From: Norikatsu Shigemura <nork@FreeBSD.org>
To: Larry Baird
Cc: freebsd-net@FreeBSD.org
Date: Sun, 24 Sep 2006 23:53:53 +0900
Subject: Re: FAST_IPSEC NAT-T support
Message-Id: <20060924235353.3adaa23d.nork@FreeBSD.org>
In-Reply-To: <20060914093034.A83805@gta.com>
List-Id: Networking and TCP/IP with FreeBSD

On Thu, 14 Sep 2006 09:30:34 -0400 Larry Baird wrote:
> Please find attached two patches for adding FAST_IPSEC NAT-T support to
> FreeBSD 6.x. The patch "freebsd6-fastipsec-natt.diff" is dependent
> upon Yvan's IPSEC NAT-T patch "freebsd6-natt.diff" which can be found at
> http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/. The second
> patch "freebsd6-ipsec-fastipsec-natt.diff" is a cumulative patch
> combining both patches together.

Thanks for your great work!
I'm testing IPsec NAT-T BETWEEN 6.2-PRERELEASE with
freebsd6-ipsec-fastipsec-natt.diff + nokey.diff AND Windows XP in the
following environment:

                        The Internet
-------------+----------------------------------+---------------
             | ipfw but throw                   | no firewall
             | no ipfw                          |
         WAN | 219.127.74.120               WAN | A.A.A.A
+------------+-------------+     +--------------+--------------+
| FreeBSD 4-stable NAT BOX |     |FreeBSD 6-stable IPSec Router|
+------------+-------------+     +-----------------------------+
         LAN | 192.168.36.1
             |
             | 192.168.36.6
+------------+-------------+
| Windows XP Professional  |
+--------------------------+

kernel configuration:
	options FAST_IPSEC
	options IPSEC_NAT_T

And I already did: make buildworld buildkernel && make installworld
installkernel && shutdown -r now

# uname -a
FreeBSD AAAA 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #54: Sun Sep 24 22:41:00 JST 2006     root@AAAA:/usr/obj/usr/src/sys/AAAA  i386
# pkg_info | grep ipsec
ipsec-tools-0.6.6   KAME racoon IKE daemon, ipsec-tools version (some customized version:-)
# cat /var/db/ports/ipsec-tools/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for ipsec-tools-0.6.6
_OPTIONS_READ=ipsec-tools-0.6.6
WITHOUT_DEBUG=true
WITH_IPV6=true
WITH_ADMINPORT=true
WITH_STATS=true
WITH_DPD=true
WITH_NATT=true
WITH_FRAG=true
WITHOUT_HYBRID=true
WITHOUT_PAM=true
WITHOUT_GSSAPI=true
WITHOUT_RADIUS=true
WITHOUT_SAUNSPEC=true
WITHOUT_RC5=true
WITHOUT_IDEA=true

I couldn't dial up the VPN from Windows XP for some reason, and I don't
know what happened :-(. Please give me a hint!

1. Windows XP didn't provide any identifier. racoon will handle only
   REMOTE-IP. But Windows machines cannot dial up VPN anywhere :-(. So I
   made a quite ad-hoc patch. Do you have any idea?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--- src/racoon/oakley.c.orig	Tue Oct 4 18:54:27 2005
+++ src/racoon/oakley.c	Sun Sep 24 18:45:33 2006
@@ -2383,8 +2383,11 @@ */ iph1->authstr = getpskbyaddr(iph1->remote); if (iph1->authstr == NULL) { + iph1->authstr = privsep_getpsk("(*dialup*)", 10); + } + if (iph1->authstr == NULL) { plog(LLV_ERROR, LOCATION, iph1->remote, - "couldn't find the pskey for %s.\n", + "couldn't find the pskey for %s or '(*dialup*)'.\n", saddrwop2str(iph1->remote)); goto end; } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 2. main mode with pre-shared key doesn't handle FQDN. I don't know why Windows XP provides IPSECDOI_ID_FQDN. But ipsecdoi_checkid1 in ipsec_doi.c doesn't complete:-(. So I make a ad-hoc patch:-(. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - --- src/racoon/ipsec_doi.c.orig Thu Feb 2 23:37:17 2006 +++ src/racoon/ipsec_doi.c Sun Sep 24 23:28:42 2006 
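Review bot: in the oakley.c hunk, the new fallback `iph1->authstr = privsep_getpsk("(*dialup*)", 10);` fires for every peer whose address is missing from psk.txt, not only for road-warrior peers, so a mistyped psk.txt entry for a static peer silently downgrades that peer to the shared dial-up key; gate the fallback on the peer having matched an address-less (`anonymous`) remote block, or on an explicit config option, rather than on lookup failure alone. Also replace the literal `10` with strlen() of a named constant holding "(*dialup*)" so the string and its length cannot drift apart, and add a plog at LLV_INFO when the fallback key is actually used so the event is visible in racoon.log alongside the existing error path.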
@@ -3277,10 +3277,9 @@ iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) { if (id_b->type != IPSECDOI_ID_IPV4_ADDR && id_b->type != IPSECDOI_ID_IPV6_ADDR) { - plog(LLV_ERROR, LOCATION, NULL, + plog(LLV_WARNING, LOCATION, NULL, "Expecting IP address type in main mode, " "but %s.\n", s_ipsecdoi_ident(id_b->type)); - return ISAKMP_NTYPE_INVALID_ID_INFORMATION; } } - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3. I don't know why no communication between FreeBSD and Windows. Between 23:02:18 and 23:02:53, Windows XP re-sent some packets. But FreeBSD didn't response them. So Windows XP gave up. /var/log/racoon.log - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Sep 24 22:59:42 AAAA racoon: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net) Sep 24 22:59:42 AAAA racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/) Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[4500] used as isakmp port (fd=8) Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[4500] used for NAT-T Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[500] used as isakmp port (fd=9) Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[500] used for NAT-T Sep 24 23:02:18 AAAA racoon: INFO: respond new phase 1 negotiation: A.A.A.A[500]<=>219.127.74.120[500] Sep 24 23:02:18 AAAA racoon: INFO: begin Identity Protection mode. 
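Review bot: in the ipsec_doi.c hunk, dropping `return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` from ipsecdoi_checkid1 accepts every non-address ID type in main mode with pre-shared key (USER_FQDN, KEY_ID and DER_ASN1_DN as well as the FQDN Windows XP sends), and the received ID value is then never checked against anything, because with main mode and PSK the key was already selected by peer address (or, with the companion oakley.c change, by the dial-up fallback) before the ID payload could be decrypted. If the goal is FQDN support, narrow the relaxation to `id_b->type == IPSECDOI_ID_FQDN` and use the received name to confirm or select the key with racoon's existing name-keyed lookup (getpskbyname, which aggressive mode already uses), so the asserted identity still ties to a key; keeping the message at LLV_WARNING is fine as long as it still names the peer address.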
Sep 24 23:02:18 AAAA racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Sep 24 23:02:18 AAAA racoon: INFO: received Vendor ID: FRAGMENTATION
Sep 24 23:02:18 AAAA racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 24 23:02:18 AAAA racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg1): 0.001648
Sep 24 23:02:18 AAAA racoon: INFO: Hashing A.A.A.A[500] with algo #2
Sep 24 23:02:18 AAAA racoon: INFO: NAT-D payload #0 verified
Sep 24 23:02:18 AAAA racoon: INFO: Hashing 219.127.74.120[500] with algo #2
Sep 24 23:02:18 AAAA racoon: INFO: NAT-D payload #1 doesn't match
Sep 24 23:02:18 AAAA racoon: INFO: NAT detected: PEER
Sep 24 23:02:18 AAAA racoon: oakley_dh_generate(MODP1024): 0.016724
Sep 24 23:02:18 AAAA racoon: INFO: Hashing 219.127.74.120[500] with algo #2
Sep 24 23:02:18 AAAA racoon: INFO: Hashing A.A.A.A[500] with algo #2
Sep 24 23:02:18 AAAA racoon: INFO: Adding remote and local NAT-D payloads.
Sep 24 23:02:18 AAAA racoon: oakley_dh_compute(MODP1024): 0.019675
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000079
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000020
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000017
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg2): 0.044966
Sep 24 23:02:18 AAAA racoon: INFO: NAT-T: ports changed to: 219.127.74.120[4500]<->A.A.A.A[4500]
Sep 24 23:02:18 AAAA racoon: INFO: KA list add: A.A.A.A[4500]->219.127.74.120[4500]
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000114
Sep 24 23:02:18 AAAA racoon: WARNING: Expecting IP address type in main mode, but FQDN.
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=479): 0.000039
Sep 24 23:02:18 AAAA racoon: oakley_validate_auth(pre-shared key): 0.000094
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=476): 0.000025
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=40): 0.000018
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg3): 0.000617
Sep 24 23:02:18 AAAA racoon: phase1(Identity Protection): 0.187999
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000020
Sep 24 23:02:18 AAAA racoon: INFO: ISAKMP-SA established A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
Sep 24 23:02:18 AAAA racoon: INFO: respond new phase 2 negotiation: A.A.A.A[4500]<=>219.127.74.120[4500]
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=272): 0.000047
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=251): 0.000027
Sep 24 23:02:18 AAAA racoon: INFO: no policy found, try to generate the policy : 219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in
Sep 24 23:02:18 AAAA racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Sep 24 23:02:18 AAAA racoon: INFO: Adjusting peer's encmode UDP-Transport(61444)->Transport(2)
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:AES peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:CAST peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: authtype mismatched: my:hmac-sha256 peer:hmac-md5
Sep 24 23:02:18 AAAA racoon: WARNING: authtype mismatched: my:hmac-sha peer:hmac-md5
Sep 24 23:02:18 AAAA racoon: phase2(???): 0.000984
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=135): 0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=136): 0.000039
Sep 24 23:02:18 AAAA racoon: phase2(quick R msg1): 0.006437
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=24): 0.000032
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000031
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000018
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000016
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000018
Sep 24 23:02:18 AAAA racoon: phase2(???): 0.000755
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport 219.127.74.120[4500]->A.A.A.A[4500] spi=74428117(0x46faed5)
Sep 24 23:02:18 AAAA racoon: phase2(quick): 1159106538.353179
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport A.A.A.A[4500]->219.127.74.120[4500] spi=106731081(0x65c9649)
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in"
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "A.A.A.A/32[1701] 219.127.74.120/32[4500] proto=udp dir=out"
(sleep about 45sec)
Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000041
Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000029
Sep 24 23:02:53 AAAA racoon: INFO: generated policy, deleting it.
Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA proto_id=ESP spi=106731081.
Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000034
Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000023
Sep 24 23:02:53 AAAA racoon: INFO: purging ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA spi=74428117.
Sep 24 23:02:53 AAAA racoon: INFO: purged ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
Sep 24 23:02:54 AAAA racoon: INFO: ISAKMP-SA deleted A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
Sep 24 23:02:54 AAAA racoon: INFO: KA remove: A.A.A.A[4500]->219.127.74.120[4500]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

my racoon.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen {
	isakmp A.A.A.A[500];
	isakmp_natt A.A.A.A[4500];
}

timer {
	natt_keepalive 10 sec;
}

remote anonymous {
	exchange_mode main;
	nat_traversal on;
	generate_policy on;
	proposal_check obey;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group modp1024;
	}
}

sainfo anonymous {
	pfs_group modp1024;
	lifetime time 28800 sec;
	encryption_algorithm aes,blowfish,cast128,3des;
	authentication_algorithm hmac_sha256,hmac_sha1,hmac_md5;
	compression_algorithm deflate;
}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
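The NAT-D exchange the log above records ("Hashing A.A.A.A[500] with algo #2", "NAT-D payload #0 verified", "NAT-D payload #1 doesn't match", "NAT detected: PEER", then "ports changed to ... [4500]") is draft-ietf-ipsec-nat-t-ike-02 / RFC 3947 NAT discovery. The following is an added example, not code from racoon, from the thread's patches, or from the message above: it builds the NAT-D payloads the way the Windows XP initiator would (hashing its own private 192.168.36.6 address) and runs the responder-side comparison that racoon performs. The responder address 203.0.113.10 stands in for A.A.A.A, and the cookie pair is taken from the ISAKMP SPI in the log; both are placeholders for illustration.

```python
"""NAT-D payload construction and NAT detection for IKEv1 NAT-T
(draft-ietf-ipsec-nat-t-ike-02 / RFC 3947). Added example; not racoon code."""
import hashlib
import ipaddress
import struct

# IKE phase-1 hash attribute values: MD5 = 1, SHA = 2 (racoon logs "algo #2").
HASH_ALGOS = {1: "md5", 2: "sha1"}


def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: int = 2) -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port): raw 4/16-byte address, big-endian port."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(HASH_ALGOS[algo], data).digest()


def build_natd_payloads(cky_i, cky_r, local, remote, algo=2):
    """Sender order from the draft: the peer's (destination) address first, then our own."""
    return [natd_hash(cky_i, cky_r, *remote, algo),
            natd_hash(cky_i, cky_r, *local, algo)]


def detect_nat(cky_i, cky_r, payloads, local, observed_peer, algo=2):
    """Responder-side check mirroring racoon's messages.

    payload #0 is compared with our own address: a match means we are not behind NAT
    ("NAT-D payload #0 verified"). The remaining payloads are compared with the source
    address we actually saw on the wire; if none matches, the peer hashed an address
    that was rewritten in transit ("NAT-D payload #1 doesn't match" -> "NAT detected: PEER").
    Returns the subset of {"ME", "PEER"} that sits behind a NAT."""
    if len(payloads) < 2:
        raise ValueError("NAT-D requires at least two payloads")
    behind_nat = set()
    if payloads[0] != natd_hash(cky_i, cky_r, *local, algo):
        behind_nat.add("ME")
    if not any(p == natd_hash(cky_i, cky_r, *observed_peer, algo) for p in payloads[1:]):
        behind_nat.add("PEER")
    return behind_nat


def negotiate_ports(nat_detected: bool, isakmp=500, natt=4500):
    """Once either side is behind a NAT, both float IKE to UDP 4500 and UDP-encapsulate ESP."""
    return (natt, natt) if nat_detected else (isakmp, isakmp)


def scenario():
    """Replays the topology of the thread: XP behind the 4-stable NAT box, racoon on the router."""
    cky_i = bytes.fromhex("fbb6e583624f6f16")   # initiator cookie (from the log's ISAKMP SPI)
    cky_r = bytes.fromhex("dff5c9f16fb555d6")   # responder cookie (same source)
    responder = ("203.0.113.10", 500)           # placeholder for A.A.A.A (assumption)
    xp_private = ("192.168.36.6", 500)          # the address Windows XP hashes: its own
    nat_public = ("219.127.74.120", 500)        # the source address racoon sees after NAT
    sent = build_natd_payloads(cky_i, cky_r, local=xp_private, remote=responder)
    found = detect_nat(cky_i, cky_r, sent, local=responder, observed_peer=nat_public)
    return found, negotiate_ports(bool(found))


if __name__ == "__main__":
    print(scenario())
```

The `*local` / `*remote` tuples are (ip, port) pairs; the port is part of the hash, which is why a NAT that only rewrites the source port also trips detection.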
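For anyone working through a racoon log like the one above, the facts worth pulling out are the NAT verdict, the ISAKMP and IPsec SPIs, the policy racoon generated and the errors that followed, and how long the ISAKMP-SA lived before the peer tore it down. The following triage script is an added example, not part of the message above or of ipsec-tools: the `SAMPLE_LOG` lines are constructed from the log quoted in this mail (the `A.A.A.A` placeholder is kept as a literal), and the field names in the returned dictionary are this example's own.

```python
"""Triage of a racoon NAT-T negotiation log. Added example, not ipsec-tools code."""
import re
from datetime import datetime

# Constructed from the log quoted in the thread; A.A.A.A is the author's placeholder.
SAMPLE_LOG = """\
Sep 24 23:02:18 AAAA racoon: INFO: respond new phase 1 negotiation: A.A.A.A[500]<=>219.127.74.120[500]
Sep 24 23:02:18 AAAA racoon: INFO: NAT-D payload #1 doesn't match
Sep 24 23:02:18 AAAA racoon: INFO: NAT detected: PEER
Sep 24 23:02:18 AAAA racoon: INFO: NAT-T: ports changed to: 219.127.74.120[4500]<->A.A.A.A[4500]
Sep 24 23:02:18 AAAA racoon: WARNING: Expecting IP address type in main mode, but FQDN.
Sep 24 23:02:18 AAAA racoon: INFO: ISAKMP-SA established A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
Sep 24 23:02:18 AAAA racoon: INFO: no policy found, try to generate the policy : 219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport 219.127.74.120[4500]->A.A.A.A[4500] spi=74428117(0x46faed5)
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport A.A.A.A[4500]->219.127.74.120[4500] spi=106731081(0x65c9649)
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in"
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: "A.A.A.A/32[1701] 219.127.74.120/32[4500] proto=udp dir=out"
Sep 24 23:02:53 AAAA racoon: INFO: generated policy, deleting it.
Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
Sep 24 23:02:53 AAAA racoon: INFO: purged ISAKMP-SA spi=fbb6e583624f6f16:dff5c9f16fb555d6.
Sep 24 23:02:54 AAAA racoon: INFO: ISAKMP-SA deleted A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
"""

# syslog prefix, host, "racoon:", optional level, message ("last message repeated" lines are skipped)
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) racoon: (?:(?P<level>[A-Z]+): )?(?P<msg>.*)$")
# racoon's SPD policy string: "src/32[sport] dst/32[dport] proto=udp dir=in"
POLICY_RE = re.compile(r"(\S+)/32\[(\d+)\] (\S+)/32\[(\d+)\] proto=(\w+) dir=(\w+)")


def parse(text, year=2006):
    """Syslog lines lack a year; the caller supplies it (assumption: all lines share one year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["level"], m["msg"]))
    return events


def triage(events):
    r = {"nat": None, "isakmp_spi": None, "ipsec_spis": [], "generated_policies": [],
         "policy_missing_errors": 0, "spddelete_failures": 0,
         "non_ip_id_in_main_mode": False, "isakmp_lifetime_s": None}
    established = purged = None
    for ts, level, msg in events:
        if (m := re.search(r"NAT detected: (\w+)", msg)):
            r["nat"] = m[1]
        elif "Expecting IP address type in main mode" in msg:
            r["non_ip_id_in_main_mode"] = True          # the check patch 2 relaxes
        elif (m := re.search(r"ISAKMP-SA established .* spi:(\S+)", msg)):
            r["isakmp_spi"], established = m[1], ts
        elif (m := re.search(r"IPsec-SA established: \S+ (\S+) spi=(\d+)", msg)):
            r["ipsec_spis"].append(int(m[2]))
        elif "try to generate the policy" in msg and (m := POLICY_RE.search(msg)):
            src, sport, dst, dport, proto, d = m.groups()
            r["generated_policies"].append({"src": src, "dst": dst, "proto": proto,
                                            "dir": d, "ports": (int(sport), int(dport))})
        elif "such policy does not already exist" in msg:
            r["policy_missing_errors"] += 1
        elif "X_SPDDELETE failed" in msg:
            r["spddelete_failures"] += 1
        elif re.search(r"purged ISAKMP-SA spi=\S+\.", msg):
            purged = ts
    if established and purged:
        r["isakmp_lifetime_s"] = int((purged - established).total_seconds())
    # A generated UDP policy whose peer endpoint is the IKE NAT-T port 4500 rather than an
    # application port is worth a second look; this only reports it, it does not diagnose it.
    r["natt_port_in_policy"] = any(4500 in p["ports"] and p["proto"] == "udp"
                                   for p in r["generated_policies"])
    return r


if __name__ == "__main__":
    for k, v in triage(parse(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

Feed it a real /var/log/racoon.log with the correct year and the same fields come out; the "generated policy" block is where the thread's failure shows up (two "such policy does not already exist" errors and a failed X_SPDDELETE).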