On Thu, 14 Sep 2006 09:30:34 -0400
Larry Baird <[EMAIL PROTECTED]> wrote:
> Please find attached two patches for adding FAST_IPSEC NAT-T support to
> FreeBSD 6.x.  The patch "freebsd6-fastipsec-natt.diff" is dependent
> upon Yvan's IPSEC NAT-T patch "freebsd6-natt.diff" which can be found at
> http://ipsec-tools.cvs.sourceforge.net/ipsec-tools/htdocs/.  The second
> patch "freebsd6-ipsec-fastipsec-natt.diff" is a cumulative patch
> combining both patches together.  

        Thanks for your great works!

        I'm testing IPsec NAT-T between a 6.2-PRERELEASE host (with
        freebsd6-ipsec-fastipsec-natt.diff + nokey.diff applied) and
        Windows XP, in the following environment:


                             The Internet
    -------------+----------------------------------+---------------
                 | ipfw but throw                   | no firewall
                 |                                  | no ipfw
                 |                                  |
            WAN  | 219.127.74.120              WAN  | A.A.A.A
    +------------+-------------+     +--------------+--------------+
    | FreeBSD 4-stable NAT BOX |     |FreeBSD 6-stable IPSec Router|
    +------------+-------------+     +-----------------------------+
            LAN  | 192.168.36.1
                 |
                 | 192.168.36.6
    +------------+-------------+
    | Windows XP  Professional |
    +--------------------------+

kernel configuration:
options         FAST_IPSEC
options         IPSEC_NAT_T

And I have already run:
  make buildworld buildkernel && make installworld installkernel && shutdown -r now

# uname -a
FreeBSD AAAA 6.2-PRERELEASE FreeBSD 6.2-PRERELEASE #54: Sun Sep 24 22:41:00 JST 
2006     [EMAIL PROTECTED]:/usr/obj/usr/src/sys/AAAA  i386

# pkg_info | grep ipsec
ipsec-tools-0.6.6   KAME racoon IKE daemon, ipsec-tools version
        (some customized version:-)

# cat /var/db/ports/ipsec-tools/options
# This file is auto-generated by 'make config'.
# No user-servicable parts inside!
# Options for ipsec-tools-0.6.6
_OPTIONS_READ=ipsec-tools-0.6.6
WITHOUT_DEBUG=true
WITH_IPV6=true
WITH_ADMINPORT=true
WITH_STATS=true
WITH_DPD=true
WITH_NATT=true
WITH_FRAG=true
WITHOUT_HYBRID=true
WITHOUT_PAM=true
WITHOUT_GSSAPI=true
WITHOUT_RADIUS=true
WITHOUT_SAUNSPEC=true
WITHOUT_RC5=true
WITHOUT_IDEA=true



        I couldn't establish the dial-up VPN from Windows XP, and I don't
        know what is going wrong :-(. Any hints would be appreciated!

        1. Windows XP does not send a usable identifier.  In main mode with
           pre-shared keys racoon can only look the PSK up by the REMOTE IP
           address, but a dial-up Windows client may connect from any
           address (here it even sits behind a NAT box) :-(.  So I made a
           rather ad-hoc patch that falls back to a wildcard "(*dialup*)"
           entry in psk.txt.  Is there a better way?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--- src/racoon/oakley.c.orig    Tue Oct  4 18:54:27 2005
+++ src/racoon/oakley.c Sun Sep 24 18:45:33 2006
@@ -2383,8 +2383,11 @@
                         */
                        iph1->authstr = getpskbyaddr(iph1->remote);
                        if (iph1->authstr == NULL) {
+                               iph1->authstr = privsep_getpsk("(*dialup*)", 
10);
+                       }
+                       if (iph1->authstr == NULL) {
                                plog(LLV_ERROR, LOCATION, iph1->remote,
-                                       "couldn't find the pskey for %s.\n",
+                                       "couldn't find the pskey for %s or 
'(*dialup*)'.\n",
                                        saddrwop2str(iph1->remote));
                                goto end;
                        }
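Review bot: The new fallback `privsep_getpsk("(*dialup*)", 10)` turns a failed per-address lookup into a group secret: every peer whose address is missing from psk.txt — not just the NAT'd dial-up clients this is meant for — now authenticates with the same `(*dialup*)` key, and nothing in the hunk records which path was taken. At minimum the fallback should be logged before the second NULL check, e.g. `plog(LLV_INFO, LOCATION, iph1->remote, "using (*dialup*) pre-shared key for %s.\n", saddrwop2str(iph1->remote));`, so a group-key authentication is distinguishable from a per-address one in racoon.log. The literal length `10` must track the string; `sizeof("(*dialup*)") - 1` avoids a silent mismatch if the wildcard name is ever changed. Consider also limiting the fallback to the `remote anonymous` block rather than every remote, and treat the (*dialup*) entry as a secret that any holder can use to bring up an SA with this gateway. The enclosing function starts and ends outside the hunk.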
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


        2. Main mode with pre-shared key doesn't accept an FQDN identifier.
           I don't know why Windows XP sends IPSECDOI_ID_FQDN, but
           ipsecdoi_checkid1() in ipsec_doi.c rejects it, so phase 1 does
           not complete :-(.  So I made another ad-hoc patch that downgrades
           the rejection to a warning :-(.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
--- src/racoon/ipsec_doi.c.orig Thu Feb  2 23:37:17 2006
+++ src/racoon/ipsec_doi.c      Sun Sep 24 23:28:42 2006
@@ -3277,10 +3277,9 @@
            iph1->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_PSKEY) {
                 if (id_b->type != IPSECDOI_ID_IPV4_ADDR
                  && id_b->type != IPSECDOI_ID_IPV6_ADDR) {
-                       plog(LLV_ERROR, LOCATION, NULL,
+                       plog(LLV_WARNING, LOCATION, NULL,
                                "Expecting IP address type in main mode, "
                                "but %s.\n", s_ipsecdoi_ident(id_b->type));
-                       return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
                }
        }

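Review bot: Dropping the `return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` leaves the peer's ID payload entirely unchecked in main-mode/PSK: a non-address ID is now logged as a warning and then ignored, so the identity the peer asserts is never compared with anything (the "Expecting IP address type in main mode, but FQDN" line in the log below shows this path being taken). In main mode the PSK was already selected by source address before this ID is decrypted, so after this patch the only thing binding the peer is possession of whatever key that address lookup (or the (*dialup*) fallback from patch 1) returned. A narrower relaxation would keep the rejection unless the ID will still be verified against the configured identifier, e.g. adding `if (!iph1->rmconf->verify_identifier) return ISAKMP_NTYPE_INVALID_ID_INFORMATION;` after the downgraded plog — assuming that field is what racoon's `verify_identifier` option sets; please confirm against your tree. The enclosing function `ipsecdoi_checkid1` begins and ends outside the hunk.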
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        3. I don't understand why there is no traffic between FreeBSD and
           Windows once the SAs are established.  Between 23:02:18 and
           23:02:53 Windows XP retransmitted some packets, but FreeBSD never
           responded, so Windows XP gave up.  (The "such policy does not
           already exist" errors logged right after the IPsec-SA lines may
           be related.)


/var/log/racoon.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sep 24 22:59:42 AAAA racoon: INFO: @(#)ipsec-tools 0.6.6 
(http://ipsec-tools.sourceforge.net)
Sep 24 22:59:42 AAAA racoon: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 
Oct 2004 (http://www.openssl.org/)
Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[4500] used as isakmp port (fd=8)
Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[4500] used for NAT-T
Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[500] used as isakmp port (fd=9)
Sep 24 22:59:42 AAAA racoon: INFO: A.A.A.A[500] used for NAT-T
Sep 24 23:02:18 AAAA racoon: INFO: respond new phase 1 negotiation: 
A.A.A.A[500]<=>219.127.74.120[500]
Sep 24 23:02:18 AAAA racoon: INFO: begin Identity Protection mode.
Sep 24 23:02:18 AAAA racoon: INFO: received broken Microsoft ID: MS NT5 
ISAKMPOAKLEY
Sep 24 23:02:18 AAAA racoon: INFO: received Vendor ID: FRAGMENTATION
Sep 24 23:02:18 AAAA racoon: INFO: received Vendor ID: 
draft-ietf-ipsec-nat-t-ike-02 
Sep 24 23:02:18 AAAA racoon: INFO: Selected NAT-T version: 
draft-ietf-ipsec-nat-t-ike-02 
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg1): 0.001648
Sep 24 23:02:18 AAAA racoon: INFO: Hashing A.A.A.A[500] with algo #2 
Sep 24 23:02:18 AAAA racoon: INFO: NAT-D payload #0 verified
Sep 24 23:02:18 AAAA racoon: INFO: Hashing 219.127.74.120[500] with algo #2 
Sep 24 23:02:18 AAAA racoon: INFO: NAT-D payload #1 doesn't match
Sep 24 23:02:18 AAAA racoon: INFO: NAT detected: PEER
Sep 24 23:02:18 AAAA racoon: oakley_dh_generate(MODP1024): 0.016724
Sep 24 23:02:18 AAAA racoon: INFO: Hashing 219.127.74.120[500] with algo #2 
Sep 24 23:02:18 AAAA racoon: INFO: Hashing A.A.A.A[500] with algo #2 
Sep 24 23:02:18 AAAA racoon: INFO: Adding remote and local NAT-D payloads.
Sep 24 23:02:18 AAAA racoon: oakley_dh_compute(MODP1024): 0.019675
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000079
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 
0.000020
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 
0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 
0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000017
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg2): 0.044966
Sep 24 23:02:18 AAAA racoon: INFO: NAT-T: ports changed to: 
219.127.74.120[4500]<->A.A.A.A[4500]
Sep 24 23:02:18 AAAA racoon: INFO: KA list add: 
A.A.A.A[4500]->219.127.74.120[4500]
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 
0.000114
Sep 24 23:02:18 AAAA racoon: WARNING: Expecting IP address type in main mode, 
but FQDN.
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=479): 
0.000039
Sep 24 23:02:18 AAAA racoon: oakley_validate_auth(pre-shared key): 0.000094
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=476): 
0.000025
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=40): 
0.000018
Sep 24 23:02:18 AAAA racoon: phase1(ident R msg3): 0.000617
Sep 24 23:02:18 AAAA racoon: phase1(Identity Protection): 0.187999
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 
0.000020
Sep 24 23:02:18 AAAA racoon: INFO: ISAKMP-SA established 
A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
Sep 24 23:02:18 AAAA racoon: INFO: respond new phase 2 negotiation: 
A.A.A.A[4500]<=>219.127.74.120[4500]
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=272): 
0.000047
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=251): 
0.000027
Sep 24 23:02:18 AAAA racoon: INFO: no policy found, try to generate the policy 
: 219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in
Sep 24 23:02:18 AAAA racoon: INFO: Adjusting my encmode UDP-Transport->Transport
Sep 24 23:02:18 AAAA racoon: INFO: Adjusting peer's encmode 
UDP-Transport(61444)->Transport(2)
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:AES peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:BLOWFISH peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: trns_id mismatched: my:CAST peer:3DES
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: WARNING: authtype mismatched: my:hmac-sha256 
peer:hmac-md5
Sep 24 23:02:18 AAAA racoon: WARNING: authtype mismatched: my:hmac-sha 
peer:hmac-md5
Sep 24 23:02:18 AAAA racoon: phase2(???): 0.000984
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=135): 
0.000019
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_encrypt(3des klen=192 size=136): 
0.000039
Sep 24 23:02:18 AAAA racoon: phase2(quick R msg1): 0.006437
Sep 24 23:02:18 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=24): 
0.000032
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000031
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000018
Sep 24 23:02:18 AAAA last message repeated 2 times
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=41): 0.000016
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000017
Sep 24 23:02:18 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=61): 0.000018
Sep 24 23:02:18 AAAA racoon: phase2(???): 0.000755
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport 
219.127.74.120[4500]->A.A.A.A[4500] spi=74428117(0x46faed5)
Sep 24 23:02:18 AAAA racoon: phase2(quick): 1159106538.353179
Sep 24 23:02:18 AAAA racoon: INFO: IPsec-SA established: ESP/Transport 
A.A.A.A[4500]->219.127.74.120[4500] spi=106731081(0x65c9649)
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: 
"219.127.74.120/32[4500] A.A.A.A/32[1701] proto=udp dir=in"
Sep 24 23:02:18 AAAA racoon: ERROR: such policy does not already exist: 
"A.A.A.A/32[1701] 219.127.74.120/32[4500] proto=udp dir=out"

        (about 35 seconds pass with no further log output)

Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 
0.000041
Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000029
Sep 24 23:02:53 AAAA racoon: INFO: generated policy, deleting it.
Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA proto_id=ESP spi=106731081.
Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
Sep 24 23:02:53 AAAA racoon: ERROR: pfkey X_SPDDELETE failed: Invalid argument
Sep 24 23:02:53 AAAA racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 
0.000034
Sep 24 23:02:53 AAAA racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000023
Sep 24 23:02:53 AAAA racoon: INFO: purging ISAKMP-SA 
spi=fbb6e583624f6f16:dff5c9f16fb555d6.
Sep 24 23:02:53 AAAA racoon: INFO: purged IPsec-SA spi=74428117.
Sep 24 23:02:53 AAAA racoon: INFO: purged ISAKMP-SA 
spi=fbb6e583624f6f16:dff5c9f16fb555d6.
Sep 24 23:02:54 AAAA racoon: INFO: ISAKMP-SA deleted 
A.A.A.A[4500]-219.127.74.120[4500] spi:fbb6e583624f6f16:dff5c9f16fb555d6
Sep 24 23:02:54 AAAA racoon: INFO: KA remove: 
A.A.A.A[4500]->219.127.74.120[4500]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

        my racoon.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
# Pre-shared keys are read from this file. Keep it owned by root and mode
# 0600: with the (*dialup*) patch above, one entry in it is effectively a
# group secret shared by every NAT-T client.
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

listen
{
        isakmp A.A.A.A[500];
        # UDP/4500 is where the NAT-T port float lands (see "NAT-T: ports
        # changed to ... [4500]" in the log); both ports must be reachable
        # from the NAT box.
        isakmp_natt A.A.A.A[4500];
}

timer
{
        natt_keepalive 10 sec;
}

# "anonymous" matches any peer address. With main mode + pre_shared_key the
# responder must choose the PSK from the source address alone, which is
# why patch 1 above falls back to a wildcard entry.
remote anonymous
{
        exchange_mode           main;
        nat_traversal           on;

        # Installs an SPD entry from the peer's phase-2 proposal. The
        # "no policy found, try to generate the policy" / X_SPDDELETE lines
        # in the log appear to come from this path.
        generate_policy         on;
        # "obey" accepts the initiator's proposal (lifetimes included) per
        # racoon.conf(5); it is the most permissive setting and should be
        # tightened (claim/strict) once the XP client interoperates.
        proposal_check          obey;

        proposal {
                encryption_algorithm    3des;
                hash_algorithm          sha1;
                authentication_method   pre_shared_key;
                dh_group                modp1024;
        }
}

sainfo anonymous
{
        pfs_group                       modp1024;
        lifetime time                   28800 sec;
        # The log shows XP proposing only 3DES / HMAC-MD5, so the weakest
        # entries in these lists are the ones actually negotiated.
        encryption_algorithm            aes,blowfish,cast128,3des;
        authentication_algorithm        hmac_sha256,hmac_sha1,hmac_md5;
        compression_algorithm           deflate;
}
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -