tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]


Le 21/05/2018 à 04:43, Chuck Zmudzinski a écrit :
After some debugging and browsing the source code of racoon I found that my
racoon was configured in such a way that racoon would report to the kernel
that it was using non-IKE markers even though non-IKE markers were not being
used. This happened when in racoon.conf I had something like:


Instead of this:


According to the racoon.conf man page, a socket will accept UDP-encapsulated
ESP traffic for NAT-Traversal when using the isakmp_natt statement in the
listen directive, but not when using the isakmp statement. In fact, however,
I discovered that NetBSD's racoon (NetBSD 7.x) will accept UDP-encapsulated
traffic even with the isakmp statement for port 4500, but it will report to
the kernel that it is using non-IKE markers when, as far as I can tell, it
actually is not using non-IKE markers. I observed this behavior for all
L2TP/IPSEC clients I tested, including Windows, iPhone, and netbsd/racoon.

When using the isakmp_natt statement for port 4500 in the listen directive,
racoon works as expected and does not report using non-IKE markers and
everything works as expected for RFC 3947/3948, for all clients I tested,
including Windows, iPhone, and a netbsd/racoon client.

The bottom line: I think if we remove UDP_ENCAP_ESPINUDP_NON_IKE option from
the kernel, also remove it from racoon.

Chuck Zmudzinski

It looks like the problem comes down to this branch [1]. I'm not sure how to
fix it.

It is kind of legitimate to ask for non-IKE markers when NATT_00 is compiled;
but at the same time, we may compile NATT_00 just because we want to support
remote hosts that for some reason use deprecated drafts. The initial intent,
in NetBSD, was the second case.

So I suggest we disable ENABLE_NATT_00. This will disable draft-00, in such a
way that racoon will never use non-IKE markers. Then we remove ESPINUDP_NON_IKE
from the kernel.

Can you recompile racoon without ENABLE_NATT_00 and test again? You should be
able to do so by uncommenting the #define in /src/lib/libipsec/config.h.



Home | Main Index | Thread Index | Old Index