki...> - 2005-04-29 15:39:23
VANHULLEBUS Yvan <va...@fr...> writes:

Hi Yvan,

> Committing on the htdoc CVS, which is the base repository for the web
> site, where the patch can currently be found.

Which branch is your patch against?

Éric Masson

-- 
Normally a child is allowed to ride in the front of the car from the age
of 10, the age from which he counts as one person. Before that he only
counts as half a person.
-+- MCG in : <http://www.le-gnu.net> - En voiture Simone -+-