ESP and nat-traversal
- Subject: ESP and nat-traversal
- From: Serge Cohen <email@hidden>
- Date: Sat, 20 Jun 2009 22:00:27 +0200
Hi list,
I'm new here, so I hope that I got it right that this is the
mailing list to ask the following question:
Context:
I'm maintaining an OpenBSD server serving VPN for "road-
warriors" (clients with itinerant addresses), some clients being MacOS
10.5 running macs. I'm trying to support IPSEC/L2TP serving for these
machines. When the clients have a public address (and are not sitting
behind a NAT) this all goes well: IKE exchanges enable the setup of
an ESP flow between my server and the client and the transported L2TP
udp flow is established correctly.
Question:
When the client sits behind a firewall, the IKE exchange (udp port
500) detects that a NAT is involved and jumps to port udp 4500 (known
as nat-traversal or ipsec-msft). The IKE flow then manages to set the
SAs, basically enabling the establishment of the IPSEC flow. Then the
ESP flow goes through udp 4500 (ipencap) rather than using IP
protocol ESP. On the server there are clearly encrypted packets
arriving bound to udp 1701 (L2TP) after decryption. The L2TP server
replies to the client; the packet (now speaking of the udp packet
coming from the server and going to the client) is encrypted and sent towards
the client's udp 4500. On the client (Mac 10.5), having ipfw log port
udp 4500, I see the packet arriving but it seems the decrypted packet
never reaches the L2TP client.
Unfortunately, I have so far not found a way to have verbose logging
of the PPP daemon on the client machine, nor got a way to trace the
decrypted packets on the client side (on the server, OpenBSD has an
interface, enc0, where I can log the unencrypted packets).
Is there a way on the mac to gather information on the unencrypted
content of ESP or NAT-T'ed ESP packets?
I was hoping that setting "sysctl -w net.inet.ipsec.debug=1" would
help me in this respect, but I could not find if and where this would
produce any logging...
Is there a way for me to make sure that returned packets are reaching
the client's PPP daemon?
On the client mac, when I turn ipfw on to have logging of packets
and set ipfw this way:
01000 count log logamount 10000 udp from any to any dst-port 4500
02000 count log logamount 10000 udp from any to any dst-port 500
03000 count log logamount 10000 udp from any to any dst-port 1701
04000 count log logamount 10000 esp from any to any
65535 allow ip from any to any
I clearly see the initial packets used to exchange keys:
Jun 20 21:53:27 cocoa Firewall[55]: 2000 Count UDP 192.168.126.51:500
88.191.97.183:500 out via en1
Jun 20 21:53:27 cocoa Firewall[55]: 2000 Count UDP 88.191.97.183:500
192.168.126.51:500 in via en1
Jun 20 21:53:27 cocoa Firewall[55]: 2000 Count UDP 192.168.126.51:500
88.191.97.183:500 out via en1
Jun 20 21:53:27 cocoa Firewall[55]: 2000 Count UDP 88.191.97.183:500
192.168.126.51:500 in via en1
Jun 20 21:53:27 cocoa Firewall[55]: 1000 Count UDP
192.168.126.51:4500 88.191.97.183:4500 out via en1
Jun 20 21:53:27 cocoa Firewall[55]: 1000 Count UDP 88.191.97.183:4500
192.168.126.51:4500 in via en1
Then I see traffic on port 4500, which (by looking
simultaneously at l2tpd on the server) I'm sure corresponds to L2TP
traffic:
Jun 20 21:53:27 cocoa Firewall[55]: 1000 Count UDP
192.168.126.51:4500 88.191.97.183:4500 out via en1
Jun 20 21:53:28: --- last message repeated 1 time ---
Jun 20 21:53:28 cocoa Firewall[55]: 1000 Count UDP 88.191.97.183:4500
192.168.126.51:4500 in via en1
Jun 20 21:53:28 cocoa Firewall[55]: 1000 Count UDP
192.168.126.51:4500 88.191.97.183:4500 out via en1
Jun 20 21:53:30: --- last message repeated 2 times ---
Jun 20 21:53:30 cocoa Firewall[55]: 1000 Count UDP 88.191.97.183:4500
192.168.126.51:4500 in via en1
Jun 20 21:53:31: --- last message repeated 1 time ---
Jun 20 21:53:31 cocoa Firewall[55]: 1000 Count UDP
192.168.126.51:4500 88.191.97.183:4500 out via en1
Jun 20 21:53:31 cocoa Firewall[55]: 1000 Count UDP 88.191.97.183:4500
192.168.126.51:4500 in via en1
Jun 20 21:53:35: --- last message repeated 4 times ---
Jun 20 21:53:35 cocoa Firewall[55]: 1000 Count UDP
192.168.126.51:4500 88.191.97.183:4500 out via en1
Jun 20 21:53:35 cocoa Firewall[55]: 1000 Count UDP 88.191.97.183:4500
192.168.126.51:4500 in via en1
Jun 20 21:53:43 cocoa Firewall[55]: 1000 Count UDP
192.168.126.51:4500 88.191.97.183:4500 out via en1
Jun 20 21:53:43 cocoa Firewall[55]: 1000 Count UDP 88.191.97.183:4500
192.168.126.51:4500 in via en1
In the meantime, the PPP logging on the Mac is only:
Sat Jun 20 21:53:24 2009 : L2TP connecting to server
'xxxxxxxxxxxxxx' (xx.xx.xx.xx)...
Sat Jun 20 21:53:27 2009 : L2TP sent SCCRQ
Sat Jun 20 21:53:27 2009 : IPSec connection started
Sat Jun 20 21:53:27 2009 : IPSec phase 1 client started
Sat Jun 20 21:53:27 2009 : IPSec phase 1 server replied
Sat Jun 20 21:53:27 2009 : IPSec phase 1 established
Sat Jun 20 21:53:28 2009 : IPSec phase 2 started
Sat Jun 20 21:53:28 2009 : IPSec phase 2 established
Sat Jun 20 21:53:28 2009 : IPSec connection established
Sat Jun 20 21:53:28 2009 : L2TP sent SCCRQ
Sat Jun 20 21:53:48 2009 : L2TP cannot connect to the server
Any help or hint is very much welcome.
Serge.
Macnetworkprog mailing list (email@hidden)
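The port 4500 multiplexing described in the message (IKE and UDP-encapsulated ESP sharing one UDP port once a NAT is detected) can be illustrated with an added example that is not part of the original post: a small Python decoder, following RFC 3948, that classifies a port-4500 datagram payload as a NAT keepalive, an IKE message (four-byte non-ESP marker) or UDP-encapsulated ESP, whose SPI and sequence number are visible in the clear even though the rest is ciphertext. The sample datagrams are constructed, not captured; the ipfw counters in the post cannot show this distinction, but a packet capture on port 4500 fed through such a classifier can confirm per direction which ESP SA is actually carrying traffic.

```python
import struct
from collections import Counter

# RFC 3948: on UDP/4500 a payload starting with four zero bytes carries IKE
# (the "non-ESP marker"); ESP has a non-zero SPI in those bytes; a single
# 0xFF byte is a NAT keepalive.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
ISAKMP_HDR_LEN = 28  # 8 I-SPI + 8 R-SPI + next/ver/exch/flags + msgid + length

def classify_natt_payload(payload: bytes) -> dict:
    """Classify the UDP payload of one port-4500 datagram."""
    if payload == b"\xff":
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR_LEN:
            return {"kind": "malformed", "reason": "short ISAKMP header"}
        length = struct.unpack("!I", ike[24:28])[0]
        return {"kind": "ike", "initiator_spi": ike[:8].hex(),
                "responder_spi": ike[8:16].hex(), "exchange_type": ike[18],
                "length": length}
    if len(payload) < 8:
        return {"kind": "malformed", "reason": "shorter than ESP SPI+seq"}
    spi, seq = struct.unpack("!II", payload[:8])
    # Everything after SPI/seq is ciphertext plus ICV; without the SA keys
    # only its length and the SPI are observable here.
    return {"kind": "esp", "spi": spi, "seq": seq, "opaque_len": len(payload) - 8}

def summarize(datagrams):
    """Tally (direction, kind, spi) so each ESP SA's traffic is seen per direction."""
    counts = Counter()
    for direction, payload in datagrams:
        info = classify_natt_payload(payload)
        counts[(direction, info["kind"], info.get("spi"))] += 1
    return counts

# Constructed sample datagrams (not captured traffic). The IKE sample is an
# ISAKMP header: next payload 8, version 1.0, exchange type 0x20 (Quick Mode).
SAMPLE_KEEPALIVE = b"\xff"
SAMPLE_IKE = (NON_ESP_MARKER + b"\x11" * 8 + b"\x22" * 8
              + bytes([0x08, 0x10, 0x20, 0x00]) + b"\x00" * 4
              + struct.pack("!I", ISAKMP_HDR_LEN))
SAMPLE_ESP_OUT = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 40
SAMPLE_ESP_IN = struct.pack("!II", 0xDEADBEEF, 3) + b"\xbb" * 40

if __name__ == "__main__":
    for p in (SAMPLE_KEEPALIVE, SAMPLE_IKE, SAMPLE_ESP_OUT, SAMPLE_ESP_IN):
        print(classify_natt_payload(p))
    print(summarize([("out", SAMPLE_ESP_OUT), ("in", SAMPLE_ESP_IN),
                     ("in", SAMPLE_ESP_IN), ("out", SAMPLE_IKE)]))
```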