Subject: Re: bin/30437 recent NATT changes breaks racoon
To: None <manu@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Jeff Ito <jeffi@rcn.com>
List: netbsd-bugs
Date: 09/12/2005 11:12:02
The following reply was made to PR bin/30437; it has been noted by GNATS.

From: Jeff Ito <jeffi@rcn.com>
To: Emmanuel Dreyfus <manu@netbsd.org>
Cc: gnats-bugs@netbsd.org, spz@serpens.de
Subject: Re: bin/30437 recent NATT changes breaks racoon
Date: Mon, 12 Sep 2005 07:18:36 -0400

 On Fri, Sep 02, 2005 at 03:50:59PM +0000, Emmanuel Dreyfus wrote:
 >
 > On Fri, Sep 02, 2005 at 11:44:53AM -0400, Jeff Ito wrote:
 >
 > > On two -current machines with a non-NAT-T kernel and ipsec-tools
 > > 0.6.1 I still run into errors.  I believe that this may be due to
 > > the fact that ipsec-tools still has NAT-T support built in.  Perhaps
 > > this is user error, or some piece of documentation I missed?
 > 
 > ipsec-tools should be able to work with NAT-T enabled on a non-NAT-T
 > kernel. If it does not, it's a bug.
 > 
 > While awaiting a fix, we might be able to find a workaround. Try this SPD:
 > spdadd 10.1.1.4/32 10.1.1.5/32 any 
 >     -P in ipsec esp/transport/10.1.1.4[0]-10.1.1.5[0]/require;
 > spdadd 10.1.1.5/32 10.1.1.4/32 any 
 >     -P out ipsec esp/transport/10.1.1.5[0]-10.1.1.4[0]/require;
 > 
 > And if it fails, that one:
 > spdadd 10.1.1.4/32 10.1.1.5/32 any 
 >     -P in ipsec esp/transport/10.1.1.4[500]-10.1.1.5[500]/require;
 > spdadd 10.1.1.5/32 10.1.1.4/32 any 
 >     -P out ipsec esp/transport/10.1.1.5[500]-10.1.1.4[500]/require;
 > 
 
 I've just tested this again, along with the SPD configurations
 suggested, and I can confirm that racoon fails to negotiate on
 a non-NAT-T kernel.
 
 Here is what shows up in the logs:
 
 racoon: INFO: @(#)ipsec-tools 0.6.1 
 racoon: INFO: @(#)This product linked OpenSSL 0.9.7g-fips
 racoon: INFO: 10.10.50.21[500] used as isakmp port (fd=8)
 racoon: WARNING: 
 	setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
 racoon: INFO: IPsec-SA request for 10.10.50.20 
 	queued due to no phase1 found.
 racoon: INFO: initiate new phase 1 negotiation: 
 	10.10.50.21[500]<=>10.10.50.20[500]
 racoon: INFO: begin Identity Protection mode.
 racoon: INFO: received Vendor ID: DPD
 racoon: INFO: ISAKMP-SA established 
 	10.10.50.21[500]-10.10.50.20[500]
 	spi:46935f850b1314b1:ffe0ed518c8461c4
 racoon: INFO: initiate new phase 2 negotiation: 
 	10.10.50.21[500]<=>10.10.50.20[500]
 racoon: ERROR: pfkey UPDATE failed: No such file or directory
 racoon: INFO: IPsec-SA established: ESP/Transport 
 	10.10.50.21[0]->10.10.50.20[0] spi=8959429(0x88b5c5)
 racoon: ERROR: 10.10.50.20 give up to get IPsec-SA due to 
 	time up to wait.
 racoon: INFO: unsupported PF_KEY message REGISTER
 racoon: INFO: initiate new phase 2 negotiation:
         10.10.50.21[500]<=>10.10.50.20[500]
 racoon: ERROR: pfkey UPDATE failed: No such file or directory
 racoon: INFO: IPsec-SA established: ESP/Transport
         10.10.50.21[0]->10.10.50.20[0] spi=190476264(0xb5a6fe8)
 racoon: ERROR: 10.10.50.20 give up to get IPsec-SA due to
         time up to wait.
 
 Jeff
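As an added example (not part of this PR, of racoon or of ipsec-tools), a small Python parser for racoon output like the log quoted above: it re-joins the indented syslog continuation lines, records when the kernel rejected the NAT-T UDP encapsulation socket option, and reports, per remote peer, a phase 2 SA that racoon logged as established but that never reached the kernel (pfkey UPDATE failed) before the peer gave up. The sample log is constructed from the lines in the report; the peer addresses and SPI are the ones quoted there.

```python
import re
# Constructed sample, modelled on the racoon syslog output quoted in the report above.
SAMPLE_LOG = """\
racoon: WARNING: 
\tsetsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
racoon: INFO: initiate new phase 2 negotiation: 
\t10.10.50.21[500]<=>10.10.50.20[500]
racoon: ERROR: pfkey UPDATE failed: No such file or directory
racoon: INFO: IPsec-SA established: ESP/Transport 
\t10.10.50.21[0]->10.10.50.20[0] spi=8959429(0x88b5c5)
racoon: ERROR: 10.10.50.20 give up to get IPsec-SA due to 
\ttime up to wait.
"""
NATT_RE = re.compile(r"setsockopt\(UDP_ENCAP_[A-Z_]+\): (.+)$")
PHASE2_RE = re.compile(r"phase 2 negotiation:\s*(\S+)<=>(\S+)")
SA_RE = re.compile(r"IPsec-SA established: (\S+) (\S+)->(\S+) spi=(\d+)")
GIVEUP_RE = re.compile(r"ERROR: (\S+) give up to get IPsec-SA")

def join_continuations(text):
    """Re-join messages that syslog wrapped onto indented continuation lines."""
    records = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and records:
            records[-1] = records[-1].rstrip() + " " + raw.strip()
        else:
            records.append(raw.rstrip())
    return records

def analyze(text):
    """Collect NAT-T socket errors and, per remote peer, the phase 2 outcome."""
    report = {"natt_socket_errors": [], "peers": {}}
    peer = None
    for rec in join_continuations(text):
        if m := NATT_RE.search(rec):
            report["natt_socket_errors"].append(m.group(1))
        elif m := PHASE2_RE.search(rec):
            peer = m.group(2).split("[")[0]  # remote address without the port
            report["peers"].setdefault(peer, {"pfkey_update_failed": 0, "spis": [], "gave_up": False})
        elif peer and "pfkey UPDATE failed" in rec:
            report["peers"][peer]["pfkey_update_failed"] += 1
        elif peer and (m := SA_RE.search(rec)):
            report["peers"][peer]["spis"].append(int(m.group(4)))
        elif (m := GIVEUP_RE.search(rec)) and m.group(1) in report["peers"]:
            report["peers"][m.group(1)]["gave_up"] = True
    return report

def kernel_rejected_peers(report):
    """Peers whose SA racoon logged as established but the kernel never installed."""
    return sorted(a for a, p in report["peers"].items() if p["pfkey_update_failed"] and p["gave_up"])
```

Run `kernel_rejected_peers(analyze(open("/var/log/messages").read()))` on a real log to list the peers affected by this failure mode.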