Re: UDP_ENCAP_ESPINUDP_NON_IKE

To: Maxime Villard <max%m00nbsd.net@localhost>, tech-net%NetBSD.org@localhost
Subject: Re: UDP_ENCAP_ESPINUDP_NON_IKE
From: Chuck Zmudzinski <frchuckz%gmail.com@localhost>
Date: Sat, 19 May 2018 14:52:02 -0400

On 5/19/2018 1:04 PM, Maxime Villard wrote:

Le 19/05/2018 à 16:57, Chuck Zmudzinski a écrit :
A little more information on my setup from what racoon logs show:
May 13 12:17:11 ave racoon: INFO: respond new phase 1 negotiation:192.168.xxx.xxx[500]<=>xxx.xxx.xxx.xxx[500]
May 13 12:17:11 ave racoon: INFO: begin Identity Protection mode.
May 13 12:17:11 ave racoon: INFO: received broken Microsoft ID: MSNT5 ISAKMPOAKLEY
May 13 12:17:11 ave racoon: INFO: received Vendor ID: RFC 3947
May 13 12:17:11 ave racoon: INFO: received Vendor ID:draft-ietf-ipsec-nat-t-ike-02
May 13 12:17:11 ave racoon: INFO: received Vendor ID: FRAGMENTATION
May 13 12:17:11 ave racoon: [68.40.135.16] INFO: Selected NAT-Tversion: RFC 3947
This is from a Microsoft Windows 10 client, and it reports using RFC3947 forNat-t version, yet in the NetBSD 7.x udp_usrreq.c code, my system isselectingthe UDP_ENCAP_ESPINUDP_NON_IKE case but I had to edit the skipvariable for
that case to what skip would be if the INP_ESPINUDP case was selected in
udp_usrreq.c to get my setup to work with the windows clients. If isconfusingto me, but my patch does work with windows clients but I don't knowif my
patch breaks other cases.
Well, at a first glance it looks like there's a problem with racoon.If it
uses RFC3947, it shouldn't use non-IKE markers.

That's what I was thinking also, but as I said I am using Microsoftclients with the AssumeUDPEncapsulationContextOnSendRule value set to 2in the Windows registry<https://support.microsoft.com/en-us/help/926179/how-to-configure-an-l2tp-ipsec-server-behind-a-nat-t-device-in-windows>,and maybe that is tricking racoon into using non-IKE markers. I can tryWindows clients with that value set to 0 or 1 and see if racoon is stillusing non-IKE markers.

Next week I will have some time to do some debugging and test my configuration also with a non-Windows client and see if it is still usingnon-IKE markers. I can try an iphone client and I also got a NetBSDclient that uses racoon to work with my patch but I never checked if itused non-IKE markers in that case. I will let you know what I find.


Chuck Zmudzinski

Follow-Ups:
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski

References:
- UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Maxime Villard
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Maxime Villard

Prev by Date: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Next by Date: Re: Routing between two internal networks
Previous by Thread: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Next by Thread: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Indexes:

Home | Main Index | Thread Index | Old Index