From owner-freebsd-stable@FreeBSD.ORG Tue Apr 24 20:10:10 2012
Message-ID: <4F970899.2040105@incore.de>
Date: Tue, 24 Apr 2012 22:10:01 +0200
From: Andreas Longwitz
To: freebsd-stable@freebsd.org
Subject: Re: Support for IPSec NAT-T in transport mode
List-Id: Production branch of FreeBSD source code

I run FreeBSD 8.2, ipsec-tools-0.8.0_2 and mpd-5.5. To get NATed VPN clients working through L2TP/IPSec I use the patches given in kern/146190 for the files esp_var.h, ipsec.c, ipsec_input.c (only the "Ignore checksum" part) and xform_esp.c. In addition, the following patch:

--- key.c.1st 2011-09-29 10:39:44.000000000 +0200 +++ key.c 2012-04-24 21:40:55.000000000 +0200 @@ -1312,11 +1312,14 @@ continue; if (key_cmpspidx_exactly(spidx, &sp->spidx)) { SP_ADDREF(sp); - break; + SPTREE_UNLOCK(); + goto found; } } SPTREE_UNLOCK(); + return NULL; + found: return sp; } @@ -2967,11 +2970,15 @@ LIST_FOREACH(sah, &V_sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) continue; - if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID)) - break; + if (key_cmpsaidx(&sah->saidx, saidx, CMP_REQID)) { + SAHTREE_UNLOCK(); + goto found; + } } SAHTREE_UNLOCK(); + return NULL; + found: return sah; }
@@ -4064,10 +4071,12 @@ /* * If NAT-T is enabled, check ports for tunnel mode. * Do not check ports if they are set to zero in the SPD. - * Also do not do it for transport mode, as there is no + * Also do not do it for native transport mode, as there is no * port information available in the SP. */ - if (saidx1->mode == IPSEC_MODE_TUNNEL && + if ((saidx1->mode == IPSEC_MODE_TUNNEL || + (saidx1->mode == IPSEC_MODE_TRANSPORT && + saidx1->proto == IPPROTO_ESP)) && saidx1->src.sa.sa_family == AF_INET && saidx1->dst.sa.sa_family == AF_INET &&

Then a NATed FreeBSD or Android client works fine with L2TP/IPSec (PSK or certificate), as does every iPhone with L2TP/IPSec (PSK). I don't know if we can handle the server side of Cisco IPSEC used by Apple for certificates on the iPhone. Hints are very welcome.

There is one limitation I would like to get over. From man 8 setkey:

    Systems that do not perform the port check cannot support multiple endpoints behind the same NAT.

I think this is a FreeBSD kernel restriction: for the first incoming L2TP packet the IPSEC part of the kernel does not save the source port in the corresponding SA (maybe a field like natt_l2tp_port). So for outgoing L2TP packets the kernel does not know the correct SA if two or more SAs with the same IP exist. I would like to know if the patch mentioned in this thread addresses this problem.

-- 
Dr. Andreas Longwitz
Data Service GmbH
Beethovenstr. 2A
23617 Stockelsdorf
Amtsgericht Lübeck, HRB 318 BS
Geschäftsführer: Wilfried Paepcke, Dr. Andreas Longwitz, Josef Flatau
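Review bot: the `goto found` / `return NULL` restructuring of the key_cmpspidx_exactly() loop in the first hunk (@@ -1312) does not change what the function returns, so either the cover text should say what it fixes or the hunk should be dropped. Before the change a match did `SP_ADDREF(sp); break;` and fell through to the same `SPTREE_UNLOCK(); return sp;` that the patch keeps, and when the walk runs off the end of the list the loop variable is already NULL, assuming this loop is the same LIST_FOREACH pattern as the sah walk in the second hunk, so the added `return NULL;` after the loop returns exactly what `return sp;` returned. Nothing executes between the match and the unlock in either version, so the lock is not released any earlier, and the label placed after a `return` only makes the control flow harder to follow.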
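Review bot: the second hunk (@@ -2967) is a functional no-op and should be dropped unless it is needed for something the cover text does not mention. `LIST_FOREACH(sah, &V_sahtree, chain)` leaves `sah` NULL when the list is exhausted, so the original `break;` followed by the existing `SAHTREE_UNLOCK(); return sah;` already returned NULL on no match and the matching entry otherwise; the patch only adds a second SAHTREE_UNLOCK() call site and a `found:` label after a `return NULL;`. If a second unlock path is kept anyway, the two sites should at least be commented, because a later change that adds work between the loop and the unlock will now have to do it twice.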
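Review bot: in the third hunk (@@ -4064) the new condition enables port checking for every transport-mode ESP secasindex, but the comment it edits still says transport-mode SPs carry no port information, and the replacement wording "native transport mode" is not defined anywhere and does not explain why `saidx1->proto == IPPROTO_ESP` is the discriminator (it excludes AH transport, but ESP transport that never crossed a NAT is also matched by that test, so proto alone cannot be what distinguishes "native" from NAT-T). Please rewrite the comment to state that the ports compared are the NAT-T UDP encapsulation ports and that non-NAT-T transport SAs are skipped because their ports are zero, and confirm that the zero-port conditions the comment refers to still follow the hunk, since its context ends at the `saidx1->dst.sa.sa_family == AF_INET &&` line and the rest of the condition is not visible here.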
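The setkey(8) limitation quoted above, that a system which does not compare ports cannot tell two clients behind one NAT apart, is easy to see in a small model of the SA lookup. The following C program is an added example for this archive page; it is not code from the message, from FreeBSD's key.c or from ipsec-tools. The struct and function names (sa_key, sad_lookup, want_port_check, outbound_sa_for_client_b), the two-client scenario and the addresses and ports are all invented for the example, and the comparison only imitates the shape of key_cmpsaidx()/key_sockaddrcmp() with a chkport flag, not their full logic. It generalises the message's single case by letting you flip port checking on and off and watching which SA an outbound lookup picks.

```c
/* Added example (not FreeBSD kernel code): a minimal model of why an SA
 * lookup that ignores NAT-T UDP ports cannot tell two clients behind the
 * same NAT apart. All names below are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MODE_TRANSPORT 1
#define MODE_TUNNEL    2
#define PROTO_ESP      50
#define PROTO_AH       51

/* Stand-in for a NAT-T aware secasindex: IPv4 address pair plus the
 * UDP ports the ESP-in-UDP flow used (0 when the SA is not NAT-T). */
struct sa_key {
    uint32_t src, dst;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;  /* NAT-T UDP ports, 0 if none */
    int      mode;
    int      proto;
};

struct sa_entry {
    const char   *name;     /* label used only by this example */
    struct sa_key key;
};

/* Imitates key_sockaddrcmp()'s chkport flag: 0 = equal, 1 = differ. */
static int addr_cmp(uint32_t a0, uint16_t p0, uint32_t a1, uint16_t p1,
                    int chkport)
{
    if (a0 != a1)
        return 1;
    if (chkport && p0 != p1)
        return 1;
    return 0;
}

/* Follows the shape of the patched condition in the message: ports take
 * part for tunnel mode or transport-mode ESP, and only when the
 * reference key actually carries non-zero ports. */
static int want_port_check(const struct sa_key *k)
{
    int natt_capable = (k->mode == MODE_TUNNEL) ||
                       (k->mode == MODE_TRANSPORT && k->proto == PROTO_ESP);
    return natt_capable && k->sport != 0 && k->dport != 0;
}

/* Returns 1 when the keys match. with_ports == 0 models the unpatched
 * transport-mode behaviour where ports are never compared. */
static int key_match(const struct sa_key *a, const struct sa_key *b,
                     int with_ports)
{
    int chkport = with_ports ? want_port_check(b) : 0;

    if (a->proto != b->proto || a->mode != b->mode)
        return 0;
    if (addr_cmp(a->src, a->sport, b->src, b->sport, chkport))
        return 0;
    if (addr_cmp(a->dst, a->dport, b->dst, b->dport, chkport))
        return 0;
    return 1;
}

/* Linear SAD walk, first match wins, like the LIST_FOREACH over
 * V_sahtree in the second hunk of the patch. */
static const struct sa_entry *sad_lookup(const struct sa_entry *table,
                                         size_t n,
                                         const struct sa_key *want,
                                         int with_ports)
{
    for (size_t i = 0; i < n; i++)
        if (key_match(&table[i].key, want, with_ports))
            return &table[i];
    return NULL;
}

/* Constructed scenario: two L2TP/IPsec clients behind one NAT whose
 * public address is 203.0.113.7; the server (198.51.100.1) sees both
 * as UDP/4500 flows that differ only in the NAT-assigned source port.
 * Addresses come from the documentation ranges and are invented here. */
#define NAT_IP    0xCB007107u   /* 203.0.113.7  */
#define SERVER_IP 0xC6336401u   /* 198.51.100.1 */

static const struct sa_entry sad[] = {
    { "client A", { SERVER_IP, NAT_IP, 4500, 40001, MODE_TRANSPORT, PROTO_ESP } },
    { "client B", { SERVER_IP, NAT_IP, 4500, 40002, MODE_TRANSPORT, PROTO_ESP } },
};

/* Outbound SA selection for a packet to client B; returns the name of
 * the SA the walk picked ("client A" when ports are ignored). */
const char *outbound_sa_for_client_b(int with_ports)
{
    struct sa_key want = { SERVER_IP, NAT_IP, 4500, 40002,
                           MODE_TRANSPORT, PROTO_ESP };
    const struct sa_entry *e =
        sad_lookup(sad, sizeof(sad) / sizeof(sad[0]), &want, with_ports);
    return e ? e->name : "none";
}

int main(void)
{
    printf("ports ignored : packet for client B leaves on SA of %s\n",
           outbound_sa_for_client_b(0));
    printf("ports compared: packet for client B leaves on SA of %s\n",
           outbound_sa_for_client_b(1));
    return 0;
}
```

With port checking off, the walk stops at the first SA whose address pair matches, so traffic for the second client is encrypted under the first client's SA; with the NAT-T ports included in the comparison the correct SA is found. This is the situation the message attributes to the kernel not recording the source port of the first L2TP packet in the SA.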