NetBSD-Bugs archive


Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports



The following reply was made to PR bin/47894; it has been noted by GNATS.

From: Egerváry Gergely <gergely%egervary.hu@localhost>
To: gnats-bugs%NetBSD.org@localhost, gnats-admin%netbsd.org@localhost, 
 netbsd-bugs%netbsd.org@localhost
Cc: 
Subject: Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports
Date: Fri, 06 Jun 2014 11:16:27 +0200

 Now I'm testing on NetBSD-6.99.43 (Tue Jun  3 23:27:56 CEST 2014) and it
 still does not work when the client is behind NAT; I get udp/500 instead of
 udp/4500:
 
 Jun  3 23:58:25 sandbox racoon: INFO: respond new phase 1 negotiation:
 server.ip.address[500]<=>client.ip.address[500]
 Jun  3 23:58:25 sandbox racoon: INFO: begin Identity Protection mode.
 Jun  3 23:58:25 sandbox racoon: INFO: received broken Microsoft ID: MS
 NT5 ISAKMPOAKLEY
 Jun  3 23:58:25 sandbox racoon: INFO: received Vendor ID: RFC 3947
 Jun  3 23:58:25 sandbox racoon: INFO: received Vendor ID:
 draft-ietf-ipsec-nat-t-ike-02
 Jun  3 23:58:25 sandbox racoon: INFO: received Vendor ID: FRAGMENTATION
 Jun  3 23:58:25 sandbox racoon: [client.ip.address] INFO: Selected NAT-T
 version: RFC 3947
 Jun  3 23:58:25 sandbox racoon: ERROR: invalid DH group 20.
 Jun  3 23:58:25 sandbox racoon: ERROR: invalid DH group 19.
 Jun  3 23:58:25 sandbox racoon: [server.ip.address] INFO: Hashing
 server.ip.address[500] with algo #2
 Jun  3 23:58:25 sandbox racoon: INFO: NAT-D payload #0 verified
 Jun  3 23:58:25 sandbox racoon: [client.ip.address] INFO: Hashing
 client.ip.address[500] with algo #2
 Jun  3 23:58:25 sandbox racoon: INFO: NAT-D payload #1 doesn't match
 Jun  3 23:58:25 sandbox racoon: INFO: NAT detected: PEER
 Jun  3 23:58:25 sandbox racoon: [client.ip.address] INFO: Hashing
 client.ip.address[500] with algo #2
 Jun  3 23:58:25 sandbox racoon: [server.ip.address] INFO: Hashing
 server.ip.address[500] with algo #2
 Jun  3 23:58:25 sandbox racoon: INFO: Adding remote and local NAT-D
 payloads.
 Jun  3 23:58:25 sandbox racoon: INFO: NAT-T: ports changed to:
 client.ip.address[4500]<->server.ip.address[4500]
 Jun  3 23:58:25 sandbox racoon: INFO: KA list add:
 server.ip.address[4500]->client.ip.address[4500]
 Jun  3 23:58:25 sandbox racoon: INFO: ISAKMP-SA established
 server.ip.address[4500]-client.ip.address[4500]
 spi:b7055991cbd8c99c:7633ebfe9ba94261
 Jun  3 23:58:25 sandbox racoon: INFO: respond new phase 2 negotiation:
 server.ip.address[4500]<=>client.ip.address[4500]
 Jun  3 23:58:25 sandbox racoon: INFO: Adjusting my encmode
 UDP-Transport->Transport
 Jun  3 23:58:25 sandbox racoon: INFO: Adjusting peer's encmode
 UDP-Transport(4)->Transport(2)
 Jun  3 23:58:25 sandbox racoon: INFO: IPsec-SA established:
 ESP/Transport server.ip.address[500]->client.ip.address[500]
 spi=166530160(0x9ed0c70)
 Jun  3 23:58:25 sandbox racoon: INFO: IPsec-SA established:
 ESP/Transport server.ip.address[500]->client.ip.address[500]
 spi=1453915857(0x56a8fed1)
 
 Any ideas how to fix this issue?
 Thank you.
 -- 
 Gergely EGERVARY
 
 
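The inconsistency in the log above (racoon detects NAT and floats IKE to udp/4500, then installs the IPsec-SA as plain ESP/Transport on port 500) can be spotted mechanically from the daemon's own messages. The checker below is an added example, not code from the PR or from racoon; it assumes racoon's log wording exactly as quoted in this report, and that a correctly UDP-encapsulated SA would be logged with a mode name beginning `UDP-`.

```python
import re

# Constructed sample input: the racoon lines quoted in the PR above, re-joined
# where the mail wrapped them; the addresses are the PR's own placeholders.
SAMPLE_LOG = """\
Jun  3 23:58:25 sandbox racoon: INFO: respond new phase 1 negotiation: server.ip.address[500]<=>client.ip.address[500]
Jun  3 23:58:25 sandbox racoon: INFO: NAT-D payload #1 doesn't match
Jun  3 23:58:25 sandbox racoon: INFO: NAT detected: PEER
Jun  3 23:58:25 sandbox racoon: INFO: NAT-T: ports changed to: client.ip.address[4500]<->server.ip.address[4500]
Jun  3 23:58:25 sandbox racoon: INFO: ISAKMP-SA established server.ip.address[4500]-client.ip.address[4500] spi:b7055991cbd8c99c:7633ebfe9ba94261
Jun  3 23:58:25 sandbox racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Jun  3 23:58:25 sandbox racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Jun  3 23:58:25 sandbox racoon: INFO: IPsec-SA established: ESP/Transport server.ip.address[500]->client.ip.address[500] spi=166530160(0x9ed0c70)
Jun  3 23:58:25 sandbox racoon: INFO: IPsec-SA established: ESP/Transport server.ip.address[500]->client.ip.address[500] spi=1453915857(0x56a8fed1)
"""

NAT_DETECTED = re.compile(r"NAT detected: (\w+)")
PORTS_CHANGED = re.compile(r"ports changed to: \S+\[(\d+)\]<->\S+\[(\d+)\]")
ENCMODE_DOWNGRADE = re.compile(r"Adjusting (my|peer's) encmode UDP-Transport(?:\(\d+\))?->Transport")
IPSEC_SA = re.compile(r"IPsec-SA established: ESP/(\S+) \S+\[(\d+)\]->\S+\[(\d+)\] spi=(\d+)")

def check_nat_t(log_text):
    """Return one (spi, reason) tuple per IPsec-SA whose encapsulation mode or
    UDP ports contradict the NAT-T state racoon logged earlier in the exchange."""
    nat_peer = None    # argument of "NAT detected: ..." once seen
    ike_ports = None   # ports IKE floated to after NAT-T (4500/4500 in the PR)
    downgraded = []    # sides whose encmode fell back from UDP-Transport
    findings = []
    for line in log_text.splitlines():
        if m := NAT_DETECTED.search(line):
            nat_peer = m.group(1)
        elif m := PORTS_CHANGED.search(line):
            ike_ports = {int(m.group(1)), int(m.group(2))}
        elif m := ENCMODE_DOWNGRADE.search(line):
            downgraded.append(m.group(1))
        elif m := IPSEC_SA.search(line):
            mode, sport, dport, spi = m.groups()
            if nat_peer is None:
                continue   # no NAT on the path, so plain ESP/Transport is expected
            # Assumption: a UDP-encapsulated SA is logged with a mode named "UDP-..."
            if not mode.startswith("UDP-"):
                findings.append((spi, f"NAT detected ({nat_peer}) but SA installed as "
                                      f"ESP/{mode}; encmode downgraded on: {', '.join(downgraded) or 'n/a'}"))
            elif ike_ports and {int(sport), int(dport)} != ike_ports:
                findings.append((spi, f"IKE floated to {sorted(ike_ports)} but SA uses "
                                      f"UDP ports {sport}->{dport}"))
    return findings
```

Run against `SAMPLE_LOG` it reports both SPIs from the report; a log where the SA is installed as ESP/UDP-Transport on the floated ports produces no findings.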

