From owner-freebsd-questions@FreeBSD.ORG Tue Aug 19 12:30:29 2008
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A4D551065683 for ; Tue, 19 Aug 2008 12:30:29 +0000 (UTC) (envelope-from rvm@CBORD.com)
Received: from smssmtp.cbord.com (mx1.cbord.com [24.39.174.11]) by mx1.freebsd.org (Postfix) with ESMTP id 6370C8FC13 for ; Tue, 19 Aug 2008 12:30:28 +0000 (UTC) (envelope-from rvm@CBORD.com)
X-AuditID: ac1f0165-00000ef0000004fc-05-48aabcad22bb
Received: from Email.cbord.com ([10.1.1.100]) by smssmtp.cbord.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 19 Aug 2008 08:29:33 -0400
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 19 Aug 2008 08:29:08 -0400
Message-ID:
In-Reply-To: <48AAB224.9000208@davidmurray.name>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: IPsec with NAT-T in transport mode dropping all packets?
Thread-Index: AckB8OHJIAsyVAklRKmHm3ck4mJm4gABREkg
References: <489AE41C.1070504@davidmurray.name> <48AAB224.9000208@davidmurray.name>
From: "Bob McConnell"
To: "David Murray" ,
X-Brightmail-Tracker: AAAAAA==
Cc:
Subject: RE: IPsec with NAT-T in transport mode dropping all packets?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 19 Aug 2008 12:30:29 -0000

-----Original Message-----
From: owner-freebsd-questions@freebsd.org [mailto:owner-freebsd-questions@freebsd.org] On Behalf Of David Murray
Sent: Tuesday, August 19, 2008 7:45 AM
To: freebsd-questions@freebsd.org
Subject: Re: IPsec with NAT-T in transport mode dropping all packets?
Hello again all,

On Thu 7/8/08 1:01 pm, David Murray wrote:
> I'm having a bit of trouble getting IPsec working in transport mode
> with NAT-T.
>
> Briefly, the background is that I'm trying to configure a FreeBSD box
> to provide remote Windows clients with VPN access to the network it
> sits on. To that end, I've been trying to construct a solution with
> the following:
>
> 1) FreeBSD (RELENG_7_0), kernel built with options IPSEC and
> IPSEC_NAT_T, and patched with
> 2) the NAT-T patch at
> http://vanhu.free.fr/FreeBSD/patch-natt-freebsd7-2008-03-11.diff,
> 3) ipsec-tools (0.7.0) for racoon for key exchange, and
> 4) mpd (5.1) for L2TP.
>
> I have two security policy entries in ipsec.conf, intended to encrypt
> L2TP traffic:
>
> spdadd 82.16.99.99[1701] 0.0.0.0/0 udp -P out ipsec
> esp/transport//require;
> spdadd 0.0.0.0/0 82.16.99.99[1701] udp -P in ipsec
> esp/transport//require;
>
> The tricky key negotiation all seems to be working; when I initiate a
> connection from a Windows client, racoon negotiates security
> associations (I'm using certificates):
>
> racoon: INFO: IPsec-SA established: ESP/Transport
> 195.248.102.183[4500]->82.16.99.99[4500] spi=73448711(0x460bd07)
> racoon: INFO: IPsec-SA established: ESP/Transport
> 82.16.99.99[4500]->195.248.102.183[4500] spi=2159874738(0x80bd12b2)
>
> However, mpd's log doesn't show any evidence of a single packet
> arriving (and the client eventually gives up).

No takers, so I guess this is either a stupid question or a tricky question! Perhaps I should have asked over on freebsd-net@, but I presumed to ask here first, since I've got no reason to suspect anything other than operator error at the moment.

Perhaps I could try a simpler question: has anyone got an L2TP/IPSec roadwarrior-style VPN working where the clients (initiators) are behind NAT?

Since my first post, I've tried initiating a connection from a client directly connected to the network I'm trying to VPN in to (so pointless, but a way of testing without NAT) and that works just fine, so I can provide differences between the logs of a failed and working connection.

Thanks for any hints!

-----End Original Message-----

It has been a long time since I looked at IPSEC, but my understanding was that it was designed so that it could not work through either NAT or proxy firewalls. Both schemes change header fields that are considered immutable by IPSEC. So it breaks a checksum.

Wouldn't it be better to set up SSH tunnels or a secure VPN?

Bob McConnell
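The racoon lines quoted in the thread show both SAs keyed on UDP port 4500 on each side, which is the NAT-T UDP encapsulation of RFC 3948: ESP is carried inside UDP so that a NAT on the client's side can rewrite the outer addresses and ports without touching the ESP header. When the SAs come up but mpd never sees anything on UDP 1701, the first thing to establish is whether ESP is actually arriving on 4500 under the SPIs racoon logged, or whether the gap is after decapsulation (the SPD entries, the patched kernel). The Python script below is an added example and is not part of the thread or of the tools it mentions; it classifies UDP/4500 payloads by the RFC 3948 rules (a single 0xFF byte is a NAT keepalive, four zero bytes are the Non-ESP marker in front of IKE, anything else is ESP whose first four bytes are the SPI, which is why SPI 0 is reserved) and tallies them against the SPIs from the log. The datagram tuples are constructed sample traffic, and the function names are my own.

```python
import struct
from collections import Counter

NAT_T_PORT = 4500

# SPIs exactly as racoon logged them in the quoted message.
KNOWN_SPIS = {
    0x0460bd07: "195.248.102.183[4500] -> 82.16.99.99[4500]",
    0x80bd12b2: "82.16.99.99[4500] -> 195.248.102.183[4500]",
}


def classify_udp4500_payload(payload: bytes) -> dict:
    """Classify one UDP/4500 payload per RFC 3948 section 2."""
    if len(payload) == 1 and payload[0] == 0xFF:
        return {"kind": "keepalive"}
    if len(payload) >= 4 and payload[:4] == b"\x00\x00\x00\x00":
        # Non-ESP marker: an IKE message rides on 4500 after four zero bytes.
        return {"kind": "ike", "ike_len": len(payload) - 4}
    if len(payload) >= 8:
        # ESP header: SPI (4 bytes) then sequence number (4 bytes); SPI 0 is
        # reserved, so a non-zero leading word is what tells ESP from IKE.
        spi, seq = struct.unpack("!II", payload[:8])
        return {"kind": "esp", "spi": spi, "seq": seq,
                "payload_len": len(payload) - 8}
    return {"kind": "malformed"}


def summarize(datagrams) -> dict:
    """Tally NAT-T traffic. datagrams: (src, sport, dst, dport, payload).

    Returns per-kind counts, ESP packets per SPI, and SPIs that racoon
    never reported (stale SA, a second peer, or a misparsed capture).
    """
    counts, esp_per_spi, unknown = Counter(), Counter(), set()
    for src, sport, dst, dport, payload in datagrams:
        if NAT_T_PORT not in (sport, dport):
            counts["other"] += 1
            continue
        info = classify_udp4500_payload(payload)
        counts[info["kind"]] += 1
        if info["kind"] == "esp":
            esp_per_spi[info["spi"]] += 1
            if info["spi"] not in KNOWN_SPIS:
                unknown.add(info["spi"])
    return {"counts": counts, "esp_per_spi": esp_per_spi,
            "unknown_spis": unknown}


def esp_packet(spi: int, seq: int, body: bytes) -> bytes:
    """Build a minimal ESP-looking payload (header + opaque body)."""
    return struct.pack("!II", spi, seq) + body


# Constructed sample traffic, not a capture from the thread.
CLIENT, SERVER = "195.248.102.183", "82.16.99.99"
SAMPLE = [
    (CLIENT, 4500, SERVER, 4500, b"\x00\x00\x00\x00" + b"\x11" * 40),  # IKE on 4500
    (CLIENT, 4500, SERVER, 4500, esp_packet(0x0460bd07, 1, b"\xaa" * 64)),
    (CLIENT, 4500, SERVER, 4500, esp_packet(0x0460bd07, 2, b"\xbb" * 64)),
    (SERVER, 4500, CLIENT, 4500, esp_packet(0x80bd12b2, 1, b"\xcc" * 64)),
    (CLIENT, 4500, SERVER, 4500, b"\xff"),                               # keepalive
    (CLIENT, 4500, SERVER, 4500, esp_packet(0x12345678, 1, b"\xdd" * 64)),  # never negotiated
    (CLIENT, 1701, SERVER, 1701, b"\xc8\x02" + b"\x00" * 10),            # cleartext L2TP
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    print("per kind:", dict(report["counts"]))
    for spi, n in report["esp_per_spi"].items():
        label = KNOWN_SPIS.get(spi, "NOT in racoon log")
        print(f"SPI 0x{spi:08x}: {n} ESP packet(s)  {label}")
    print("unknown SPIs:", [hex(s) for s in report["unknown_spis"]])
```

Reading the tally: ESP counted under the inbound SPI from the log means the client is sending encapsulated traffic and the NAT in front of it is passing it; if those packets are present but mpd still sees nothing on 1701, key exchange is not the problem and attention moves to the decapsulation path and the `spdadd` policies. A cleartext datagram on 1701, as in the last sample entry, is the opposite symptom: L2TP leaving a side without the policy being applied.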