[Ipsec-tools-devel] NAT-T FreeBSD Patch (WAS: A possible hint/clue)

[Brian A. S. <lav...@sp...>]

Guys:

I really don't know what's up with this code.

I decided to recompile racoon(8) w/o NAT-T.  I have support patched into 
my RELENG_6 kernel sources.  Most of my clients are behind generic 
residential class stateful NAT routers/firewalls.

I've confirmed with two OS/X clients and two WinXP clients that they can 
connect w/o NAT-T Tunneling.  It was my understanding that both ends 
needed to be aware of NAT-T, and the intermediary router as well 
(semi-stateful UDP)

Deletion and re-Creation of tunnels works fine.

Disconnecting clients leave stale SPD/SAD entries still, but upon 
reconnect they seem tobe properly overwritten.

Perhaps this is platform specific.  Aer any of the primary developers on 
FBSD?

~BAS

On Tue, 5 Jun 2007, Brian A. Seklecki wrote:

>
> When i break out of a foreground racoon(8), I get several of these:
>
> 020f1600 0e000000 00000000 e26a0000 03000500 ff200000 10020000 8190000a
> 00000000 00000000 03000600 ff000000 10020000 00000000 00000000 00000000
> 04000300 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 02001200 020001cd 00000000 cdcdcdcd
> 2007-06-05 23:59:37: ERROR: pfkey X_SPDDELETE failed: Invalid argument
>
> As I understand it, X_SPDDELETE is a sysctl in src/sys/netkey/key.c and
> src/sys/netipsec/key.c.
>
>
>
> ~BAS
>
>
> On Tue, 5 Jun 2007, Brian A. Seklecki wrote:
>
>>
>>
>> Here is my (semi) working cisco vpn config:
>>
>> ----------------------------------------------------------
>>
>> path include "/etc/racoon" ;
>> path pre_shared_key "/etc/racoon/psk.txt" ;
>> path script "/etc/racoon" ;
>>
>> log info;
>>
>> remote anonymous {
>>         exchange_mode aggressive;
>>         doi ipsec_doi;
>>         nonce_size 16;
>>         lifetime time 1440 min; # sec,min,hour
>>         initial_contact off;
>>
>>         proposal_check obey; # obey, strict or claim
>>
>>         my_identifier fqdn "headend";
>>         verify_identifier off;
>>
>>         support_proxy off;
>>         ike_frag on;
>>
>>         mode_cfg on;
>>         weak_phase1_check on;
>>         #script "phase1_up.sh" phase1_up;
>>         #script "phase1_down.sh" phase1_down;
>>         generate_policy on;
>>         passive on;
>>         nat_traversal on;
>>
>>         #### Roadwarriors
>>         proposal {
>>                 encryption_algorithm 3des;
>>                 hash_algorithm sha1;
>>                 authentication_method xauth_psk_server;
>>                 #dh_group modp1023;
>>                 dh_group 2;
>>         }
>> }
>>
>> sainfo anonymous {
>>         encryption_algorithm 3des;
>>         authentication_algorithm hmac_sha1;
>>         compression_algorithm deflate;
>>         lifetime time 3600 sec;
>>         pfs_group 2;
>> }
>>
>> mode_cfg {
>>         auth_source system;
>>         auth_groups "ipsec";
>>         group_source system;
>>         conf_source local;
>>         pool_size 15;
>>         network4 129.144.0.10;
>>         netmask4 255.255.255.255;
>>         dns4 192.168.4.55;
>>         wins4 192.168.4.55;
>>         split_network include 192.168.3.0/24, 129.144.0.0/12;
>>         default_domain "tellmeaboutyourhate.com";
>>         split_dns "tellmeaboutyourhate.com";
>> }
>>
>>
>> ----------------------------------------------------------
>>
>> I'm running -rHEAD src from NetBSD CVS on FreeBSD.
>>
>> I'm half-tempted to install Fedora and try again.
>>
>>
>> ~BAS
>>
>> On Tue, 5 Jun 2007, Brian A. Seklecki wrote:
>>
>>>
>>> I have the experimental code in HEAD working; partially.  There are
>>> issues deleting SPD/SAD entries when clients disconnect.  I may play with
>>> that more tonight.
>>>
>>> FreeBSD 6.2/i386.
>>>
>>> ~BAS
>>>
>>> On Tue, 5 Jun 2007, spo...@sm... wrote:
>>>
>>>> Hi,
>>>>
>>>> is there anybody who has got a working configuration using the racoon
>>>> split_network option in combination with the Cisco VPN Client?
>>>>
>>>> The full-tunnel mode works fine with the CiscoVPN Client, but the split_network
>>>> option doesn't work. The client connects fine and recives the given network
>>>> options. But it seems the Client doesn't send any packages through the tunnel.
>>>>
>>>> Regards,
>>>>
>>>> Sebastian
>>>>
>>>>
>>>> -------------------------------------------------------------------------
>>>> This SF.net email is sponsored by DB2 Express
>>>> Download DB2 Express C - the FREE version of DB2 express and take
>>>> control of your XML. No limits. Just data. Click to get it now.
>>>> http://sourceforge.net/powerbar/db2/
>>>> _______________________________________________
>>>> Ipsec-tools-devel mailing list
>>>> Ips...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>>>>
>>>
>>> l8*
>>> 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
>>> 	       http://www.spiritual-machines.org/
>>>
>>>     "Guilty? Yeah. But he knows it. I mean, you're guilty.
>>>     You just don't know it. So who's really in jail?"
>>>     ~James Maynard Keenan
>>>
>>>
>>> -------------------------------------------------------------------------
>>> This SF.net email is sponsored by DB2 Express
>>> Download DB2 Express C - the FREE version of DB2 express and take
>>> control of your XML. No limits. Just data. Click to get it now.
>>> http://sourceforge.net/powerbar/db2/
>>> _______________________________________________
>>> Ipsec-tools-devel mailing list
>>> Ips...@li...
>>> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>>>
>>
>> l8*
>> 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
>> 	       http://www.spiritual-machines.org/
>>
>>     "Guilty? Yeah. But he knows it. I mean, you're guilty.
>>     You just don't know it. So who's really in jail?"
>>     ~James Maynard Keenan
>>
>>
>> -------------------------------------------------------------------------
>> This SF.net email is sponsored by DB2 Express
>> Download DB2 Express C - the FREE version of DB2 express and take
>> control of your XML. No limits. Just data. Click to get it now.
>> http://sourceforge.net/powerbar/db2/
>> _______________________________________________
>> Ipsec-tools-devel mailing list
>> Ips...@li...
>> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>>
>
> l8*
> 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
> 	       http://www.spiritual-machines.org/
>
>     "Guilty? Yeah. But he knows it. I mean, you're guilty.
>     You just don't know it. So who's really in jail?"
>     ~James Maynard Keenan
>
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by DB2 Express
> Download DB2 Express C - the FREE version of DB2 express and take
> control of your XML. No limits. Just data. Click to get it now.
> http://sourceforge.net/powerbar/db2/
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel
>

l8*
 	-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
 	       http://www.spiritual-machines.org/

     "Guilty? Yeah. But he knows it. I mean, you're guilty.
     You just don't know it. So who's really in jail?"
     ~James Maynard Keenan