From: Marcus L. <ml...@no...> - 2005-08-23 21:50:21

I'm running HEAD from last week, with a 2.6.12.4 kernel. NAT-T appears not to work -- it could be my NAT box, but the Contivity client works through it. I'm running 2.6.12.4, with the same version of ipsec-tools on both the client and server. Is NAT-T broken, or do I need to look elsewhere?

-- 
Marcus Leech                        Mail: Dept 1A12, M/S: 04352P16
Security Standards Advisor          Phone: (ESN) 393-9145  +1 613 763 9145
Advanced Technology Research
Nortel Networks                     ml...@no...
From: Matthias S. <mat...@ta...> - 2005-08-23 22:23:36

On Tue, Aug 23, 2005 at 05:49:42PM -0400, Marcus Leech wrote:
> NAT-T appears not to work

*What* does not work? The IKE negotiation or IPSec after the IKE negotiation?

> I'm running 2.6.12.4, with the same version of ipsec-tools on both the client
> and server.

And which version of ipsec-tools is that?

> Is NAT-T broken, or do I need to look elsewhere?

NAT-T works fine under NetBSD 3.0_BETA with ipsec-tools 0.6.1.

	Kind regards

-- 
Matthias Scheler                  Phone: +44 1223 200 648
Senior Software Developer         Fax:   +44 1223 200 641
Tadpole Computer Ltd.
From: Marcus L. <ml...@no...> - 2005-08-23 22:31:30

Matthias Scheler wrote:
> On Tue, Aug 23, 2005 at 05:49:42PM -0400, Marcus Leech wrote:
>> NAT-T appears not to work
>
> *What* does not work? The IKE negotiation or IPSec after the IKE negotiation?
>
IKE negotiation stalls shortly after startup, with it eventually timing out. This worked several months ago, with a 2.6.11 kernel, and HEAD from several months ago.

> And which version of ipsec-tools is that?
>
HEAD from last week. Racoon starts a new phase 1 negotiation, begins aggressive mode, then gets a failure due to timeout.

-- 
Marcus Leech                        Mail: Dept 1A12, M/S: 04352P16
Security Standards Advisor          Phone: (ESN) 393-9145  +1 613 763 9145
Advanced Technology Research
Nortel Networks                     ml...@no...
From: Matthias S. <mat...@ta...> - 2005-08-23 22:33:55

On Tue, Aug 23, 2005 at 06:31:08PM -0400, Marcus Leech wrote:
>> *What* does not work? The IKE negotiation or IPSec after the IKE
>> negotiation?
> IKE negotiation stalls shortly after startup, with it eventually timing out.
> This worked several months ago, with a 2.6.11 kernel, and HEAD from several
> months ago.

That sounds like a problem with your NAT router. Have you tried to enable "ike_frag"?

> Racoon starts a new phase 1 negotiation, begins aggressive mode, then gets a
> failure due to timeout.

Have you tried using "tcpdump" or "ethereal" on both sides to find out where the packets get lost?

	Kind regards

-- 
Matthias Scheler                  Phone: +44 1223 200 648
Senior Software Developer         Fax:   +44 1223 200 641
Tadpole Computer Ltd.
From: Matthias S. <mat...@ta...> - 2005-08-23 22:36:19

On Tue, Aug 23, 2005 at 11:33:46PM +0100, Matthias Scheler wrote:
>> IKE negotiation stalls shortly after startup, with it eventually timing
>> out.
> That sounds like a problem with your NAT router. Have you tried to
> enable "ike_frag"?

Another idea: Does your NAT router perhaps not handle traffic to port 4500 correctly? IKE negotiation will start on port 500 and later switch to port 4500 if NAT-T is used. If only traffic to port 500 gets through, it would explain why the IKE exchange starts but doesn't finish.

	Kind regards

-- 
Matthias Scheler                  Phone: +44 1223 200 648
Senior Software Developer         Fax:   +44 1223 200 641
Tadpole Computer Ltd.
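An added example, not from the thread: a small Python check that applies the two suggestions above (capture on both sides, and watch for the UDP/500 to UDP/4500 switch) by comparing tcpdump-style summaries from the initiator and the responder. It assumes a simplified "tcpdump -n" line format, constructed sample captures (private address 192.168.0.10 NATed to 198.51.100.7, responder 203.0.113.5), and an arbitrary size threshold for packets that ike_frag would split.

```python
import re
from collections import Counter

# Simplified "tcpdump -n" UDP summary format assumed here (constructed, not real captures).
LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): .*length (\d+)")
IKE_PORT, NATT_PORT = 500, 4500
FRAG_THRESHOLD = 1400  # assumed size above which a NAT or path MTU tends to drop IKE packets

def parse_udp(lines):
    """Yield (src, sport, dst, dport, length) for each line that matches LINE_RE."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            src, sport, dst, dport, length = m.groups()
            yield src, int(sport), dst, int(dport), int(length)

def compare_sides(initiator_lines, responder_lines, responder_ip):
    """Count packets addressed to the responder per destination port on both sides
    (keyed on the responder address, since NAT rewrites the initiator's source)."""
    sent = Counter(p[3] for p in parse_udp(initiator_lines) if p[2] == responder_ip)
    seen = Counter(p[3] for p in parse_udp(responder_lines) if p[2] == responder_ip)
    report = {port: {"sent": sent[port], "received": seen[port]} for port in (IKE_PORT, NATT_PORT)}
    # Large UDP/500 packets are the ones racoon's ike_frag would split at the IKE layer.
    report["large"] = sum(1 for p in parse_udp(initiator_lines)
                          if p[2] == responder_ip and p[3] == IKE_PORT and p[4] > FRAG_THRESHOLD)
    return report

def diagnose(report):
    r500, r4500 = report[IKE_PORT], report[NATT_PORT]
    if r4500["sent"] and not r4500["received"]:
        return "port 4500 blocked"      # NAT passes UDP/500 but not the NAT-T float to UDP/4500
    if report["large"] and r500["received"] < r500["sent"]:
        return "large packets lost"     # candidate for enabling ike_frag
    return "no NAT-T port problem visible"

# Constructed captures: the initiator sits behind a NAT (192.168.0.10 -> 198.51.100.7),
# the responder is 203.0.113.5. Only the UDP/500 exchange reaches the responder side.
INITIATOR_CAPTURE = [
    "IP 192.168.0.10.500 > 203.0.113.5.500: isakmp: phase 1 I agg, length 712",
    "IP 203.0.113.5.500 > 192.168.0.10.500: isakmp: phase 1 R agg, length 680",
    "IP 192.168.0.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 1 I agg, length 108",
    "IP 192.168.0.10.4500 > 203.0.113.5.4500: NONESP-encap: isakmp: phase 1 I agg, length 108",
]
RESPONDER_CAPTURE = [
    "IP 198.51.100.7.500 > 203.0.113.5.500: isakmp: phase 1 I agg, length 712",
    "IP 203.0.113.5.500 > 198.51.100.7.500: isakmp: phase 1 R agg, length 680",
]

def run_sample():
    return diagnose(compare_sides(INITIATOR_CAPTURE, RESPONDER_CAPTURE, "203.0.113.5"))
```

With the constructed captures the initiator retransmits on UDP/4500 and nothing on that port reaches the responder, which is exactly the "starts but doesn't finish" symptom described above.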
From: Marcus L. <ml...@no...> - 2005-08-24 14:30:53

That's one of the things I'm going to look at. But this was working at some point in the past, several months ago. The only thing that has changed is the ipsec-tools and kernel versions. I'm using a DLINK DI-624, if that tweaks anyone's memory. I'm running the latest firmware available for my DLINK hardware (2.50), and my Contivity client on my other machine works just fine through the NAT.

Matthias Scheler wrote:
> On Tue, Aug 23, 2005 at 11:33:46PM +0100, Matthias Scheler wrote:
>>> IKE negotiation stalls shortly after startup, with it eventually timing
>>> out.
>> That sounds like a problem with your NAT router. Have you tried to
>> enable "ike_frag"?
>
> Another idea:
> Does your NAT router perhaps not handle traffic to port 4500 correctly?
> IKE negotiation will start on port 500 and later switch to port 4500
> if NAT-T is used. If only traffic to port 500 gets through, it would
> explain why the IKE exchange starts but doesn't finish.
>
> 	Kind regards

-- 
Marcus Leech                        Mail: Dept 1A12, M/S: 04352P16
Security Standards Advisor          Phone: (ESN) 393-9145  +1 613 763 9145
Advanced Technology Research
Nortel Networks                     ml...@no...
From: Marcus L. <ml...@no...> - 2005-08-25 19:54:43

Well, I brought my NAT-T problems into the lab at work today, and plonked my mobile system down behind one of our "lab NATs" [sorry, couldn't resist], and everything worked flawlessly. So, I'm concluding that my DLINK DI-624, with "VPN passthrough" enabled, doesn't seem to support ipsec-tools, although it allows Contivity Client traffic through without issue. The weird thing is that several months ago, I tried this configuration, and I recall it working flawlessly.

Now, Contivity NAT support doesn't use port 4500, as far as I know. It uses port 10001, or something like that.

-- 
Marcus Leech                        Mail: Dept 1A12, M/S: 04352P16
Security Standards Advisor          Phone: (ESN) 393-9145  +1 613 763 9145
Advanced Technology Research
Nortel Networks                     ml...@no...
From: Umasankar M. <mum...@no...> - 2005-08-26 06:43:35

The floating port for Contivity NAT is configurable. It does not necessarily mandate 4500, though it works on 4500 also.

-Uma.