Re: [Ipsec-tools-devel] isakmp to isakmp-natt traffic return bug

[Jaco K. <ja...@ul...>]

Hi,

All sorted.  ipsec-tools 0.8.0 sorts out the issues I had, together with
the patch below and another to ignore illegal FQDN IDs as sent by
Windows XP when doing ISAKMP over NAT-T and all is finally working!

Kind Regards,
Jaco

On 06/06/11 22:12, Jaco Kroon wrote:
> Hi All,
>
> I've spotted some behavior which seems to be wrong, so I'm going to try
> and explain what I am seeing, hopefully someone can point out what's
> going wrong and where (and hopefully provide me with either a workaround
> or a fix).
>
> Firstly, I'm using two different clients, one Windows XP box (L2TP/IPSec
> client) and one Gentoo Linux client (racoon on the client).  My server
> is also Gentoo Linux, both Linux's has ipsec-tools , and the server has
> the following patch additionally installed (looking for road-warrior
> like functionality, so the patch is basically to enable the server to
> re-use the same pre-shared key for the whole internet - yea, I know I
> should be setting up an PKI but the client is looking for a global
> pre-shared key, we've advised the risks, but a client is always right,
> even when they're wrong).
>
> --- ipsec-tools-0.7.3.o/src/racoon/oakley.c     2009-08-13
> 11:18:45.000000000 +0200
> +++ ipsec-tools-0.7.3/src/racoon/oakley.c       2011-06-06
> 09:36:11.000000000 +0200
> @@ -2498,8 +2498,21 @@
>                                 plog(LLV_ERROR, LOCATION, iph1->remote,
>                                         "couldn't find the pskey for %s.\n",
>                                         saddrwop2str(iph1->remote));
> +                       }
> +               }
> +               if (iph1->authstr == NULL) {
> +                       /*
> +                        * If we could not locate a psk above try and locate
> +                        * the default psk, ie, "*".
> +                        */
> +                       iph1->authstr = privsep_getpsk("*", 1);
> +                       if (iph1->authstr == NULL) {
> +                               plog(LLV_ERROR, LOCATION, iph1->remote,
> +                                       "couldn't find the the default
> pskey either.\n");
>                                 goto end;
>                         }
> +                       plog(LLV_NOTIFY, LOCATION, iph1->remote,
> +                                       "Using default PSK.\n");
>                 }
>                 plog(LLV_DEBUG, LOCATION, NULL, "the psk found.\n");
>                 /* should be secret PSK */
>
> This just allows me to put a "* psk" line in psk.txt.  This part works.
>
> Pertinent config options on the server (please ask if I miss something):
>
> path pre_shared_key "/etc/racoon/psk.txt";
>
> remote anonymous {
>         exchange_mode main;
>         doi ipsec_doi;
>         situation identity_only;
>
>         nat_traversal on;
>         initial_contact off;
>         passive on;
>         proposal_check obey;
>
>         ... here goes the proposal (this passes) ...
> }
>
> In my first test case Ive got:
>
> client -> NAT GW -> inet <- Server
>
> On the NAT GW running tcpdump shows this:
>
> 18:29:02.939323 IP 172.24.5.10.500 > 46.134.75.12.500: [|isakmp]
> 18:29:02.939363 IP 46.241.240.125.500 > 46.134.75.12.500: [|isakmp]
> 18:29:03.385950 IP 46.134.75.12.500 > 46.241.240.125.500: [|isakmp]
> 18:29:03.385966 IP 46.134.75.12.500 > 172.24.5.10.500: [|isakmp]
> 18:29:04.609208 IP 172.24.5.10.500 > 46.134.75.12.500: [|isakmp]
> 18:29:04.609222 IP 46.241.240.125.500 > 46.134.75.12.500: [|isakmp]
> 18:29:05.060864 IP 46.134.75.12.500 > 46.241.240.125.500: [|isakmp]
> 18:29:05.060903 IP 46.134.75.12.500 > 172.24.5.10.500: [|isakmp]
