Re: [Ipsec-tools-devel] patch supporting several racoon VPN gatewaysbehind a natt router via different IP ports

[Wolfgang S. <wol...@di...>]

Since the picture of my previous email below didn't come through very well,
I am sending it again as a text file attachment.

Regards
Wolfgang


-----Ursprüngliche Nachricht-----
Von: Wolfgang Schmieder [mailto:wol...@di...] 
Gesendet: Dienstag, 8. November 2011 20:13
An: ips...@li...
Betreff: [Ipsec-tools-devel] patch supporting several racoon VPN
gatewaysbehind a natt router via different IP ports

Dear ipsec-tool maintainers


I'd like to introduce a patch which I needed for an actual usage scenario,
which is that I do have 2 racoon VPN Gateways behind a NAT-T router, each
being responsible for a VPN tunnel to a dedicate subnet. 

To use that feature, it is important to set the "unique" property in the
security policies as shown in the example below.

The change should be backward compatible/interoperable with
ipsec-tools-0.8.0

The patch is based on a CVS trunk snapshot from last sunday evening:
an...@an...:/cvsroot at 2011-11-06 22:00h MEZ plus my 4
previous patches
p1-2011-11-06_rename_pfkey_to_racoon_pfkey.patch.tar.bz2
p2-p1_memory_leak_fixes_parser.patch.tar.bz2,
p3-p2_individual_remote_natt_ports.patch.tar.bz2 and
p4-p3_bugfixes_and_cleanup.patch.tar.bz2

Example:

There is a subnet 192.168.90.0/24 with a racoon VPN Gateway 192.168.90.2 and
another subnet
192.168.91.0/24 with a racoon VPN Gateway 192.168.91.2 behind a NAT router.
A VPN tunnel
to 192.168.90.2 is established via port/natt-port 590/4590 and a VPN tunnel
192.168.91.1
is established via port/natt-port 591/4591. There are 4 port forwardings in
the NAT router
to the corresponding racoon VPN Gateways. Both VPN Gateways are in passive
mode and generate
policies.
There is another racoon VPN Client Gateway on network 192.168.80.0/24 on the
other side of 
the tunnel, which will initiate the connection. 

                                       port forwarding 590/4590
                                                                \
                                                                 \
+-------------+
                                                                      |
racoon VPN  |
 +-------------+     +-----------------+    +------------------+  +---+
192.168.90.2|
 |racoon VPN   |     |      router     |    |      router      | /
+-------------+
 |192.168.80.2 +-----+ <-192.168.80.1  |    |   192.168.90.1-> +- 
 +-------------+     |   172.16.80.1-> +----+ <-172.16.90.1    | \
+-------------+
                     +-----------------+    +------------------+  +---+
racoon VPN  |
                                                                      |
192.168.91.2|
                                                                /
+-------------+
                                                               /      
                                       port forwarding 591/4591

	

The security policies for the lef VPN Gateway 192.168.80.2 look as follows:

# policies for 192.168.90.0/24 public endpoint 172.16.90.1[590]
spdadd 192.168.80.0/24 192.168.90.0/24 any -P out ipsec
esp/tunnel/192.168.80.2-172.16.90.1/unique:590;
spdadd 192.168.90.0/24 192.168.80.0/24 any -P in  ipsec
esp/tunnel/172.16.90.1-192.168.80.2/unique:590;

# policies for 192.168.91.0/24 public endpoint 172.16.90.1[591]
spdadd 192.168.80.0/24 192.168.91.0/24 any -P out ipsec
esp/tunnel/192.168.80.2-172.16.90.1/unique:591;
spdadd 192.168.91.0/24 192.168.80.0/24 any -P in  ipsec
esp/tunnel/172.16.90.1-192.168.80.2/unique:591;

172.16.90.1 is representing the global internet IP address of the NAT router
with the 2 networks
192.168.90.0/24 and 193.168.91.0/24 behind. (They are in fact privat IP
addresses, but I used them
to simulate the Internet in a test bed with multiple Virtual Machines on my
PC).

Now I must somehow tell the racoon client VPN Gateway that it should use
port 590/4590 for the tunnel to remote network 192.168.90.0/24 and port
591/4591 for the tunnel to remote network 192.168.91.0/24.

Therefore I introduced a configuration extension in cfparse.y/racoon.conf
which looks as follows:
remote 172.16.90.1 { ...
...    
    destinations {
        192.168.90.2/24 [590], [4590]; # [port], [natt port]
        192.168.91.2/24 [591], [4591]; # [port], [natt port]
        
    }
...
}

listen {
	isakmp 192.168.80.2[590];
	isakmp_natt 192.168.80.2[4590];

	isakmp 192.168.80.2[591];
	isakmp_natt 192.168.80.2[4591];
}

With this extension I can tell racoon now which port to use for which remote
subnet.

Best regards
Wolfgang 

P.S.: 
I see that there could be an enhancement of this destination feature in the
future, so that racoon could optionally even generate the policies for the
active peer of the tunnel. This would have an advantage that the user has
only the racoon configuration file to setup a tunnel, and does not need to
care about the setkey command for adding policies.