Subject: racoon/isakmp_natt broken in -current?
To: None <current-users@netbsd.org>
From: Brett Lymn <blymn@baesystems.com.au>
List: current-users
Date: 06/03/2005 21:57:19
Folks,

Firstly, let me confess that my userland is a little out of date but I
did update my sources and build and install a new racoon binary.

I have built and installed a new kernel that has the IPSEC_NAT_T
option set.

I had this all working without having to use NAT traversal for a long,
long time, but now that I have bought an ADSL router instead of the ADSL
bridge I was using, I need to use NAT-T to set up my VPN tunnel.

What I have is a NetBSD box at my local end; at the remote end we have
a Checkpoint FW-1 firewall.  I want to build a site-to-site IPSEC
tunnel between the two... this _used_ to work fine until I complicated
my life with the router.

I have set up my ipsec.conf with the tunnel definitions.  When I was
configuring for NAT-T I changed the local address to be the address
from the private address range I am using instead of the publicly
routable IP address from my ISP.  I set up racoon with the isakmp_natt
directive in the racoon.conf and start up racoon.  When I try to ping
the remote network I can see racoon succeed in negotiating the IPSEC
tunnel, and a check using setkey -D shows SADB entries for the local and
the remote networks (in both directions).  In fact, if I try to ping
my local network from the remote network I can see ESP packets
arriving at the network interface of my local machine.  Unfortunately,
it seems that is as far as they get - I don't see any decrypted
packets come out, nor, if I ping from the local net to the remote, do I
see ESP traffic at all.  I am quite willing to entertain the idea that
I have done something wrong but I don't know what.

In summary, I have:

1) set up the SPD so that the remote and local networks should be
   encrypted.  I have used the private address on the local end and the
   "correct" public address on the other - these SPD entries used to work
   before I started playing with NAT-T (except I had my ISP public address
   as the endpoint at the local end).

2) setkey -D shows me a whole bunch of entries for both directions,
   all in the "mature" state.  I can see the byte counter (the current:
   count) is incremented for one of the remote-to-local SAs when I try
   to ping the local net from the remote one.

3) I am reasonably certain my routing is correct.  I push all the
   traffic out the interface that has the IPSEC endpoint on it.

4) A tcpdump on the interface shows ESP coming from the remote end
   when I ping from the remote net to the local net (it is destined
   for the correct interface) but no ESP when I ping local to remote.

5) The firewall on my adsl router is set to allow the relevant
   traffic, the logs show no untoward blocks.

6) Racoon is configured to use NAT-T, and the racoon logs show that it is
   listening on the port (though my packet sniffs only show traffic on
   port 500 both ways).

7) The Checkpoint firewall seems to be quite happy that the tunnel is
   built and encrypts traffic to the local net (I can see the ESP
   packets in the tcpdump).

Anyone have an idea?

-- 
Brett Lymn
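An added example, not part of the original post: a small checker for the symptom described in points 4 and 6 above. It classifies tcpdump lines as IKE on UDP/500, IKE floated to UDP/4500, UDP-encapsulated ESP (NAT-T, RFC 3948) or raw ESP (IP protocol 50), and reports when a capture shows that NAT-T was never actually negotiated. The capture lines are constructed to resemble tcpdump's default output; the addresses are documentation ranges, not the poster's.

```python
import re
from collections import Counter

# Constructed sample capture in tcpdump's default format (not from the post):
# IKE stays on port 500 and ESP arrives raw, i.e. NAT-T was not negotiated.
SAMPLE_CAPTURE = """\
21:55:01.100 IP 192.168.1.2.500 > 198.51.100.5.500: isakmp: phase 1 I ident
21:55:01.200 IP 198.51.100.5.500 > 192.168.1.2.500: isakmp: phase 1 R ident
21:55:02.300 IP 192.168.1.2.500 > 198.51.100.5.500: isakmp: phase 2/others I oakley-quick
21:55:03.400 IP 198.51.100.5 > 192.168.1.2: ESP(spi=0x0000a1b2,seq=0x1), length 116
21:55:04.500 IP 198.51.100.5 > 192.168.1.2: ESP(spi=0x0000a1b2,seq=0x2), length 116
"""

# timestamp, "IP", src[.port] > dst[.port]: body   (IPv4 only, no VLAN tags)
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<body>.*)$"
)


def classify(line):
    """Return one of ike-500, ike-4500, esp-udp-encap, esp-raw or other."""
    m = LINE_RE.match(line)
    if not m:
        return "other"
    body, ports = m["body"], (m["sport"], m["dport"])
    if "isakmp" in body:  # tcpdump prints "NONESP-encap: isakmp: ..." on 4500
        return "ike-4500" if "4500" in ports else "ike-500"
    if body.startswith("UDP-encap: ESP"):  # ESP inside UDP/4500 (RFC 3948)
        return "esp-udp-encap"
    if body.startswith("ESP("):  # bare IP protocol 50, no UDP wrapper
        return "esp-raw"
    return "other"


def natt_check(capture_text):
    """Count traffic classes and list the NAT-T symptoms visible in the capture."""
    counts = Counter(classify(ln) for ln in capture_text.splitlines() if ln.strip())
    findings = []
    if counts["ike-500"] and not counts["ike-4500"]:
        findings.append("IKE stayed on UDP/500 and never floated to 4500: "
                        "the peers did not detect a NAT between them")
    if counts["esp-raw"] and not counts["esp-udp-encap"]:
        findings.append("ESP is sent raw (IP proto 50), not UDP-encapsulated: "
                        "NAT-T encapsulation is not in use on this tunnel")
    return counts, findings


if __name__ == "__main__":
    summary, problems = natt_check(SAMPLE_CAPTURE)
    print(dict(summary))
    for p in problems:
        print("-", p)
```

Feed it real output with `tcpdump -n -i <if> 'udp port 500 or udp port 4500 or proto 50'` to see whether the router is passing raw ESP or the UDP/4500 traffic that a NAT-T tunnel requires.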