NetBSD-Bugs archive
bin/47894: racoon w/NAT-T - pfkey update: wrong ports
>Number: 47894
>Category: bin
>Synopsis: racoon w/NAT-T - pfkey update: wrong ports
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Jun 05 12:35:00 +0000 2013
>Originator: Gergely Egervary
>Release: NetBSD 6.1-RC2
>Organization:
>Environment:
NetBSD galileo.yyyy.hu 6.1_RC2 NetBSD 6.1_RC2 (GALILEO) #1: Mon May 6 21:45:23 CEST 2013 root@galileo.yyyy.hu:/usr/src/sys/arch/amd64/compile/GALILEO amd64
>Description:
I'm trying to set up an IPSEC VPN connection with PSK. Without NAT, everything
works as expected. When the client is behind NAT, I see the following log:
Jun 5 13:18:31 galileo racoon: INFO: respond new phase 1 negotiation: server.ip.address[500]<=>client.ip.address[500]
Jun 5 13:18:31 galileo racoon: INFO: begin Identity Protection mode.
Jun 5 13:18:31 galileo racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Jun 5 13:18:31 galileo racoon: INFO: received Vendor ID: RFC 3947
Jun 5 13:18:31 galileo racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 5 13:18:31 galileo racoon: INFO: received Vendor ID: FRAGMENTATION
Jun 5 13:18:31 galileo racoon: [client.ip.address] INFO: Selected NAT-T version: RFC 3947
Jun 5 13:18:31 galileo racoon: [server.ip.address] INFO: Hashing server.ip.address[500] with algo #2
Jun 5 13:18:31 galileo racoon: INFO: NAT-D payload #0 verified
Jun 5 13:18:31 galileo racoon: [client.ip.address] INFO: Hashing client.ip.address[500] with algo #2
Jun 5 13:18:31 galileo racoon: INFO: NAT-D payload #1 doesn't match
Jun 5 13:18:31 galileo racoon: INFO: NAT detected: PEER
Jun 5 13:18:31 galileo racoon: [client.ip.address] INFO: Hashing client.ip.address[500] with algo #2
Jun 5 13:18:31 galileo racoon: [server.ip.address] INFO: Hashing server.ip.address[500] with algo #2
Jun 5 13:18:31 galileo racoon: INFO: Adding remote and local NAT-D payloads.
Jun 5 13:18:31 galileo racoon: INFO: NAT-T: ports changed to: client.ip.address[4500]<->server.ip.address[4500]
Jun 5 13:18:31 galileo racoon: INFO: KA list add: server.ip.address[4500]->client.ip.address[4500]
Jun 5 13:18:31 galileo racoon: INFO: ISAKMP-SA established server.ip.address[4500]-client.ip.address[4500] spi:cbaa8379251aee41:812c9e31092837d4
Jun 5 13:18:31 galileo racoon: INFO: respond new phase 2 negotiation: server.ip.address[4500]<=>client.ip.address[4500]
Jun 5 13:18:31 galileo racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Jun 5 13:18:31 galileo racoon: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Jun 5 13:18:31 galileo racoon: INFO: IPsec-SA established: ESP/Transport server.ip.address[500]->client.ip.address[500] spi=153285607(0x922f3e7)
Jun 5 13:18:31 galileo racoon: INFO: IPsec-SA established: ESP/Transport server.ip.address[500]->client.ip.address[500] spi=2696216198(0xa0b4fe86)
See the last two entries - the IPsec-SA session should use udp/4500 instead of
udp/500...
log debug;
path pre_shared_key "/etc/racoon/psk.txt";

listen {
        isakmp server.ip.address [500];        # plain IKE
        isakmp_natt server.ip.address [4500];  # NAT-T: UDP-encapsulated IKE/ESP
}

remote anonymous {
        exchange_mode main;
        nat_traversal on;          # negotiate NAT-T (RFC 3947) with any peer
        generate_policy off;
        proposal_check obey;
        send_cr off;
        send_cert off;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 2;
        }
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        encryption_algorithm aes, 3des;
        authentication_algorithm hmac_sha1, hmac_md5;
        compression_algorithm deflate;
}
>How-To-Repeat:
>Fix:
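Added here as an illustration, not part of the report or of racoon itself: a small checker that scans racoon log lines for the symptom described above, i.e. an IPsec-SA installed with the pre-NAT-T ports after phase 1 floated to udp/4500. The sample log is a constructed condensation of the posted entries (placeholder addresses, SPI values as posted).

```python
import re

# Constructed sample in racoon's log format, condensed from the report above;
# placeholder addresses, not a live capture.
SAMPLE_LOG = """\
Jun 5 13:18:31 galileo racoon: INFO: NAT detected: PEER
Jun 5 13:18:31 galileo racoon: INFO: NAT-T: ports changed to: client.ip.address[4500]<->server.ip.address[4500]
Jun 5 13:18:31 galileo racoon: INFO: ISAKMP-SA established server.ip.address[4500]-client.ip.address[4500] spi:cbaa8379251aee41:812c9e31092837d4
Jun 5 13:18:31 galileo racoon: INFO: IPsec-SA established: ESP/Transport server.ip.address[500]->client.ip.address[500] spi=153285607(0x922f3e7)
Jun 5 13:18:31 galileo racoon: INFO: IPsec-SA established: ESP/Transport server.ip.address[500]->client.ip.address[500] spi=2696216198(0xa0b4fe86)
"""

# "address[port]" as racoon prints endpoints
ENDPOINT = r"([^\s\[\]]+)\[(\d+)\]"
NAT_DETECTED = re.compile(r"NAT detected: (\w+)")
PORTS_CHANGED = re.compile(r"NAT-T: ports changed to: " + ENDPOINT + r"<->" + ENDPOINT)
IPSEC_SA = re.compile(r"IPsec-SA established: (\S+) " + ENDPOINT + r"->" + ENDPOINT + r" spi=(\d+)")


def find_natt_port_mismatches(log_text):
    """Return one finding per IPsec-SA whose ports disagree with the ports
    negotiated by NAT-T in phase 1. Nothing is flagged unless racoon logged
    'NAT detected', since without NAT the original ports are expected."""
    nat_detected = False
    natt_ports = {}   # address -> port after the NAT-T float
    findings = []
    for line in log_text.splitlines():
        if NAT_DETECTED.search(line):
            nat_detected = True
            continue
        m = PORTS_CHANGED.search(line)
        if m:
            natt_ports[m.group(1)] = int(m.group(2))
            natt_ports[m.group(3)] = int(m.group(4))
            continue
        m = IPSEC_SA.search(line)
        if m and nat_detected and natt_ports:
            mode, src, sport, dst, dport, spi = m.groups()
            actual = {src: int(sport), dst: int(dport)}
            if any(natt_ports.get(a) != p for a, p in actual.items()):
                findings.append({"spi": int(spi), "mode": mode,
                                 "actual": actual, "expected": dict(natt_ports)})
    return findings


if __name__ == "__main__":
    for f in find_natt_port_mismatches(SAMPLE_LOG):
        print("SA spi=%d (%s): installed with ports %s, NAT-T negotiated %s"
              % (f["spi"], f["mode"], f["actual"], f["expected"]))
```

Run against a live racoon log, an empty result after a peer behind NAT connects is the condition to expect once the pfkey update carries the right ports.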