Follow on: I investigated another case:

Same as in the previous case, 5.2 switches to port 4500 after the NAT-D packets are exchanged and then tries to negotiate ENCAPSULATION MODE = TUNNEL (tcpdump shows that this QUICK MODE packet is udp encapsulated). This is rejected with NO PROPOSAL CHOSEN.

I reactivated the 4.6 version: Here, openBSD 4.6 does NOT switch to port 4500 after the NAT-D exchange. The connection gets established fine.

This could mean:

1. obsd 5.2 switches to udp encapsulation as soon as it detects that the peer is able to handle this (and not because a NAT device is positively detected). I do not know if this is conformant to the rfcs in question. Anyway it seems that some peers in this case expect ENCAPSULATION_MODE=UDP_ENCAP_TUNNEL instead of plain TUNNEL.

Or 2. obsd 5.2 switches to udp encapsulation as it detects a NAT device where there is no NAT device. (Same problem as in case 1 with ENCAPSULATION_MODE)

Or 3. obsd 4.6 does not recognise the NAT device and the connection works anyway because the NAT device is "ISAKMP aware".

Could anybody please shed some light on what is the expected behavior? Has anybody seen similar problems?

-----Original Message-----
From: owner-m...@openbsd.org [mailto:owner-m...@openbsd.org] On behalf of Christoph Leser
Sent: Saturday, 15 September 2012 15:51
To: misc@openbsd.org
Subject: isakmpd nat problem with openBSD 5.2

After I upgraded from openBSD 4.6 to 5.2 I have the following problem with isakmpd+nat when the remote side is behind a NAT gateway:

openBSD Phase 1 recognizes NAT and switches to port 4500 to send the ID information.

openBSD Phase 2 then tries to negotiate TUNNEL mode, but the remote side rejects this with 'no proposal chosen'. The remote side's log says something like 'expected 'UDP Encapsulated TUNNEL', got 'TUNNEL''.

I believe that I never saw 'UDP_ENCAP_TUNNEL' in tcpdump of isakmpd.pcap when I was on 4.6.

Why did it work with 4.6 and not with 5.2?

Best Regards / Kind regards
Christoph
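The two things the thread turns on are how a peer decides that a NAT is present (the NAT-D hashes of RFC 3947) and which Encapsulation Mode value then appears in the Quick Mode transform. The following script, added here as an illustration and not code from the thread or from isakmpd, implements both checks so a decrypted capture (such as the isakmpd.pcap written by isakmpd -L that the poster mentions) can be classified: it recomputes NAT-D hashes from the cookies and the observed source address to tell "peer is NAT-T capable" apart from "a NAT was actually detected", and it parses the ISAKMP attribute list of a transform to name the proposed Encapsulation Mode. It assumes SHA-1 as the Phase 1 hash; the cookies, addresses and transform bytes are constructed sample data, and the attribute numbers come from RFC 2407/2408 and RFC 3947.

```python
import hashlib
import ipaddress
import struct

# Encapsulation Mode is IPsec DOI attribute type 4 (RFC 2407 section 4.5).
# Values 1-2 are from RFC 2407, 3-4 from RFC 3947; 61443/61444 are the
# private-range values of the pre-RFC NAT-T drafts that some older peers send.
ENCAP_MODE_ATTR = 4
ENCAP_MODE_NAMES = {
    1: "TUNNEL",
    2: "TRANSPORT",
    3: "UDP_ENCAP_TUNNEL",
    4: "UDP_ENCAP_TRANSPORT",
    61443: "UDP_ENCAP_TUNNEL (draft value)",
    61444: "UDP_ENCAP_TRANSPORT (draft value)",
}


def nat_d_hash(cky_i, cky_r, ip, port, hash_name="sha1"):
    """NAT-D payload contents per RFC 3947 section 3.2:
    HASH(CKY-I | CKY-R | IP | Port), using the hash negotiated in Phase 1."""
    h = hashlib.new(hash_name)
    h.update(cky_i)
    h.update(cky_r)
    h.update(ipaddress.ip_address(ip).packed)
    h.update(struct.pack("!H", port))
    return h.digest()


def analyze_nat_d(cky_i, cky_r, local_ip, local_port, observed_peer_ip,
                  observed_peer_port, nat_d_payloads, hash_name="sha1"):
    """Classify a received NAT-D exchange (RFC 3947 section 4).

    The first NAT-D the peer sends hashes *our* address as the peer sees it;
    the remaining ones hash the peer's own address(es). A mismatch against
    what is observed on the wire means a NAT rewrote that side.
    Returns (local_behind_nat, peer_behind_nat)."""
    if len(nat_d_payloads) < 2:
        raise ValueError("NAT-D exchange needs at least two payloads")
    dst_hash, src_hashes = nat_d_payloads[0], nat_d_payloads[1:]
    local_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, local_ip, local_port, hash_name)
    expected_src = nat_d_hash(cky_i, cky_r, observed_peer_ip, observed_peer_port, hash_name)
    peer_behind_nat = expected_src not in src_hashes
    return local_behind_nat, peer_behind_nat


def parse_attributes(data):
    """Parse ISAKMP data attributes (RFC 2408 section 3.3) from a transform body.
    AF=1: 2-byte value follows the type; AF=0: 2-byte length, then value bytes."""
    attrs = []
    off = 0
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        af_type, second = struct.unpack_from("!HH", data, off)
        atype = af_type & 0x7FFF
        if af_type & 0x8000:
            attrs.append((atype, second))
            off += 4
        else:
            value = data[off + 4:off + 4 + second]
            if len(value) != second:
                raise ValueError("truncated attribute value")
            attrs.append((atype, value))
            off += 4 + second
    return attrs


def encapsulation_mode(attrs):
    """Return the Encapsulation Mode name proposed in a transform, or None if absent."""
    for atype, value in attrs:
        if atype == ENCAP_MODE_ATTR and isinstance(value, int):
            return ENCAP_MODE_NAMES.get(value, "unknown(%d)" % value)
    return None


# Constructed sample data (not taken from the thread): Phase 1 cookies and a
# Quick Mode transform with Encapsulation Mode = UDP_ENCAP_TUNNEL (0x8004 0x0003),
# SA Life Type = seconds (0x8001 0x0001) and SA Life Duration = 3600 (type 2, 4 bytes).
SAMPLE_CKY_I = bytes.fromhex("0102030405060708")
SAMPLE_CKY_R = bytes.fromhex("1112131415161718")
SAMPLE_TRANSFORM_ATTRS = bytes.fromhex("80040003" "80010001" "0002000400000e10")


def demo():
    """Peer behind a NAT: it hashes its private address 192.168.1.10:500, but its
    packets are observed arriving from 203.0.113.5:500 (both addresses constructed)."""
    local_ip, local_port = "198.51.100.1", 500
    payloads = [
        nat_d_hash(SAMPLE_CKY_I, SAMPLE_CKY_R, local_ip, local_port),  # peer's view of us
        nat_d_hash(SAMPLE_CKY_I, SAMPLE_CKY_R, "192.168.1.10", 500),  # peer's own address
    ]
    nat = analyze_nat_d(SAMPLE_CKY_I, SAMPLE_CKY_R, local_ip, local_port,
                        "203.0.113.5", 500, payloads)
    mode = encapsulation_mode(parse_attributes(SAMPLE_TRANSFORM_ATTRS))
    return nat, mode


if __name__ == "__main__":
    (local_nat, peer_nat), mode = demo()
    print("local behind NAT:", local_nat, "| peer behind NAT:", peer_nat)
    print("proposed encapsulation mode:", mode)
```

If both sides' NAT-D hashes match the observed addresses, neither side is behind a NAT and a peer proposing UDP_ENCAP_TUNNEL rather than TUNNEL (or rejecting TUNNEL) is behaving as in the poster's case 2; a peer whose own hash mismatches is genuinely translated, and then RFC 3947 expects the UDP-encapsulated mode in Phase 2.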