Subject: Re: bin/30437 recent NATT changes breaks racoon
To: None <manu@netbsd.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: Jeff Ito <jeffi@rcn.com>
List: netbsd-bugs
Date: 09/12/2005 11:12:02
The following reply was made to PR bin/30437; it has been noted by GNATS.
From: Jeff Ito <jeffi@rcn.com>
To: Emmanuel Dreyfus <manu@netbsd.org>
Cc: gnats-bugs@netbsd.org, spz@serpens.de
Subject: Re: bin/30437 recent NATT changes breaks racoon
Date: Mon, 12 Sep 2005 07:18:36 -0400
On Fri, Sep 02, 2005 at 03:50:59PM +0000, Emmanuel Dreyfus wrote:
>
> On Fri, Sep 02, 2005 at 11:44:53AM -0400, Jeff Ito wrote:
>
> > On two -current machines with a non-NAT-T kernel and ipsec-tools
> > 0.6.1 I still run into errors. I believe that this may be due to
> > the fact that ipsec-tools still has nat-t support built in. Perhaps
> > this is user error, or some piece of documentation I missed?
>
> ipsec-tools should be able to work with NAT-T enabled on a non-NAT-T
> kernel. If it does not, it's a bug.
>
> While awaiting a fix, we might be able to find a workaround. Try this SPD:
> spdadd 10.1.1.4/32 10.1.1.5/32 any
> -P in ipsec esp/transport/10.1.1.4[0]-10.1.1.5[0]/require;
> spdadd 10.1.1.5/32 10.1.1.4/32 any
> -P out ipsec esp/transport/10.1.1.5[0]-10.1.1.4[0]/require;
>
> And if it fails, that one:
> spdadd 10.1.1.4/32 10.1.1.5/32 any
> -P in ipsec esp/transport/10.1.1.4[500]-10.1.1.5[500]/require;
> spdadd 10.1.1.5/32 10.1.1.4/32 any
> -P out ipsec esp/transport/10.1.1.5[500]-10.1.1.4[500]/require;
>
I've just tested this again, along with the SPD configurations
suggested, and I can confirm that racoon fails to negotiate on
a non-NAT-T kernel.
Here is what shows up in the logs:
racoon: INFO: @(#)ipsec-tools 0.6.1
racoon: INFO: @(#)This product linked OpenSSL 0.9.7g-fips
racoon: INFO: 10.10.50.21[500] used as isakmp port (fd=8)
racoon: WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
racoon: INFO: IPsec-SA request for 10.10.50.20 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: 10.10.50.21[500]<=>10.10.50.20[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received Vendor ID: DPD
racoon: INFO: ISAKMP-SA established 10.10.50.21[500]-10.10.50.20[500] spi:46935f850b1314b1:ffe0ed518c8461c4
racoon: INFO: initiate new phase 2 negotiation: 10.10.50.21[500]<=>10.10.50.20[500]
racoon: ERROR: pfkey UPDATE failed: No such file or directory
racoon: INFO: IPsec-SA established: ESP/Transport 10.10.50.21[0]->10.10.50.20[0] spi=8959429(0x88b5c5)
racoon: ERROR: 10.10.50.20 give up to get IPsec-SA due to time up to wait.
racoon: INFO: unsupported PF_KEY message REGISTER
racoon: INFO: initiate new phase 2 negotiation: 10.10.50.21[500]<=>10.10.50.20[500]
racoon: ERROR: pfkey UPDATE failed: No such file or directory
racoon: INFO: IPsec-SA established: ESP/Transport 10.10.50.21[0]->10.10.50.20[0] spi=190476264(0xb5a6fe8)
racoon: ERROR: 10.10.50.20 give up to get IPsec-SA due to time up to wait.
Jeff
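The log excerpt above shows the failure signature the PR is about: the kernel rejects racoon's UDP_ENCAP setsockopt, phase 1 still completes, and every phase 2 then ends in "pfkey UPDATE failed" followed by the peer giving up. The following is an added example (editor's code, not part of the PR thread or of ipsec-tools) that joins the line-wrapped syslog output back into whole entries and classifies a racoon log against that pattern, so the mismatch can be spotted from logs alone rather than by reading each negotiation by hand. The function names (`join_wrapped`, `summarize`, `Summary`) and the diagnosis labels are the editor's choices; `PR_LOG` is the excerpt quoted in the follow-up, `HEALTHY_LOG` is a constructed negative case.

```python
import re
from dataclasses import dataclass

# Log excerpt as quoted in the PR bin/30437 follow-up, wrapped lines kept as found.
PR_LOG = """\
racoon: INFO: @(#)ipsec-tools 0.6.1
racoon: INFO: @(#)This product linked OpenSSL 0.9.7g-fips
racoon: INFO: 10.10.50.21[500] used as isakmp port (fd=8)
racoon: WARNING:
setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): Invalid argument
racoon: INFO: IPsec-SA request for 10.10.50.20
queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation:
10.10.50.21[500]<=>10.10.50.20[500]
racoon: INFO: begin Identity Protection mode.
racoon: INFO: received Vendor ID: DPD
racoon: INFO: ISAKMP-SA established
10.10.50.21[500]-10.10.50.20[500]
spi:46935f850b1314b1:ffe0ed518c8461c4
racoon: INFO: initiate new phase 2 negotiation:
10.10.50.21[500]<=>10.10.50.20[500]
racoon: ERROR: pfkey UPDATE failed: No such file or directory
racoon: INFO: IPsec-SA established: ESP/Transport
10.10.50.21[0]->10.10.50.20[0] spi=8959429(0x88b5c5)
racoon: ERROR: 10.10.50.20 give up to get IPsec-SA due to
time up to wait.
racoon: INFO: unsupported PF_KEY message REGISTER
racoon: INFO: initiate new phase 2 negotiation:
10.10.50.21[500]<=>10.10.50.20[500]
racoon: ERROR: pfkey UPDATE failed: No such file or directory
racoon: INFO: IPsec-SA established: ESP/Transport
10.10.50.21[0]->10.10.50.20[0] spi=190476264(0xb5a6fe8)
racoon: ERROR: 10.10.50.20 give up to get IPsec-SA due to
time up to wait.
"""

# Constructed healthy run (not from the PR), used as the negative case.
HEALTHY_LOG = """\
racoon: INFO: 10.10.50.21[500] used as isakmp port (fd=8)
racoon: INFO: ISAKMP-SA established 10.10.50.21[500]-10.10.50.20[500] spi:0000000000000000:1111111111111111
racoon: INFO: initiate new phase 2 negotiation: 10.10.50.21[500]<=>10.10.50.20[500]
racoon: INFO: IPsec-SA established: ESP/Transport 10.10.50.21[0]->10.10.50.20[0] spi=1(0x1)
"""

LINE_RE = re.compile(r"^racoon: (?P<level>INFO|WARNING|ERROR): ?(?P<msg>.*)$")


def join_wrapped(lines):
    """Re-attach continuation lines (no 'racoon:' prefix) to the entry they belong to."""
    entries = []
    for line in lines:
        line = line.rstrip()
        if not line:
            continue
        if line.startswith("racoon:") or not entries:
            entries.append(line)
        else:
            entries[-1] = entries[-1] + " " + line.lstrip()
    return entries


@dataclass
class Summary:
    natt_sockopt_warning: bool = False   # kernel rejected setsockopt(UDP_ENCAP_*)
    phase1_established: int = 0          # "ISAKMP-SA established"
    phase2_attempts: int = 0             # "initiate new phase 2 negotiation"
    ipsec_sa_established: int = 0        # "IPsec-SA established"
    pfkey_update_failures: int = 0       # "pfkey UPDATE failed"
    give_ups: int = 0                    # peer timed out waiting for the IPsec-SA

    def diagnosis(self):
        # The PR's signature: NAT-T socket option rejected and PF_KEY UPDATE
        # failing even though phase 1 completed.
        if self.natt_sockopt_warning and self.pfkey_update_failures and self.phase1_established:
            return "natt-mismatch"
        if self.give_ups or self.pfkey_update_failures:
            return "phase2-failure"
        return "ok"


def summarize(log_text):
    """Count the negotiation milestones and failures in a racoon log."""
    s = Summary()
    for entry in join_wrapped(log_text.splitlines()):
        m = LINE_RE.match(entry)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if level == "WARNING" and msg.startswith("setsockopt(UDP_ENCAP_"):
            s.natt_sockopt_warning = True
        elif msg.startswith("ISAKMP-SA established"):
            s.phase1_established += 1
        elif msg.startswith("initiate new phase 2 negotiation"):
            s.phase2_attempts += 1
        elif msg.startswith("IPsec-SA established"):
            s.ipsec_sa_established += 1
        elif msg.startswith("pfkey UPDATE failed"):
            s.pfkey_update_failures += 1
        elif "give up to get IPsec-SA" in msg:
            s.give_ups += 1
    return s
```

Run `summarize(PR_LOG).diagnosis()` against the quoted excerpt and it reports `natt-mismatch`; the same call on the constructed healthy log reports `ok`. The classifier keys on the combination of the setsockopt warning and the PF_KEY UPDATE errors rather than on either alone, since a lone UPDATE failure can have other causes.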