From: VANHULLEBUS Y. <va...@fr...> - 2005-01-17 08:33:28
On Sun, Jan 16, 2005 at 10:12:02PM -0500, Nathan W. Labadie wrote:
> I'm currently running ipsec-tools 0.5-rc1 on linux kernel 2.6.10. I can
> successfully set up a dial-up ipsec tunnel between my host (GODZILLA)
> and the remote VPN endpoint's network using a pre-shared key and
> aggressive mode. The remote endpoint is a Juniper/Netscreen firewall
> running ScreenOS 5.0. GODZILLA is using a routable address in this
> configuration.
>
> However, when I place GODZILLA behind a NAT'd firewall (specifically a
> Dell TrueMobile 1184), the ipsec tunnel fails. I've enabled NAT-T and
> have port forwarding enabled on the Dell TrueMobile. GODZILLA is using a
> non-routable address at this point. The following error is in the logs:
>
> ---snip---
[.....]
> Jan 15 20:07:30 godzilla racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
> Jan 15 20:07:30 godzilla racoon: ERROR: ignore the packet, received unexpecting payload type 130.
[....]

I'm currently working on support for older drafts on ipsec-tools.

Actually, afaik, support for draft 00 is announced (with the appropriate VendorID), but there is no effective support, neither in ipsec-tools nor in the kernel.

I have a patch in progress for ipsec-tools on branch 0.5, but I have to find a solution to tell the kernel that the traffic should be encapsulated using draft 00 (port 500 with non-IKE marker).

If someone can do that part quickly, we may be able to have support for all drafts + RFC versions by the week.

If no one else can do that part quickly, I'll work on that for FreeBSD and try to set up a quick doc to explain what's needed for other kernels, but it may be a bit longer.

Yvan.
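The framing difference Yvan refers to ("port 500 with non-IKE marker"), shown as an added example that is not code from ipsec-tools, racoon or any kernel. Under draft-ietf-ipsec-udp-encaps-00 both IKE and ESP share UDP port 500 and ESP is prefixed with an eight-byte zero "non-IKE marker" (an IKE initiator cookie is never all-zero); under RFC 3948 both move to UDP port 4500 and IKE is prefixed with a four-byte zero "non-ESP marker" (an ESP SPI of zero is reserved). The payload-type mapping (130 for NAT-D in the draft, 20 in RFC 3947), the function names and the sample packets below are my own assumptions and constructed data, not taken from the thread; the last function models a stack that knows only plain IKE on 500 and RFC 3948 on 4500, to show why draft-00 ESP is refused there:

```python
import struct

UDP_PORT_DRAFT = 500        # draft-ietf-ipsec-udp-encaps-00: IKE and ESP share port 500
UDP_PORT_RFC3948 = 4500     # RFC 3948: IKE and ESP float to 4500 once NAT is detected
NON_IKE_MARKER = b"\x00" * 8    # draft-00: prepended to ESP; an IKE initiator cookie is never all-zero
NON_ESP_MARKER = b"\x00" * 4    # RFC 3948: prepended to IKE; an ESP SPI of zero is reserved, never used

# Assumed mapping of the NAT-D payload number: 130 is the private-use value the
# drafts used (the "payload type 130" in the quoted racoon log), 20 the RFC 3947 number.
NAT_D_PAYLOAD_TYPE = {"draft-00": 130, "rfc3947": 20}

ISAKMP_HDR = struct.Struct(">8s8sBBBBII")   # icookie, rcookie, next payload, version, exchange, flags, msgid, length
ESP_HDR = struct.Struct(">II")              # spi, sequence number


def build_esp(spi, seq, body):
    """Constructed ESP packet: header plus an opaque (already encrypted) body."""
    return ESP_HDR.pack(spi, seq) + body


def build_ike(icookie, rcookie, body, next_payload=1, exchange=4):
    """Constructed ISAKMP v1.0 packet (exchange 4 = aggressive mode) with opaque payloads."""
    length = ISAKMP_HDR.size + len(body)
    return ISAKMP_HDR.pack(icookie, rcookie, next_payload, 0x10, exchange, 0, 0, length) + body


def encapsulate(kind, packet, variant):
    """Sender side: return (udp_port, udp_payload) for an 'IKE' or 'ESP' packet under one NAT-T framing."""
    if variant == "draft-00":
        marker = NON_IKE_MARKER if kind == "ESP" else b""
        return UDP_PORT_DRAFT, marker + packet
    if variant == "rfc3948":
        marker = NON_ESP_MARKER if kind == "IKE" else b""
        return UDP_PORT_RFC3948, marker + packet
    raise ValueError("unknown NAT-T variant: %r" % variant)


def demux(port, payload, variant):
    """Receiver side: classify a UDP datagram as IKE or ESP and strip the marker."""
    if variant == "draft-00":
        if port != UDP_PORT_DRAFT:
            raise ValueError("draft-00 traffic only arrives on port %d" % UDP_PORT_DRAFT)
        if payload.startswith(NON_IKE_MARKER):
            return "ESP", payload[len(NON_IKE_MARKER):]
        return "IKE", payload
    if variant == "rfc3948":
        if port != UDP_PORT_RFC3948:
            raise ValueError("RFC 3948 traffic only arrives on port %d" % UDP_PORT_RFC3948)
        if payload.startswith(NON_ESP_MARKER):
            return "IKE", payload[len(NON_ESP_MARKER):]
        return "ESP", payload
    raise ValueError("unknown NAT-T variant: %r" % variant)


def parse_ike_header(packet):
    """Parse an ISAKMP header, rejecting the all-zero initiator cookie that marks a non-IKE datagram."""
    if len(packet) < ISAKMP_HDR.size:
        raise ValueError("short ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(packet)
    if icookie == b"\x00" * 8:
        raise ValueError("zero initiator cookie: not IKE (draft-00 non-IKE marker on port 500?)")
    return {"icookie": icookie, "rcookie": rcookie, "next_payload": nxt, "version": ver,
            "exchange": xchg, "flags": flags, "msgid": msgid, "length": length}


def parse_esp_header(packet):
    """Parse an ESP header, rejecting the reserved SPI 0."""
    spi, seq = ESP_HDR.unpack_from(packet)
    if spi == 0:
        raise ValueError("SPI 0 is reserved")
    return {"spi": spi, "seq": seq}


def deliver_without_draft00(port, payload):
    """Model of a stack that knows plain IKE on 500 and RFC 3948 on 4500, but not draft-00.
    Returns ('IKE'|'ESP', parsed header) or ('dropped', reason)."""
    try:
        if port == UDP_PORT_DRAFT:
            return "IKE", parse_ike_header(payload)     # everything on 500 goes to the IKE daemon
        if port == UDP_PORT_RFC3948:
            kind, inner = demux(port, payload, "rfc3948")
            return kind, parse_ike_header(inner) if kind == "IKE" else parse_esp_header(inner)
        return "dropped", "not a NAT-T port"
    except ValueError as exc:
        return "dropped", str(exc)


if __name__ == "__main__":
    esp = build_esp(0x1001, 1, b"\xaa" * 24)           # constructed sample packet
    port, datagram = encapsulate("ESP", esp, "draft-00")
    print(port, demux(port, datagram, "draft-00")[0])   # 500 ESP
    print(deliver_without_draft00(port, datagram))     # dropped: zero initiator cookie
```

The last call is the failure mode the thread is about: a peer that sends draft-00 ESP puts it on port 500 behind eight zero bytes, and a receiver that does not know the draft hands that datagram to its IKE daemon, where it cannot parse as ISAKMP. Supporting draft-00 therefore means teaching the kernel's UDP-encapsulation path to strip the eight-byte marker on port 500, not only teaching racoon to speak the draft's IKE payloads.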