tech-net archive


IPsec NAT-T to IPsec NAT-T



Maybe I'm approaching the solution wrong, or maybe not.

My goal is to get two NetBSD hosts, each behind a NAT gateway
to talk to each other using IPsec using NAT-T.

This should work, shouldn't it?

Darren

From gateway 1, ipsec.conf:

# Gateway 1 SPD (setkey). Policies come in pairs: one "-P out" and its "-P in"
# mirror. Tunnel endpoints: 10.0.0.254 is this host's pre-NAT address (the same
# address racoon listens on below); 64.33.101.23 is the peer's public address.
# Every selector is "icmp" only: any other protocol between these networks is
# not matched by these policies and, with no default/discard policy shown,
# presumably leaves unprotected — fine for a ping test, not for production.
spdadd 10.0.0.254/32 10.1.2.0/24 icmp
        -P out ipsec esp/tunnel/10.0.0.254-64.33.101.23/require;
spdadd 10.1.2.0/24 10.0.0.254/32 icmp
        -P in ipsec esp/tunnel/64.33.101.23-10.0.0.254/require;

spdadd 64.33.101.23/32 10.1.1.0/24 icmp
        -P in ipsec esp/tunnel/64.33.101.23-10.0.0.254/require;
spdadd 10.1.1.0/24 64.33.101.23/32 icmp
        -P out ipsec esp/tunnel/10.0.0.254-64.33.101.23/require;

# Only the subnet-to-subnet pair carries the NAT-T UDP port [4500] on both
# tunnel endpoints; the host-level pairs above do not. NOTE(review): confirm
# this asymmetry is intended — a NAT-T SA is keyed on the port, so policies
# without [4500] may not match the SA racoon installs.
spdadd 10.1.2.0/24 10.1.1.0/24 icmp
        -P in ipsec esp/tunnel/64.33.101.23[4500]-10.0.0.254[4500]/require;
spdadd 10.1.1.0/24 10.1.2.0/24 icmp
        -P out ipsec esp/tunnel/10.0.0.254[4500]-64.33.101.23[4500]/require;

and racoon.conf:

# Gateway 1 racoon.conf.
path pre_shared_key "/etc/ipsec-key.txt";

listen {
        # 10.0.0.254 is this host's pre-NAT address: NAT-T on UDP 4500,
        # plain ISAKMP on UDP 500. strict_address makes both binds mandatory.
        isakmp_natt 10.0.0.254 [4500];
        isakmp 10.0.0.254 [500];
        strict_address;
}

remote anonymous
{
        exchange_mode main;
        lifetime time 24 hour;
        # The identity sent to the peer is this host's private address, but the
        # peer's racoon.conf on this page expects "peers_identifier address
        # 177.3.11.43" (the NAT's public address), so the two IDs do not agree.
        # NOTE(review): whether racoon rejects the mismatch depends on
        # verify_identifier, which is not set here — confirm before relying on it.
        my_identifier address 10.0.0.254;
        peers_identifier address 64.33.101.23;
        ike_frag on;
        esp_frag 1440;
        initial_contact on;
        # proposal_check appears twice in this block ("claim" here, "obey" at the
        # end); presumably the later line wins — confirm and keep only one.
        proposal_check claim;
        support_proxy on;
        nat_traversal force;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                # dh_group is set twice: modp2048 here, then "2" (modp1024)
                # below. If the later line wins, phase 1 uses the weaker group;
                # keep only the intended one.
                dh_group modp2048;
                # 30 hours here vs "24 hour" at the remote level above — confirm
                # which phase-1 lifetime is intended.
                lifetime time 30 hours;
                dh_group 2;
        }
        proposal_check obey;
}

sainfo anonymous
{
        # pfs_group 2 is modp1024, weaker than the modp2048 proposed for phase 1.
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# Debug-level logging is very verbose; lower it once the tunnel comes up.
log debug;

