
Bug 168058

Summary: Racoon does not support NAT-T Traversal
Product: Red Hat Enterprise Linux 4
Reporter: David Herselman <bbs2web>
Component: ipsec-tools
Assignee: Bill Nottingham <notting>
Status: CLOSED DEFERRED
Severity: medium
Priority: medium
Version: 4.0
CC: herrold, rvokal
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2005-09-12 17:15:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description David Herselman 2005-09-11 23:41:08 UTC
Description of problem:
ipsec-tools-0.3.3-6 does not support NAT-T Traversal and does not 

Version-Release number of selected component (if applicable):
0.3.3-6

How reproducible:
Always

Steps to Reproduce:
1. Follow steps in http://www.ipsec-howto.org/x299.html
2. Connect from Windows XP SP2 machine from behind NAT
Actual results:
racoon doesn't switch to NAT-T mode
From /var/log/messages:
Sep 12 01:00:26 unix-01 racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Sep 12 01:00:26 unix-01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[4500] used as isakmp port (fd=8)
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[4500] used for NAT-T
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[500] used as isakmp port (fd=9)
Sep 12 01:00:27 unix-01 racoon: racoon startup succeeded
Sep 12 01:00:27 unix-01 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 12 01:01:34 unix-01 racoon: ERROR: unknown Informational exchange received.
Sep 12 01:01:36 unix-01 racoon: INFO: respond new phase 1 negotiation: 165.146.178.7[500]<=>165.165.0.94[500]
Sep 12 01:01:36 unix-01 racoon: INFO: begin Identity Protection mode.
Sep 12 01:01:36 unix-01 racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Sep 12 01:01:36 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[500]-165.165.0.94[500] spi:6cf57b3f3df9c786:49c3674a11f07110
Sep 12 01:01:37 unix-01 racoon: INFO: respond new phase 2 negotiation: 165.146.178.7[0]<=>165.165.0.94[0]
Sep 12 01:01:37 unix-01 racoon: INFO: no policy found, try to generate the policy : 192.168.1.97/32[1701] 165.146.178.7/32[1701] proto=udp dir=in
Sep 12 01:01:37 unix-01 racoon: INFO: IPsec-SA established: ESP/Transport 165.165.0.94->165.146.178.7 spi=188948397(0xb431fad)
Sep 12 01:01:37 unix-01 racoon: INFO: IPsec-SA established: ESP/Transport 165.146.178.7->165.165.0.94 spi=2563736790(0x98cf84d6)
Sep 12 01:01:37 unix-01 racoon: ERROR: such policy does not already exist: 192.168.1.97/32[1701] 165.146.178.7/32[1701] proto=udp dir=in
Sep 12 01:01:37 unix-01 racoon: ERROR: such policy does not already exist: 165.146.178.7/32[1701] 192.168.1.97/32[1701] proto=udp dir=out
Sep 12 01:01:45 unix-01 racoon: INFO: purged IPsec-SA proto_id=ESP spi=2563736790.
Sep 12 01:01:45 unix-01 racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=6cf57b3f3df9c786:49c3674a11f07110.
Sep 12 01:01:46 unix-01 racoon: INFO: ISAKMP-SA deleted 165.146.178.7[500]-165.165.0.94[500] spi:6cf57b3f3df9c786:49c3674a11f07110

Expected results:
Updating to the Fedora Core 3 updated ipsec-tools-0.5-2.fc3 provides the following:
Sep 12 01:33:44 unix-01 racoon: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
Sep 12 01:33:44 unix-01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Sep 12 01:33:44 unix-01 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 12 01:33:44 unix-01 racoon: racoon startup succeeded
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[500] used as isakmp port (fd=14)
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[500] used for NAT-T
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[4500] used as isakmp port (fd=15)
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[4500] used for NAT-T
Sep 12 01:33:44 unix-01 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 12 01:33:47 unix-01 racoon: INFO: respond new phase 1 negotiation: 165.146.178.7[500]<=>165.165.0.94[500]
Sep 12 01:33:47 unix-01 racoon: INFO: begin Identity Protection mode.
Sep 12 01:33:47 unix-01 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Sep 12 01:33:47 unix-01 racoon: INFO: received Vendor ID: FRAGMENTATION
Sep 12 01:33:47 unix-01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 12 01:33:47 unix-01 racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-D payload #0 doesn't match
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-D payload #1 doesn't match
Sep 12 01:33:47 unix-01 racoon: INFO: NAT detected: ME PEER
Sep 12 01:33:47 unix-01 racoon: INFO: Hashing 165.165.0.94[500] with algo #2 (NAT-T forced)
Sep 12 01:33:47 unix-01 racoon: INFO: Hashing 165.146.178.7[500] with algo #2 (NAT-T forced)
Sep 12 01:33:47 unix-01 racoon: INFO: Adding remote and local NAT-D payloads.
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-T: ports changed to: 165.165.0.94[4500]<->165.146.178.7[4500]
Sep 12 01:33:47 unix-01 racoon: INFO: KA list add: 165.146.178.7[4500]->165.165.0.94[4500]
Sep 12 01:33:47 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[4500]-165.165.0.94[4500] spi:93a7d76ca9e02241:ff65107c021e3ca5
Sep 12 01:33:47 unix-01 racoon: INFO: respond new phase 2 negotiation: 165.146.178.7[0]<=>165.165.0.94[0]


Additional info:
From the IPsec HOWTO guide:
The Linux kernel 2.6 is capable of using NAT traversal in tunnel mode. Transport mode is not supported yet. This can be used by Racoon starting with version 0.3.3 of the ipsec-tools.
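The "Expected results" log above shows the NAT-D exchange that racoon 0.5 performs and 0.3.3 does not: each side hashes the IKE cookies together with an address and port, the responder compares the received NAT-D payloads against what it actually sees on the wire, and a mismatch is what makes it float both ends to UDP/4500. The following is an added illustration of that detection step, written for this page and not taken from racoon; it follows the NAT-D construction of draft-ietf-ipsec-nat-t-ike-02 (HASH(CKY-I | CKY-R | IP | Port), which is what "Hashing ... with algo #2" refers to, algo #2 being the IKEv1 attribute value for SHA-1). The addresses and the ISAKMP SPI used as cookie values are copied from the report's log; the function names, the mapping of log messages to steps, and the assumption that the Windows client sent a NAT-D for its private address 192.168.1.97 are mine.

```python
"""NAT-D based NAT detection as used by IKEv1 NAT-T (draft-ietf-ipsec-nat-t-ike-02,
later RFC 3947). Added illustration; not racoon's own code."""
import hashlib
import ipaddress
import struct

# IKEv1 phase-1 hash attribute values; the log's "algo #2" is SHA-1.
IKE_HASH_ALGS = {1: "md5", 2: "sha1"}


def nat_d_hash(cky_i: bytes, cky_r: bytes, addr: str, port: int, algo: int = 2) -> bytes:
    """NAT-D payload body: HASH(CKY-I | CKY-R | IP | Port), IP and port in network order."""
    ip = ipaddress.ip_address(addr).packed
    data = cky_i + cky_r + ip + struct.pack("!H", port)
    return hashlib.new(IKE_HASH_ALGS[algo], data).digest()


def build_nat_d_payloads(cky_i, cky_r, dst_addr, dst_port, src_addrs, src_port, algo=2):
    """What a sender puts on the wire: first the remote (destination) end as the
    sender sees it, then one payload per address the sender believes it is using."""
    payloads = [nat_d_hash(cky_i, cky_r, dst_addr, dst_port, algo)]
    payloads += [nat_d_hash(cky_i, cky_r, a, src_port, algo) for a in src_addrs]
    return payloads


def detect_nat(cky_i, cky_r, my_addr, my_port, seen_peer_addr, seen_peer_port, received, algo=2):
    """Responder-side check, mirroring the 'NAT-D payload #n doesn't match' /
    'NAT detected: ME PEER' lines.
    - received[0] is the peer's view of OUR address; if it differs from the address
      we bound, something translated it on the way: a NAT in front of ME.
    - received[1:] are the peer's candidate local addresses; if none equals the UDP
      source we actually observed, the PEER is behind a NAT."""
    if not received:
        raise ValueError("no NAT-D payloads: peer did not negotiate NAT-T")
    mine = nat_d_hash(cky_i, cky_r, my_addr, my_port, algo)
    peer_seen = nat_d_hash(cky_i, cky_r, seen_peer_addr, seen_peer_port, algo)
    matches = [received[0] == mine] + [p == peer_seen for p in received[1:]]
    return {"me": not matches[0], "peer": not any(matches[1:]), "matches": matches}


def negotiated_ports(result):
    """After NAT is detected both ends float from UDP/500 to UDP/4500 (the log's
    'NAT-T: ports changed to ...[4500]'); without NAT the exchange stays on 500."""
    return (4500, 4500) if (result["me"] or result["peer"]) else (500, 500)


# Constructed demo data; addresses and cookie values are taken from the bug's log.
CKY_I = bytes.fromhex("93a7d76ca9e02241")
CKY_R = bytes.fromhex("ff65107c021e3ca5")
SERVER = "165.146.178.7"        # racoon responder, public address
CLIENT_PRIVATE = "192.168.1.97"  # Windows XP client's own address behind the NAT
CLIENT_PUBLIC = "165.165.0.94"   # source address the responder actually sees


def demo_behind_nat():
    """Client hashes its private address; responder sees the NAT's public one."""
    wire = build_nat_d_payloads(CKY_I, CKY_R, SERVER, 500, [CLIENT_PRIVATE], 500)
    return detect_nat(CKY_I, CKY_R, SERVER, 500, CLIENT_PUBLIC, 500, wire)


def demo_no_nat():
    """Same exchange with no translation in the path: every payload matches."""
    wire = build_nat_d_payloads(CKY_I, CKY_R, SERVER, 500, [CLIENT_PUBLIC], 500)
    return detect_nat(CKY_I, CKY_R, SERVER, 500, CLIENT_PUBLIC, 500, wire)


if __name__ == "__main__":
    for name, fn in (("client behind NAT", demo_behind_nat), ("no NAT", demo_no_nat)):
        r = fn()
        print(f"{name}: me={r['me']} peer={r['peer']} -> ports {negotiated_ports(r)}")
```

Running it prints `client behind NAT: me=False peer=True -> ports (4500, 4500)` and `no NAT: me=False peer=False -> ports (500, 500)`. The first case is the situation the reporter describes; note that the log shows both ME and PEER flagged, which this plain implementation does not reproduce, since it does not model whatever racoon treats as "broken" in the Microsoft peer's payloads.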

Comment 1 Bill Nottingham 2005-09-12 17:15:57 UTC
This is a known limitation of ipsec-tools of that version. It is unlikely to be fixed for RHEL 4; it will be considered with newer ipsec-tools for RHEL 5 or later.

With the goal of minimizing risk of change for deployed systems, and in response to customer and partner requirements, Red Hat takes a conservative approach when evaluating changes for inclusion in maintenance updates for currently deployed products. The primary objectives of update releases are to enable new hardware platform support and to resolve critical defects.

Comment 2 David Herselman 2005-09-17 12:17:03 UTC
Been reading through the ipsec-tools development mailing list and NAT-OA is, as you correctly state, not quite ready to support Microsoft's draft-ietf-ipsec-nat-t-ike-02 implementation.
  http://sourceforge.net/mailarchive/message.php?msg_id=12632636
    Racoon doesn't support NAT-OA yet. I've no idea if Linux kernel can
    update TCP checksums

The default ipsec-tools package shipped with RHEL4 does however appear to support NAT-T for RHEL4 - RHEL4 servers through a NATted connection, but only works when installing the recompiled ipsec-tools package from Fedora Core 3 (ipsec-tools-0.5-2.fc3).

Will Red Hat be providing a later version, which has working NAT-T support for RHEL4 - RHEL4 NATted networks, with the next quarterly update of RHEL4?

Comment 3 Bill Nottingham 2005-09-18 01:27:30 UTC
As stated in the previous comment, it's unlikely to be updated for RHEL 4.