On Tue, Jun 22, 2004 at 10:49:22PM -0600, Hakan Olsson wrote:

> Support for NAT-Traversal in isakmpd was added just recently (yesterday or so). The support is for ESP-tunnels only, not AH or transport mode.
>
> So far, it has only been tested between various OpenBSD/isakmpd boxes, and I would appreciate if people could try to test this against other vendors and mail me the results.

Hi.

I don't know if my last mail of this morning had delivery problems (I didn't see it back), so here is a quick description again of the problem I encountered. Sorry if someone got it twice!

I'm trying to set up an IPSec tunnel between a FreeBSD gate (GateA, with NAT-T patchset, initiator) and an OpenBSD gate (GateB, responder, isakmpd is up to date now). Each gate is behind a NAT device (NatA and NatB).

GateA sends an Isakmp aggressive exchange from port 500 to port 500. NatA NATs the packet, which is now ephemeral->500. NatB forwards the packet to GateB. GateB detects NAT-T support, detects NAT, and replies from the floated port. So the reply packet is 4500->ephemeral. NatB forwards the packet to NatA, because it has a generic NAT rule, but NatA has no way to know that this packet is the reply!

As specified in the draft (Section 3):

    Recipients MUST reply back to the source address from the packet. This also means that when the original responder is doing rekeying, or sending notifications etc. to the original initiator it MUST send the packets from the same set of port and IP numbers that was used when the IKE SA was last time used (i.e the source and destination port and IP numbers must be same).

Please tell me when this will be fixed, I'll update my isakmpd and try again.

Regards,
Yvan.
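The port flow described in the mail, as an added simulation written for this page (not isakmpd's or the FreeBSD NAT-T patchset's code): a port-restricted NAT in front of GateA forwards a reply only if it comes from the remote address and port that GateA sent to, so a reply sourced from the floated port 4500 is dropped, while one sourced from the port the request arrived on is delivered. The addresses, the port-restricted model for NatA and the generic forward at NatB are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

GATE_A, NAT_A_PUB = "10.0.0.2", "203.0.113.1"   # constructed addresses
GATE_B, NAT_B_PUB = "10.1.0.2", "198.51.100.1"

@dataclass
class PortRestrictedNat:
    """NatA: an inbound packet is forwarded only if it matches a mapping created
    by an outbound packet, including the remote (ip, port) that packet went to."""
    public_ip: str
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (in_ip, in_port, r_ip, r_port) -> mapped port

    def outbound(self, p: Packet) -> Packet:
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        if key not in self.table:
            self.table[key] = self.next_port   # allocate the ephemeral port
            self.next_port += 1
        return Packet(self.public_ip, self.table[key], p.dst_ip, p.dst_port)

    def inbound(self, p: Packet):
        for (in_ip, in_port, r_ip, r_port), mapped in self.table.items():
            if mapped == p.dst_port and (r_ip, r_port) == (p.src_ip, p.src_port):
                return Packet(p.src_ip, p.src_port, in_ip, in_port)
        return None  # no mapping matches this source port: dropped

def gate_b_reply(req: Packet, reply_from_floated_port: bool) -> Packet:
    # The mail's isakmpd answered from 4500 once it detected NAT; the draft
    # requires answering from the address and port the request arrived on.
    src_port = 4500 if reply_from_floated_port else req.dst_port
    return Packet(req.dst_ip, src_port, req.src_ip, req.src_port)

def exchange(reply_from_floated_port: bool):
    nat_a = PortRestrictedNat(NAT_A_PUB)
    wire = nat_a.outbound(Packet(GATE_A, 500, NAT_B_PUB, 500))          # ephemeral -> 500
    at_b = Packet(wire.src_ip, wire.src_port, GATE_B, wire.dst_port)   # NatB: generic forward
    reply = gate_b_reply(at_b, reply_from_floated_port)
    reply_wire = Packet(NAT_B_PUB, reply.src_port, reply.dst_ip, reply.dst_port)  # NatB rewrites src ip
    return nat_a.inbound(reply_wire)   # what GateA receives, or None if NatA drops it

if __name__ == "__main__":
    print("reply from 4500    :", exchange(True))    # None: NatA drops it
    print("reply from port 500:", exchange(False))   # delivered to GateA:500
```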