tech-net archive


Re: IPsec vs ssh



On 14/11/2013 12:32 PM, SUENAGA Hiroki wrote:
> 2013/11/14 5:19、Darren Reed <darrenr%netbsd.org@localhost>:
> 
>> 06:22:46.477581
>> sadb_msg{ version=2 type=1(GETSPI) errno=0 satype=3 len=10 reserved=0 seq=3 pid=13808
>> sadb_ext{ len=2 type=1 }
>> sadb_sa{ spi=192737835 replay=64 state=6 auth=76 encrypt=125 flags=0xfe01a8c0 }
>> sadb_ext{ len=3 type=5 }
>> sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
>> sockaddr{ len=16 family=2 port=4500 8da1044d  }
>> sadb_ext{ len=3 type=6 }
>> sadb_address{ proto=255 prefixlen=32 reserved=0x0000 }
>> sockaddr{ len=16 family=2 port=4500 0a0103fe  }
> 
> This GETSPI message lacks NAT-T-TYPE and NAT-T-PORT payloads,
> though the UPDATE message has NAT-T payloads. I think this
> is an incorrect message sequence.
> 
> Original racoon adds the NAT-T payloads around here.
> 
>  (racoon/pfkey.c)
>  894 int
>  895 pk_sendgetspi(iph2)
>  896         struct ph2handle *iph2;
>  897 {
>  ...
>  957 #ifdef ENABLE_NATT
>  958                 if (pr->udp_encap) {
>  959                         natt_type = iph2->ph1->natt_options->encaps_type;
>  960                         sport=extract_port(src);
>  961                         dport=extract_port(dst);
>  962                 }
>  963 #endif
>  ...
>  966                 if (pfkey_send_getspi_nat(
>  967                                 lcconf->sock_pfkey,
>  968                                 satype,
>  969                                 mode,
>  970                                 dst,                    /* src of SA */
>  971                                 src,                    /* dst of SA */
>  972                                 natt_type,
>  973                                 dport,
>  974                                 sport,

So the racoon in -current has "pr->udp_encap == 0" when it gets here.

This might be related to this message:

INFO: Adjusting my encmode UDP-Tunnel->Tunnel
INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)

So now I learn something interesting about ipsec.conf: the port
specifier does not support different policies, e.g. you cannot
have:

spadd 1.1.1.0/24 1.1.1.2/24 udp -P in esp/tunnel/2.2.2.2[4500]-3.3.3.3[4500]/require;
spadd 1.1.1.0/24 1.1.1.2/24 udp -P in esp/tunnel/2.2.2.2[500]-3.3.3.3[500]/require;

Turning "nat_traversal" off in racoon.conf makes fewer things work.

Darren
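Added example, not racoon's or NetBSD's code: a small PF_KEY walker that checks whether a GETSPI message carries the NAT-T TYPE/SPORT/DPORT extensions pk_sendgetspi() attaches when pr->udp_encap is set, which is exactly what the dump quoted above lacks. The NAT-T extension type numbers and the encapsulation type value are assumed from NetBSD's net/pfkeyv2.h and netinet/udp.h; the two sample messages are constructed here to match the shape of that dump.

```c
/* Added example (not racoon's code): walk a PF_KEY v2 message (RFC 2367
 * layout, host byte order, lengths in 8-byte units) and report which NAT-T
 * extensions a GETSPI carries. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Base types from RFC 2367; NAT-T values as in NetBSD's net/pfkeyv2.h
 * (assumed here, verify against your own headers). */
enum { SADB_GETSPI = 1, EXT_SA = 1, EXT_ADDR_SRC = 5, EXT_ADDR_DST = 6,
       EXT_NAT_T_TYPE = 20, EXT_NAT_T_SPORT = 21, EXT_NAT_T_DPORT = 22 };
enum { HAS_TYPE = 1, HAS_SPORT = 2, HAS_DPORT = 4, NATT_COMPLETE = 7 };
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
/* Returns a HAS_* bitmask; -1 for a malformed message (bad version, sadb_msg_len
 * not matching len, zero-length or overrunning extension); -2 if not GETSPI. */
int getspi_natt_exts(const uint8_t *buf, size_t len)
{
    if (len < 16 || buf[0] != 2 || (size_t)get16(buf + 4) * 8 != len) return -1;
    if (buf[1] != SADB_GETSPI) return -2;
    int found = 0;
    /* len and off are both multiples of 8, so off < len leaves room for a header */
    for (size_t off = 16; off < len; ) {
        uint16_t elen = get16(buf + off), etype = get16(buf + off + 2);
        if (elen == 0 || off + (size_t)elen * 8 > len) return -1;
        if (etype == EXT_NAT_T_TYPE) found |= HAS_TYPE;
        else if (etype == EXT_NAT_T_SPORT) found |= HAS_SPORT;
        else if (etype == EXT_NAT_T_DPORT) found |= HAS_DPORT;
        off += (size_t)elen * 8;
    }
    return found;
}
/* Constructed GETSPI shaped like the dump in this thread (len=10 -> 80 bytes:
 * sadb_msg, sadb_sa len=2, src/dst sadb_address len=3 each). With with_natt
 * set, the three 8-byte NAT-T extensions are appended (len=13 -> 104 bytes). */
size_t build_getspi(uint8_t buf[104], int with_natt)
{
    memset(buf, 0, 104);
    buf[0] = 2; buf[1] = SADB_GETSPI; buf[3] = 3; put16(buf + 4, 10); /* v2, GETSPI, ESP */
    put16(buf + 16, 2); put16(buf + 18, EXT_SA);
    put16(buf + 32, 3); put16(buf + 34, EXT_ADDR_SRC);
    put16(buf + 56, 3); put16(buf + 58, EXT_ADDR_DST);
    if (!with_natt) return 80;
    put16(buf + 80, 1); put16(buf + 82, EXT_NAT_T_TYPE);  buf[84] = 2; /* assumed ESP-in-UDP type */
    put16(buf + 88, 1); put16(buf + 90, EXT_NAT_T_SPORT); put16(buf + 92, 4500);
    put16(buf + 96, 1); put16(buf + 98, EXT_NAT_T_DPORT); put16(buf + 100, 4500);
    put16(buf + 4, 13);
    return 104;
}
/* Build one of the two constructed messages and check it: 0 without NAT-T, 7 with. */
int demo(int with_natt) { uint8_t b[104]; return getspi_natt_exts(b, build_getspi(b, with_natt)); }
```

Feeding a message read from a PF_KEY socket to getspi_natt_exts() gives the same bitmask, so a result other than NATT_COMPLETE on a GETSPI for a UDP-encapsulated SA confirms the missing payloads.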

