Date:      Mon, 20 Sep 2010 21:03:00 +0530
From:      ashish@FreeBSD.org (Ashish SHUKLA)
To:        freebsd-net@FreeBSD.org
Subject:   IPsec + L2TP using racoon + mpd5
Message-ID:  <86ocbs5t1v.fsf@chateau.d.if>


Hi everyone,

A few weeks ago, I posted about being unable to use IPsec behind
NAT[1]. Thanks to the code in ipsec-tools CVS HEAD, the IPSEC_NAT_T kernel option
and mpd5, I was able to use it both on the router and behind NAT without any
issues.

A few days ago, I lost the "behind NAT" configuration of this combo, and forgot
to take backups :(. So, at present I can only use this combo without any
issues on the router, but when inside NAT, it fails. This is the same box which
is sometimes used as a router and sometimes gets NATed.

When behind NAT, I can see that the IPsec tunnel gets created, and I can see IPsec
ESP traffic flowing in/out over UDP port 4500. But the L2TP tunnel never gets
realized, whereas on the router, with this same mpd5 configuration, the L2TP
tunnel gets created just fine.

The server is running racoon + OpenL2TP on GNU/Linux using the NETKEY
implementation. The other clients in the network, including a GNU/Linux box and
a Windows box, are able to connect to this L2TP/IPsec tunnel just fine from behind
NAT.

I'm wondering if anyone knows what I might be missing in the configurations
posted below:

1. racoon configuration.

#v+
# racoon-nat.conf

# Directory searched for the certificate/key files named below.
path certificate "/home/abbe/ipsec/ca";

log info;

listen {
	# Control socket for racoonctl; group "operator" may use it.
	adminsock "/var/db/racoon/racoon.sock" "root" "operator" 0660;
}

# Peer address redacted by the poster.
remote XXX.XXX.XXX.XXX {
	exchange_mode main;
	# Identify ourselves by the certificate's subject DN.
	my_identifier asn1dn;
	certificate_type x509 "user.pem" "user.key";
	proposal_check obey;
	# Check the peer's ID and certificate, not just its address.
	verify_identifier on;
	verify_cert on;
	# Hooks run when the phase 1 SA comes up / goes down (see script 2 below).
	script "/home/user/ipsec/tunnel-up.sh" phase1_up;
	script "/home/user/ipsec/tunnel-down.sh" phase1_down;
	# Negotiate NAT-T: ESP is UDP-encapsulated on port 4500 once a NAT is detected.
	nat_traversal on;
	proposal {
		# 3des/sha1/modp1024 were common in 2010; aes with a larger DH
		# group is the usual choice today if the server offers it.
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method rsasig;
		dh_group modp1024;
	}
}

# Phase 2 parameters, accepted for any peer/selector.
sainfo anonymous {
	lifetime time 28800 sec;
	encryption_algorithm 3des;
	authentication_algorithm hmac_sha1;
	compression_algorithm deflate;
}
#v-

2. racoon tunnel-up script

#v+
#!/bin/sh
# tunnel-up.sh -- run by racoon as the phase1_up hook. racoon exports
# LOCAL_ADDR and REMOTE_ADDR (and LOCAL_PORT/REMOTE_PORT) to the script.
# Lines starting with '#' inside the here-document are setkey comments.

/sbin/setkey -c <<EOF

# Start from an empty SAD and SPD.
flush;
spdflush;

# Make sure L2TP traffic goes over IPsec ([0] matches any port).
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[1701] any
   -P out ipsec esp/transport//require ;

spdadd ${REMOTE_ADDR}[1701] ${LOCAL_ADDR}[0] any
   -P in ipsec esp/transport//require ;

# Required for NAT (NAT-T moves IKE and UDP-encapsulated ESP to port 4500)
spdadd ${LOCAL_ADDR}[0] ${REMOTE_ADDR}[4500] any
   -P out ipsec esp/transport//require ;

spdadd ${REMOTE_ADDR}[4500] ${LOCAL_ADDR}[0] any
   -P in ipsec esp/transport//require ;

# Required for non-NAT (plain IKE on port 500)
spdadd ${LOCAL_ADDR}[500] ${REMOTE_ADDR}[500] any
   -P out ipsec esp/transport//require ;

spdadd ${REMOTE_ADDR}[500] ${LOCAL_ADDR}[500] any
   -P in ipsec esp/transport//require ;

EOF

exit 0
#v-

3. mpd5 script

#v+
default:
        load l2tp

l2tp:
        # One static bundle fed by one static L2TP link.
        create bundle static l2tp
        create link static L2 l2tp
        set link action bundle l2tp
        # LCP echo every 10 s; declare the link dead after 60 s without a reply.
        set link keep-alive 10 60
        # Reduced MTU to allow for the L2TP/UDP/ESP overhead.
        set link mtu 1460
        # L2TP/IPsec server (address redacted by the poster); the IPsec
        # transport SA must already be in place for this link to come up.
        set l2tp peer XXX.XXX.XXX.XXX
        set auth authname user
        set link max-redial 0
        open
#v-

References:
[1]  http://www.mail-archive.com/freebsd-net@freebsd.org/msg34087.html

Thanks in advance.
-- 
Ashish SHUKLA      | GPG: F682 CDCC 39DC 0FEA E116  20B6 C746 CFA9 E74F A4B0
freebsd.org!ashish | http://people.freebsd.org/~ashish/

Avoid Success At All Costs !!
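As an added example (it is not the poster's script, nor code from the racoon or mpd5 projects), here is one hook script that could serve as both the `phase1_up` and `phase1_down` hook in the racoon configuration above. It relies on racoon exporting LOCAL_ADDR, LOCAL_PORT, REMOTE_ADDR and REMOTE_PORT to hook scripts, as racoon.conf(5) documents, and assumes that racoon passes the hook name as the script's first argument; the log path, the use of REMOTE_PORT 4500 as the NAT-T indicator, and the 192.0.2.10/198.51.100.1 addresses used in testing are the editor's assumptions. It pins the L2TP policies to udp, deletes exactly those policies on the way down instead of flushing everything, and records the live SAD/SPD to a log, so a run on the router and a run behind NAT can be diffed, which is the first thing to compare when one works and the other does not.

```shell
#!/bin/sh
# Added example hook for racoon (not the original poster's tunnel-up.sh).
# racoon exports LOCAL_ADDR, LOCAL_PORT, REMOTE_ADDR and REMOTE_PORT to
# phase1_up/phase1_down scripts (racoon.conf(5)); it is assumed here that
# the hook name ("phase1_up" or "phase1_down") arrives as $1.  Run with no
# arguments the script only defines its functions, so the policy text can
# be inspected or tested without touching setkey.

# nat_t_active PORT: "yes" when the peer's IKE port has floated to 4500,
# which happens once NAT-T has been negotiated (assumption: nothing in
# this network runs plain IKE on 4500).
nat_t_active() {
    case "$1" in
        4500) echo yes ;;
        *)    echo no ;;
    esac
}

# gen_spd LOCAL REMOTE: setkey(8) commands requiring transport-mode ESP for
# L2TP (UDP 1701) in both directions.  The protocol is pinned to udp, and
# the local port is left open ([any], like [0] in the posted script) in case
# mpd5 does not source from 1701.  The SPD is written in terms of the inner
# addresses and ports whether or not NAT-T is in use: UDP encapsulation is
# a property of the SA that racoon installs, not of the policy.
gen_spd() {
    printf 'spdadd %s[any] %s[1701] udp -P out ipsec esp/transport//require;\n' "$1" "$2"
    printf 'spdadd %s[1701] %s[any] udp -P in ipsec esp/transport//require;\n' "$2" "$1"
}

# gen_spd_delete LOCAL REMOTE: the matching spddelete lines for phase1_down,
# so taking the tunnel down removes just these two entries rather than
# wiping the whole SPD with spdflush.
gen_spd_delete() {
    printf 'spddelete %s[any] %s[1701] udp -P out;\n' "$1" "$2"
    printf 'spddelete %s[1701] %s[any] udp -P in;\n' "$2" "$1"
}

# log_state HOOK: append what racoon handed us plus the live SAD and SPD to
# the log (path is an assumption), so a run on the router and a run behind
# NAT can be diffed afterwards.
LOG=${TUNNEL_LOG:-/var/log/l2tp-ipsec-hook.log}
log_state() {
    {
        printf '%s %s %s:%s -> %s:%s nat_t=%s\n' \
            "$(date '+%Y-%m-%dT%H:%M:%S')" "$1" \
            "$LOCAL_ADDR" "$LOCAL_PORT" "$REMOTE_ADDR" "$REMOTE_PORT" \
            "$(nat_t_active "$REMOTE_PORT")"
        /sbin/setkey -D
        /sbin/setkey -DP
    } >>"$LOG" 2>&1
}

# Dispatch on the hook name; with no argument nothing is applied.
case "${1:-}" in
    phase1_up)
        gen_spd "$LOCAL_ADDR" "$REMOTE_ADDR" | /sbin/setkey -c
        log_state phase1_up
        ;;
    phase1_down)
        gen_spd_delete "$LOCAL_ADDR" "$REMOTE_ADDR" | /sbin/setkey -c
        log_state phase1_down
        ;;
esac
```

To use it, point both `script ... phase1_up;` and `script ... phase1_down;` in racoon.conf at this one file; to see what it would feed to setkey for a given pair of hosts, source it and call `gen_spd 192.0.2.10 198.51.100.1` from an interactive shell.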




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86ocbs5t1v.fsf>