Re: UDP_ENCAP_ESPINUDP_NON_IKE

To: Chuck Zmudzinski <frchuckz%gmail.com@localhost>, tech-net%NetBSD.org@localhost
Subject: Re: UDP_ENCAP_ESPINUDP_NON_IKE
From: Maxime Villard <max%m00nbsd.net@localhost>
Date: Mon, 21 May 2018 13:38:09 +0200

Le 21/05/2018 à 04:43, Chuck Zmudzinski a écrit :

After some debugging and browsing the source code of racoon I found that my
racoon was configured in such a way that racoon would report to the kernel
that it was using non-IKE markers even though non-IKE markers were not being
used. This happened when in racoon.conf I had something like:

listen
{
     isakmp 192.168.xxx.xxx[500];
     isakmp 192.168.xxx.xxx[4500];
}

Instead of this:

listen
{
     isakmp 192.168.xxx.xxx[500];
     isakmp_natt 192.168.xxx.xxx[4500];
}

According to the racoon.conf man page, a socket will accept UDP-encapsulated
ESP traffic for NAT-Traversal when using the isakmp_natt statement in the
listen directive, but not when using the isakmp statement. In fact, however,
I discovered that NetBSD's racoon (NetBSD 7.x) will accept UDP-encapsulated
traffic even with the isakmp statement for port 4500, but it will report to
the kernel that it is using non-IKE markers when, as far as I can tell, it
actually is not using non-IKE markers. I observed this behavior for all
L2TP/IPSEC clients I tested, including Windows, iPhone, and netbsd/racoon.

When using the isakmp_natt statement for port 4500 in the listen directive,
racoon works as expected and does not report using non-IKE markers and
everything works as expected for RFC 3947/3948, for all clients I tested,
including Windows, iPhone, and a netbsd/racoon client.

The bottom line: I think if we remove UDP_ENCAP_ESPINUDP_NON_IKE option from
the kernel, also remove it from racoon.

Chuck Zmudzinski


It looks like the problem comes down to this branch [1]. I'm not sure how to
fix it.

It is kind of legitimate to ask for non-IKE markers when NATT_00 is compiled;
but at the same time, we may compile NATT_00 just because we want to support
remote hosts that for some reason use deprecated drafts. The initial intent,
in NetBSD, was the second case.

So I suggest we disable ENABLE_NATT_00. This will disable draft-00, in such a
way that racoon will never use non-IKE markers. Then we remove ESPINUDP_NON_IKE
from the kernel.

Can you recompile racoon without ENABLE_NATT_00 and test again? You should be
able to do so by uncommenting the #define in /src/lib/libipsec/config.h.

Maxime

[1] https://nxr.netbsd.org/xref/src/crypto/dist/ipsec-tools/src/racoon/isakmp.c?r=1.78#1648

Follow-Ups:
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski

References:
- UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Maxime Villard
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Maxime Villard
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski
- Re: UDP_ENCAP_ESPINUDP_NON_IKE
  - From: Chuck Zmudzinski

Prev by Date: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Next by Date: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Previous by Thread: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Next by Thread: Re: UDP_ENCAP_ESPINUDP_NON_IKE
Indexes:

Home | Main Index | Thread Index | Old Index