> 18:29:06.169912 IP 172.24.5.10.4500 > 46.134.75.12.4500: NONESP-encap:
> [|isakmp]
> 18:29:06.169937 IP 46.241.240.125.4500 > 46.134.75.12.4500:
> NONESP-encap: [|isakmp]
> 18:29:14.635666 IP 46.134.75.12.500 > 46.241.240.125.4500: [|isakmp]
> 18:29:16.319506 IP 172.24.5.10.4500 > 46.134.75.12.4500: NONESP-encap:
> [|isakmp]
> 18:29:16.319522 IP 46.241.240.125.4500 > 46.134.75.12.4500:
> NONESP-encap: [|isakmp]
> 18:29:18.253730 IP 172.24.5.10.4500 > 46.134.75.12.4500:
> isakmp-nat-keep-alive
> 18:29:18.253743 IP 46.241.240.125.4500 > 46.134.75.12.4500:
> isakmp-nat-keep-alive
> 18:29:22.764709 IP 46.134.75.12.500 > 46.241.240.125.4500: [|isakmp]
> 18:29:24.771837 IP 46.134.75.12.500 > 46.241.240.125.4500: [|isakmp]
> 18:29:25.142336 IP 172.24.5.10.4500 > 46.134.75.12.4500: NONESP-encap:
> [|isakmp]
>
> 172.24.5.10 is the client.
> 46.134.75.12 is the server.
> 46.241.240.125 is the external IP of the NAT GW.
>
> As can be seen the NAT seems to work absolutely fine (all packets shows
> twice - tcpdump -i any, one packet with the external GW IP and the other
> with the internal IP), except the second and third last packets, which
> only shows on the external side.
>
> Looking at the above my assumption is that port 500 -> 500 opens a
> mapping in the connection tracking table on the GW, thus the traffic
> goes just fine in both directions.  Then the 4500 -> 4500 packet does
> exactly the same and this is where the problem then comes in, the server
> still responds FROM port 500 to port 4500, seeing that the GW has no
> mapping for this incoming pair it has no choice but to drop the packet,
> preventing the security negotiation from completing.
>
> What I did to confirm that this was indeed the case is I installed the
> exact same server config a box on my LAN, and set nat_traversal to force.
>
> This resulted in a similar sequence of packets, with the exception that
> since there is no NAT the traffic from port 500 -> 4500 reached it's
> destination, and resulted in the traffic to complete correctly.
>
> I'm not all that familiar with the code so don't know where to go
> looking for this problem.  Or even whether 0.8.0 has perhaps fixed this
> already (didn't see anything obvious in the ChangeLog).  Kernels on my
> server and client is 2.6.37.2 in both cases.  My setup for setkey on the
> server:
>
> spdadd 0.0.0.0/0[1701] 0.0.0.0/0 udp -P out ipsec
>         esp/transport//require;
>
> spdadd 0.0.0.0/0 0.0.0.0/0[1701] udp -P in ipsec
>         esp/transport//require;
>
> For the client it's an exact reverse with the in and out keywords just
> swapped around.
>
> The above behavior was observed and confirmed using Linux as the NAT GW,
> but the client has reported the same error occuring on Windows behind at
> least two other unknown NAT gateways.
>
> As it stands the only "fix" I can see is a really ugly iptables based
> hack to rewrite the source port to port 4500 on all packets outbound to
> socket pairs that has originally been inbound to port 4500.  And
> honestly, that really feels like a massive kludge and I would not even
> know where to start with pulling off a hack like that anyway.
>
> Kind Regards,
> Jaco
>
> ------------------------------------------------------------------------------
> Simplify data backup and recovery for your virtual environment with vRanger.
> Installation's a snap, and flexible recovery options mean your data is safe,
> secure and there when you need it. Discover what all the cheering's about.
> Get your free trial download today. 
> http://p.sf.net/sfu/quest-dev2dev2 
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ips...@li...
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel