Problem with NAT-T/NAT-D on isakmpd?

Fri, 27 May 2005 15:35:30 -0700

It appears that isakmpd from a May 17 snapshop is failing to recognize valid NAT-D payloads and/or recognizing that both sides are NAT'ed. isakmpd seems to have this problem with any client that supports RFC 3947. 

snippet from IKE packet capture:
14:30:59.851139 216.27.182.172.64878 > 69.33.227.66.500: [udp sum ok] isakmp v1.0 
exchange ID_PROT
        cookie: efab88cbb3abc0c8->9a44c4998d25f3eb msgid: 00000000 len: 228
        payload: KEY_EXCH len: 132
        payload: NONCE len: 20
        payload: <unknown> len: 24
        payload: <unknown> len: 24 [ttl 0] (id 1, len 256)

Here are payloads from my strongSWAN linux client:
May 27 14:30:59 localhost sudo: sean : TTY=pts/0 ; PWD=/home/sean/strongswan-2.4.1 ; USER=root ; COMMAND=/usr/local/sbin/ipsec auto --up sec 
May 27 14:30:59 localhost pluto[4766]: "sec" #11: initiating Main Mode
May 27 14:30:59 localhost pluto[4766]: "sec" #11: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] May 27 14:30:59 localhost pluto[4766]: "sec" #11: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] May 27 14:30:59 localhost pluto[4766]: "sec" #11: received Vendor ID payload [RFC 3947] May 27 14:30:59 localhost pluto[4766]: "sec" #11: received Vendor ID payload [Dead Peer Detection] May 27 14:30:59 localhost pluto[4766]: "sec" #11: enabling possible NAT-traversal with method 3 May 27 14:31:00 localhost pluto[4766]: packet from 69.33.227.66:500: ignoring informational payload, type INVALID_PAYLOAD_TYPE
isakmpd supports RFC 3947 and sends that RFC vendor id to the clients requesting to use it. The clients I've tried (openswan 2.3.1, strongswan 2.4.1, VPN Tracker 4) all send a payload ID of 20 which is correct, yet isakmpd says these payloads are unknown. When using VPN Tracker, isakmpd actually sends back NAT-D payloads that are 130 per draft-03 and draft-00 instead of using RFC 3947. A quick glance at nat_traversal.c shows that it adds the NAT-D payload and always uses ISAKMP_PAYLOAD_NAT_D_DRAFT. In message.c, I only saw that payload ID defined.
I have a plethora of other logs should they be needed. Any insight on this would be appreciated. Thanks. 

sk

Reply via email to