From: <li...@qu...> - 2008-01-18 14:16:08
My friend and I are attempting to connect our networks using an ipsec-tools VPN. Our networks are as shown: one side uses 192.168.0.*/192.168.1.* and has an external IP of 212.1.2.3; the other network uses 192.168.3.*/192.168.2.* and has an external IP of 81.4.5.6.

   192.168.1.3   212.1.2.3                        81.4.5.6   192.168.2.2
  +----------+   +-------+                       +-------+   +----------+
  |  local   |   | modem |       internet        | modem |   |  remote  |
  |  server  |---|       |----....---------------|       |---|  server  |
  |          |   +-------+                       +-------+   |          |
  +---+------+  192.168.1.1                   192.168.2.1    +---+------+
      |                                                          |
      |  192.168.0.0/24                           192.168.3.0/24 |
      |   +--------------+                   +--------------+    |
      |   | local client |-+                 | remote client|-+  |
      +---+     pool     | |                 |     pool     +----+
          +--------------+ |                 +--------------+ |
            +--------------+                   +---------------+

Obviously we need to use NAT-T to get through the two modems (and around our ISP's network). We tested out our racoon/setkey settings (without NAT) on a simple network of 4 machines representing the servers and local client pools (excluding the modems) and that worked perfectly. When we add the NAT traversal and try the VPN on our real networks, we can see the ISAKMP communications working correctly (we believe) but we get no tunnel set up. We also see "failed to get sainfo" error messages. We've tested the connection between our machines on ports 500 and 4500 (using telnet and a simple Perl server script).

Does anyone have any suggestions/hints on using NAT traversal? Do you see any obvious mistakes with our setup? I've included the racoon & setkey settings for the left side (the right side is the same, just with the addresses modified). Any help would be welcome, thanks.

#-------------------------------------------------------------
# racoon.conf

path include "/etc/racoon";
path certificate "/etc/racoon/cert";

padding {
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

listen {
        isakmp 192.168.1.3[500];
        isakmp_natt 192.168.1.3[4500];
        adminsock disabled;
}

timer {
        natt_keepalive 10sec;
        # These values can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per send.
        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote 81.4.5.6 {
        exchange_mode main,base,aggressive;
        nat_traversal on;
        certificate_type x509 "vpnserver_cert.pem" "vpnserver_key.txt";
        verify_cert off;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        verify_identifier on;
        generate_policy on;
        dpd_delay 20;
        ike_frag on;
        passive off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method rsasig;
                dh_group modp1024;
        }
}

sainfo address 192.168.0.0/24 any address 192.168.3.0/24 any {
        pfs_group modp768;
        lifetime time 10 minutes;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address 192.168.0.0/24 any address 81.4.5.6 any {
        pfs_group modp768;
        lifetime time 10 minutes;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address 192.168.1.3 any address 192.168.3.0/24 any {
        pfs_group modp768;
        lifetime time 10 minutes;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

sainfo address 192.168.1.3 any address 81.4.5.6 any {
        pfs_group modp768;
        lifetime time 10 minutes;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

#--------------------------------------------------
# setkey.conf

#!/usr/sbin/setkey -f

flush;
spdflush;

## local pool (192.168.0.0/24) and remote pool (192.168.3.0/24)
spdadd 192.168.0.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/192.168.1.3-81.4.5.6/require;
spdadd 192.168.3.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/81.4.5.6-192.168.1.3/require;

## local pool (192.168.0.0/24) and remote server (81.4.5.6)
spdadd 192.168.0.0/24 81.4.5.6 any -P out ipsec esp/tunnel/192.168.1.3-81.4.5.6/require;
spdadd 81.4.5.6 192.168.0.0/24 any -P in ipsec esp/tunnel/81.4.5.6-192.168.1.3/require;

## local inet (192.168.1.3) and remote pool (192.168.3.0/24)
spdadd 192.168.1.3 192.168.3.0/24 any -P out ipsec esp/tunnel/192.168.1.3-81.4.5.6/require;
spdadd 192.168.3.0/24 192.168.1.3 any -P in ipsec esp/tunnel/81.4.5.6-192.168.1.3/require;

## local inet (192.168.1.3) and remote server (81.4.5.6)
spdadd 192.168.1.3 81.4.5.6 any -P out ipsec esp/tunnel/192.168.1.3-81.4.5.6/require;
spdadd 81.4.5.6 192.168.1.3 any -P in ipsec esp/tunnel/81.4.5.6-192.168.1.3/require;
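An added check, not from the post or from ipsec-tools: it parses the sainfo selectors and spdadd policies above and lists every policy for which racoon would find no sainfo (the usual source of "failed to get sainfo"). It also tests the proposals an assumed mirror-image right side would send, where the remote server identifies itself by its LAN address 192.168.2.2 rather than 81.4.5.6; the check treats a bare host address as a /32 and requires the sainfo selector to equal the policy selector, which is the conservative reading of racoon's matching.

```python
import re
from ipaddress import ip_network

# Selector lines taken from the post's left-side racoon.conf and setkey.conf.
RACOON_CONF = """
sainfo address 192.168.0.0/24 any address 192.168.3.0/24 any { }
sainfo address 192.168.0.0/24 any address 81.4.5.6 any { }
sainfo address 192.168.1.3 any address 192.168.3.0/24 any { }
sainfo address 192.168.1.3 any address 81.4.5.6 any { }
"""
SETKEY_CONF = """
spdadd 192.168.0.0/24 192.168.3.0/24 any -P out ipsec esp/tunnel/192.168.1.3-81.4.5.6/require;
spdadd 192.168.3.0/24 192.168.0.0/24 any -P in ipsec esp/tunnel/81.4.5.6-192.168.1.3/require;
spdadd 192.168.0.0/24 81.4.5.6 any -P out ipsec esp/tunnel/192.168.1.3-81.4.5.6/require;
spdadd 81.4.5.6 192.168.0.0/24 any -P in ipsec esp/tunnel/81.4.5.6-192.168.1.3/require;
spdadd 192.168.1.3 192.168.3.0/24 any -P out ipsec esp/tunnel/192.168.1.3-81.4.5.6/require;
spdadd 192.168.3.0/24 192.168.1.3 any -P in ipsec esp/tunnel/81.4.5.6-192.168.1.3/require;
spdadd 192.168.1.3 81.4.5.6 any -P out ipsec esp/tunnel/192.168.1.3-81.4.5.6/require;
spdadd 81.4.5.6 192.168.1.3 any -P in ipsec esp/tunnel/81.4.5.6-192.168.1.3/require;
"""
# ASSUMED: the right side mirrors the left with addresses swapped, so its 'out' policies
# reach us as these inbound proposals, identifying the remote server by its LAN address.
PEER_PROPOSALS = [("192.168.3.0/24", "192.168.0.0/24", "in"), ("192.168.3.0/24", "212.1.2.3", "in"),
                  ("192.168.2.2", "192.168.0.0/24", "in"), ("192.168.2.2", "212.1.2.3", "in")]

def parse_sainfo(text):
    """Set of (local, remote) selectors; a bare host address is normalised to a /32."""
    return {(ip_network(l), ip_network(r))
            for l, r in re.findall(r"sainfo address (\S+) any address (\S+) any", text)}

def parse_spd(text):
    """(src, dst, direction) from each 'spdadd SRC DST any -P in|out' line."""
    return re.findall(r"spdadd (\S+) (\S+) any -P (in|out)", text)

def lookup_keys(spd):
    """The (local, remote) pair racoon looks up per policy: (src, dst) for 'out',
    where we initiate; (dst, src) for 'in', where the peer proposes src->dst to us."""
    return [(s, d) if p == "out" else (d, s) for s, d, p in spd]

def unmatched(sainfo, spd):
    """Policies whose lookup key has no sainfo entry; each of these fails phase 2."""
    return [(l, r) for l, r in lookup_keys(spd)
            if (ip_network(l), ip_network(r)) not in sainfo]

if __name__ == "__main__":
    sainfo = parse_sainfo(RACOON_CONF)
    print("own policies without a sainfo:", unmatched(sainfo, parse_spd(SETKEY_CONF)))
    print("peer proposals without a sainfo:", unmatched(sainfo, PEER_PROPOSALS))
```

On the posted config every left-side policy has a sainfo, but three of the assumed peer proposals (those naming 192.168.2.2 or 212.1.2.3) do not, because NAT rewrites the outer UDP addresses while the phase 2 identities stay whatever each side's selectors say.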