tech-net archive


Netbsd-5 racoon: Multiple Phase2 SAs generated when NAT-T enabled

Hi Yvan,

referring to the discussion some time ago (racoon-current having problems on 
NetBSD-5.0 branch systems with and without NAT-T because of the kernel's unadjusted 
PF_KEY interface [1]), we discovered a similar problem using the NetBSD-5.0 branch 
and its racoon version when using NAT-T.

We tried to establish an IPsec-connection in tunnel-mode using NAT-T and 
aggressive-mode on two NetBSD-5.0 branch-systems using the stock netbsd-5 
racoon. We tried two different scenarios.

Scenario 1:
NetBSD-5.0-GWs directly connected via cross-link-cable, NAT-T forced on in both 
racoons (option "nat_traversal force;")

Scenario 2: 
NAT-Gateway in between doing source-NAT on initiators' IP, NAT-T set to on in 
both racoons  (option "nat_traversal on;")

Both scenarios result in unusable tunnels. When pings are sent from the initiator's 
LAN to the responder's LAN, Phase 1 (ISAKMP) is completed successfully between the 
two GWs, but Phase 2 (IPsec) is "looping". This means that after a timeout, an 
(additional) pair of Phase 2 SAs is generated.
For our racoon.conf and ipsec.conf files as well as some debug output for both 
scenarios please refer to [2].

We opened a PR regarding this issue (kern/42606).

Is it possible that all these problems exist because of the kernel's 
PF_KEY interface not being adjusted to changes in racoon since the 5.0 branch or 
even earlier?

        - Daniel


A.P.E. GmbH
Hard- & Software Development
Daniel Zebralla
Galgenbergstraße 2a - Posthof
93053 Regensburg - Germany
Phone +49 (941) 78385-460
Fax +49 (941) 78385-150


A.P.E. GmbH IT-Security
Registered office: Regensburg
Commercial register: HRB 5953, Regensburg
Managing director: Dr. Dieter Steiner
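The symptom reported above (a fresh pair of Phase 2 SAs after every timeout while the earlier ones are still installed) is visible on the gateway itself by dumping the SAD. The following Python script is an added example, not code from the post or from racoon/NetBSD: it parses `setkey -D`-style output and flags any direction that carries more live ESP SAs than a normal rekey overlap (old and new SA alive together) would explain. The sample dump embedded below is constructed to resemble `setkey -D` output, with `esp-udp` standing for NAT-T encapsulated SAs, and was not captured from the author's systems; the regular expressions and the threshold of two SAs per direction are this example's own assumptions.

```python
"""Spot Phase 2 SA build-up (the "looping" symptom) in a setkey -D dump.

Usage:  setkey -D | python3 sa_buildup.py -      (parse a live dump)
        python3 sa_buildup.py                    (run on the constructed sample)
"""
import re
import sys
from collections import Counter

# Assumed line shapes, modelled on setkey -D output (not guaranteed verbatim):
#   "<src> <dst>"                                  header, no leading whitespace
#   "\tesp-udp mode=tunnel spi=4097(0x00001001) ..." first line of each SA
#   "\tseq=... replay=4 flags=... state=mature"     state of that SA
HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")
SA_RE = re.compile(r"^\s+(esp|esp-udp|ah|ipcomp)\s+mode=(\S+)\s+spi=(\d+)")
STATE_RE = re.compile(r"state=(\w+)")


def parse_setkey_dump(text):
    """Return one dict per SA: src, dst, proto, mode, spi (int), state."""
    records = []
    src = dst = None
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:  # header lines carry no leading whitespace, so ^\S+ only matches them
            src, dst = m.group(1), m.group(2)
            continue
        m = SA_RE.match(line)
        if m and src is not None:
            current = {"src": src, "dst": dst, "proto": m.group(1),
                       "mode": m.group(2), "spi": int(m.group(3)), "state": None}
            records.append(current)
            continue
        m = STATE_RE.search(line)
        if m and current is not None:
            current["state"] = m.group(1)
    return records


def count_live_sas(records):
    """Number of mature (usable) SAs per (src, dst, proto) direction."""
    counts = Counter()
    for r in records:
        if r["state"] == "mature":
            counts[(r["src"], r["dst"], r["proto"])] += 1
    return counts


def find_sa_buildup(records, max_per_direction=2):
    """Directions holding more live SAs than a rekey overlap explains.

    Two mature SAs in one direction are normal while a soft-lifetime rekey
    replaces the old SA; a count that keeps growing matches the looping
    Phase 2 negotiation described in the post. Threshold is an assumption.
    """
    return sorted((key, n) for key, n in count_live_sas(records).items()
                  if n > max_per_direction)


def _sa_block(src, dst, spi, state="mature"):
    """Constructed text for one NAT-T ESP SA, shaped like a setkey -D entry."""
    return (f"{src} {dst}\n"
            f"\tesp-udp mode=tunnel spi={spi}(0x{spi:08x}) reqid=0(0x00000000)\n"
            f"\tE: aes-cbc  00112233445566778899aabbccddeeff\n"
            f"\tA: hmac-sha1  00112233445566778899aabbccddeeff00112233\n"
            f"\tseq=0x00000000 replay=4 flags=0x00000000 state={state}\n"
            f"\tcreated: Jan 12 10:00:00 2010\tcurrent: Jan 12 10:05:00 2010\n"
            f"\tdiff: 300(s)\thard: 28800(s)\tsoft: 23040(s)\n")


# Constructed sample (documentation addresses, not the author's gateways):
# three SA pairs between the same two gateways instead of one, with the last
# inbound SA still larval so the state filter is exercised.
GW_A, GW_B = "192.0.2.1", "198.51.100.1"
SAMPLE_DUMP = "".join([
    _sa_block(GW_A, GW_B, 0x1001), _sa_block(GW_B, GW_A, 0x1002),
    _sa_block(GW_A, GW_B, 0x2001), _sa_block(GW_B, GW_A, 0x2002),
    _sa_block(GW_A, GW_B, 0x3001), _sa_block(GW_B, GW_A, 0x3002, state="larval"),
])


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DUMP
    recs = parse_setkey_dump(text)
    print(f"{len(recs)} SAs parsed")
    for (src, dst, proto), n in find_sa_buildup(recs):
        print(f"build-up: {n} live {proto} SAs {src} -> {dst}")
```

Run it periodically (or after each ping test) on both gateways: a healthy tunnel settles at one, at most two, SAs per direction, whereas the behaviour in the post shows the per-direction count climbing with every Phase 2 timeout, which is a cheap way to confirm the symptom independently of racoon's own debug output.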
