Description of problem:
ipsec-tools-0.3.3-6 does not support NAT-T Traversal and does not

Version-Release number of selected component (if applicable):
0.3.3-6

How reproducible:
Always

Steps to Reproduce:
1. Follow steps in http://www.ipsec-howto.org/x299.html
2. Connect from Windows XP SP2 machine from behind NAT
3.

Actual results:
racoon doesn't switch to NAT-T mode

From /var/log/messages:
Sep 12 01:00:26 unix-01 racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Sep 12 01:00:26 unix-01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[4500] used as isakmp port (fd=8)
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[4500] used for NAT-T
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[500] used as isakmp port (fd=9)
Sep 12 01:00:27 unix-01 racoon: racoon startup succeeded
Sep 12 01:00:27 unix-01 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 12 01:01:34 unix-01 racoon: ERROR: unknown Informational exchange received.
Sep 12 01:01:36 unix-01 racoon: INFO: respond new phase 1 negotiation: 165.146.178.7[500]<=>165.165.0.94[500]
Sep 12 01:01:36 unix-01 racoon: INFO: begin Identity Protection mode.
Sep 12 01:01:36 unix-01 racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Sep 12 01:01:36 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[500]-165.165.0.94[500] spi:6cf57b3f3df9c786:49c3674a11f07110
Sep 12 01:01:37 unix-01 racoon: INFO: respond new phase 2 negotiation: 165.146.178.7[0]<=>165.165.0.94[0]
Sep 12 01:01:37 unix-01 racoon: INFO: no policy found, try to generate the policy : 192.168.1.97/32[1701] 165.146.178.7/32[1701] proto=udp dir=in
Sep 12 01:01:37 unix-01 racoon: INFO: IPsec-SA established: ESP/Transport 165.165.0.94->165.146.178.7 spi=188948397(0xb431fad)
Sep 12 01:01:37 unix-01 racoon: INFO: IPsec-SA established: ESP/Transport 165.146.178.7->165.165.0.94 spi=2563736790(0x98cf84d6)
Sep 12 01:01:37 unix-01 racoon: ERROR: such policy does not already exist: 192.168.1.97/32[1701] 165.146.178.7/32[1701] proto=udp dir=in
Sep 12 01:01:37 unix-01 racoon: ERROR: such policy does not already exist: 165.146.178.7/32[1701] 192.168.1.97/32[1701] proto=udp dir=out
Sep 12 01:01:45 unix-01 racoon: INFO: purged IPsec-SA proto_id=ESP spi=2563736790.
Sep 12 01:01:45 unix-01 racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=6cf57b3f3df9c786:49c3674a11f07110.
Sep 12 01:01:46 unix-01 racoon: INFO: ISAKMP-SA deleted 165.146.178.7[500]-165.165.0.94[500] spi:6cf57b3f3df9c786:49c3674a11f07110

Expected results:
Updated to Fedora Core 3
Updated ipsec-tools-0.5-2.fc3 provides the following:
Sep 12 01:33:44 unix-01 racoon: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
Sep 12 01:33:44 unix-01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Sep 12 01:33:44 unix-01 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 12 01:33:44 unix-01 racoon: racoon startup succeeded
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[500] used as isakmp port (fd=14)
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[500] used for NAT-T
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[4500] used as isakmp port (fd=15)
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[4500] used for NAT-T
Sep 12 01:33:44 unix-01 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 12 01:33:47 unix-01 racoon: INFO: respond new phase 1 negotiation: 165.146.178.7[500]<=>165.165.0.94[500]
Sep 12 01:33:47 unix-01 racoon: INFO: begin Identity Protection mode.
Sep 12 01:33:47 unix-01 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Sep 12 01:33:47 unix-01 racoon: INFO: received Vendor ID: FRAGMENTATION
Sep 12 01:33:47 unix-01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 12 01:33:47 unix-01 racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-D payload #0 doesn't match
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-D payload #1 doesn't match
Sep 12 01:33:47 unix-01 racoon: INFO: NAT detected: ME PEER
Sep 12 01:33:47 unix-01 racoon: INFO: Hashing 165.165.0.94[500] with algo #2 (NAT-T forced)
Sep 12 01:33:47 unix-01 racoon: INFO: Hashing 165.146.178.7[500] with algo #2 (NAT-T forced)
Sep 12 01:33:47 unix-01 racoon: INFO: Adding remote and local NAT-D payloads.
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-T: ports changed to: 165.165.0.94[4500]<->165.146.178.7[4500]
Sep 12 01:33:47 unix-01 racoon: INFO: KA list add: 165.146.178.7[4500]->165.165.0.94[4500]
Sep 12 01:33:47 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[4500]-165.165.0.94[4500] spi:93a7d76ca9e02241:ff65107c021e3ca5
Sep 12 01:33:47 unix-01 racoon: INFO: respond new phase 2 negotiation: 165.146.178.7[0]<=>165.165.0.94[0]

Additional info:
From the IPsec HOWTO guide: The Linux kernel 2.6 is capable of using NAT traversal in tunnel mode. Transport mode is not supported yet. This can be used by Racoon starting with version 0.3.3 of the ipsec-tools.
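A way to tell from /var/log/messages whether racoon actually negotiated NAT-T, rather than merely reporting port 4500 as "used for NAT-T" at startup as the 0.3.3 log does. This is an added example, not part of the bug report or of ipsec-tools; the two embedded excerpts are condensed from the logs quoted above.

```python
import re
# Added example (not from the bug report): decide from racoon syslog lines whether a
# phase 1 exchange really negotiated NAT-T. Excerpts condensed from the report's logs.
OLD_RACOON = """\
Sep 12 01:00:26 unix-01 racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[4500] used for NAT-T
Sep 12 01:01:36 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[500]-165.165.0.94[500] spi:6cf57b3f3df9c786:49c3674a11f07110
Sep 12 01:01:37 unix-01 racoon: ERROR: such policy does not already exist: 192.168.1.97/32[1701] 165.146.178.7/32[1701] proto=udp dir=in
"""
NEW_RACOON = """\
Sep 12 01:33:44 unix-01 racoon: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
Sep 12 01:33:47 unix-01 racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Sep 12 01:33:47 unix-01 racoon: INFO: NAT detected: ME PEER
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-T: ports changed to: 165.165.0.94[4500]<->165.146.178.7[4500]
Sep 12 01:33:47 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[4500]-165.165.0.94[4500] spi:93a7d76ca9e02241:ff65107c021e3ca5
"""

MSG = re.compile(r"racoon: (?P<level>[A-Z]+): (?P<text>.*)$")
VERSION = re.compile(r"@\(#\)ipsec-tools (\S+)")
SA = re.compile(r"ISAKMP-SA established ([^\[]+)\[(\d+)\]-([^\[]+)\[(\d+)\]")

def summarise(log):
    """Collect the NAT-T relevant facts from a racoon log excerpt."""
    s = {"version": None, "nat_t_version": None, "nat_detected": [],
         "ports_changed": False, "isakmp_sa_ports": None, "policy_errors": 0}
    for line in log.splitlines():
        m = MSG.search(line)
        if not m:
            continue                      # not a "racoon: LEVEL: text" message
        text = m.group("text")
        if v := VERSION.search(text):
            s["version"] = v.group(1)
        elif text.startswith("Selected NAT-T version: "):
            s["nat_t_version"] = text.split(": ", 1)[1]
        elif text.startswith("NAT detected: "):
            s["nat_detected"] = text.split(": ", 1)[1].split()   # e.g. ["ME", "PEER"]
        elif text.startswith("NAT-T: ports changed to:"):
            s["ports_changed"] = True
        elif sa := SA.search(text):
            s["isakmp_sa_ports"] = (int(sa.group(2)), int(sa.group(4)))
        elif "such policy does not already exist" in text:
            s["policy_errors"] += 1
    return s

def nat_t_negotiated(log):
    """True only if a NAT-T draft was selected, a NAT was seen and the SA moved to UDP 4500."""
    s = summarise(log)
    return (s["nat_t_version"] is not None and bool(s["nat_detected"])
            and s["ports_changed"] and s["isakmp_sa_ports"] == (4500, 4500))
```

Run against the 0.3.3-6 excerpt the check is false (the ISAKMP-SA stays on UDP 500 and the phase 2 policy errors follow); against the 0.5-2.fc3 excerpt it is true.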
This is a known limitation of ipsec-tools of that version. It is unlikely to be fixed for RHEL 4; it will be considered with newer ipsec-tools for RHEL 5 or later. With the goal of minimizing risk of change for deployed systems, and in response to customer and partner requirements, Red Hat takes a conservative approach when evaluating changes for inclusion in maintenance updates for currently deployed products. The primary objectives of update releases are to enable new hardware platform support and to resolve critical defects.
Been reading through the ipsec-tools development mailing list and NAT-OA is, as you correctly state, not quite ready to support Microsoft's draft-ietf-ipsec-nat-t-ike-02 implementation.
http://sourceforge.net/mailarchive/message.php?msg_id=12632636
Racoon doesn't support NAT-OA yet. I've no idea if Linux kernel can update TCP checksums
The default ipsec-tools package shipped with RHEL4 does however appear to support NAT-T support for RHEL4 - RHEL4 servers through a NATted connection, but only works when installing the recompiled ipsec-tools package from Fedora Core 3 (ipsec-tools-0.5-2.fc3).
Will Red Hat be providing a later version, which has working NAT-T support for RHEL4 - RHEL4 NATted networks, with the next quarterly update of RHEL4?
As stated in the previous comment, it's unlikely to be updated for RHEL 4.