# mode_cfg serves ISAKMP configuration (remote-access) clients; presumably
# not needed for a gateway-to-gateway tunnel — harmless but worth removing.
mode_cfg {
        auth_source system;
        conf_source local;
        accounting none;
}

From gateway 2, ipsec.conf:
# Gateway 2 SPD (setkey). Same shape as gateway 1's: 10.0.0.254 is this host's
# pre-NAT address (also the racoon listen address), 177.3.11.43 the peer's
# public address. Selectors are "icmp" only, so other traffic between these
# networks is not covered by these policies.
# NOTE(review): the subnet-to-subnet policies have exactly the same orientation
# as gateway 1's (10.1.1.0/24 -> 10.1.2.0/24 is "out" on both). If this gateway
# fronts 10.1.2.0/24, its in/out directions look swapped — confirm which side
# each subnet sits on.
spdadd 10.0.0.254/32 10.1.2.0/24 icmp
        -P out ipsec esp/tunnel/10.0.0.254-177.3.11.43/require;
spdadd 10.1.2.0/24 10.0.0.254/32 icmp
        -P in ipsec esp/tunnel/177.3.11.43-10.0.0.254/require;

spdadd 177.3.11.43/32 10.1.1.0/24 icmp
        -P in ipsec esp/tunnel/177.3.11.43-10.0.0.254/require;
spdadd 10.1.1.0/24 177.3.11.43/32 icmp
        -P out ipsec esp/tunnel/10.0.0.254-177.3.11.43/require;

# Only this pair carries the NAT-T port [4500] on the tunnel endpoints; the
# host-level pairs above do not — confirm the asymmetry is intended.
spdadd 10.1.2.0/24 10.1.1.0/24 icmp
        -P in ipsec esp/tunnel/177.3.11.43[4500]-10.0.0.254[4500]/require;
spdadd 10.1.1.0/24 10.1.2.0/24 icmp
        -P out ipsec esp/tunnel/10.0.0.254[4500]-177.3.11.43[4500]/require;

and racoon.conf:
# Gateway 2 racoon.conf (mirror of gateway 1's; only peers_identifier differs).
path pre_shared_key "/etc/ipsec-key.txt";

listen {
        # Pre-NAT address of this host: NAT-T on UDP 4500, ISAKMP on UDP 500.
        isakmp_natt 10.0.0.254 [4500];
        isakmp 10.0.0.254 [500];
        strict_address;
}

remote anonymous
{
        exchange_mode main;
        lifetime time 24 hour;
        # This host identifies itself by its private address, while gateway 1
        # expects "peers_identifier address 64.33.101.23" (the public NAT
        # address). NOTE(review): with main mode and a pre-shared key behind
        # NAT this ID mismatch is the usual suspect; confirm the verify_identifier
        # setting (not set here) and whether an explicit non-address ID is needed.
        my_identifier address 10.0.0.254;
        peers_identifier address 177.3.11.43;
        ike_frag on;
        esp_frag 1440;
        initial_contact on;
        # Duplicate directive: proposal_check is also set to "obey" at the end
        # of this block — keep only one.
        proposal_check claim;
        support_proxy on;
        nat_traversal force;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                # Duplicate directive: dh_group modp2048 here, then "2"
                # (modp1024) below. Presumably the later one wins — confirm,
                # and keep the stronger group.
                dh_group modp2048;
                # Disagrees with "24 hour" at the remote level above.
                lifetime time 30 hours;
                dh_group 2;
        }
        proposal_check obey;
}

sainfo anonymous
{
        # modp1024 for phase-2 PFS, weaker than the phase-1 modp2048 above.
        pfs_group 2;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# Very verbose; lower once the tunnel is working.
log debug;

# ISAKMP configuration for remote-access clients; presumably not needed for
# a site-to-site tunnel.
mode_cfg {
        auth_source system;
        conf_source local;
        accounting none;
}


