Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled

To: VANHULLEBUS Yvan <vanhu%NetBSD.org@localhost>
Subject: Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled
From: "Daniel Zebralla (A.P.E. IT-Security - Hard- & Software Development)" <D.Zebralla%ape-net.com@localhost>
Date: Mon, 11 Jan 2010 16:40:42 +0100

Hi Yvan,

referring to the discussion some time ago (racoon-current having problems on 
NetBSD-5.0 branch-systems with and without NAT-T because of Kernels unadjusted 
PFkey-interface [1]) we discovered a similar problem using NetBSD-5.0 branch 
and its racoon-version when using NAT-T.

We tried to establish an IPsec-connection in tunnel-mode using NAT-T and 
aggressive-mode on two NetBSD-5.0 branch-systems using the stock netbsd-5 
racoon. We tried two different scenarios.

Scenario 1:
NetBSD-5.0-GWs directly connected via cross-link-cable, NAT-T forced on in both 
racoons (option "nat_traversal force;")

Scenario 2: 
NAT-Gateway in between doing source-NAT on initiators' IP, NAT-T set to on in 
both racoons  (option "nat_traversal on;")

Both scenarios result in unusable tunnels. When pings are sent from initiators 
LAN to responders LAN, Phase1 (ISAKMP) is completed successfully between the 
two GWs, but Phase2 (IPsec) is "looping". This means that after a timeout, a 
(additional) pair of Phase2-SAs is generated.
For our racoon.conf- and ipsec.conf-files as well as some debug-output for both 
scenarios please refer to [2].

We opened a PR regarding this issue (kern/42606).

Is it possible that all this problems exist because of the Kernels' 
PFkey-interface not being adjusted to changes in racoon since 5.0-branch or 
even earlier?

        - Daniel

[1]
http://mail-index.netbsd.org/tech-net/2009/12/18/msg001803.html
[2]
http://sourceforge.net/mailarchive/message.php?msg_name=83DEBFABE007144FB16E7C68C6E2E1FD164EC15A0D%40ape-server11.ape-net.local


A.P.E. GmbH
Hard- & Software Development
Daniel Zebralla
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Telefon +49 (941) 78385-460
Telefax +49 (941) 78385-150
D.Zebralla%ape-net.com@localhost
http://www.ape-net.com

_______________________________________

A.P.E. GmbH  IT-Security
Sitz der Gesellschaft: Regensburg
Handelsregister: HRB 5953, Regensburg
Geschäftsführer: Dr. Dieter Steiner

Follow-Ups:
- Re: Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled
  - From: VANHULLEBUS Yvan

Prev by Date: Re: tftp protocol
Next by Date: NetBSD -CURRENT / iwn firmware error
Previous by Thread: NetBSD5.0.1/i386 or amd64 vs. Realtek 8168B reases mac address
Next by Thread: Re: Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled
Indexes:

Home | Main Index | Thread Index | Old Index