Bug 168058 - Racoon does not support NAT-T Traversal
Summary: Racoon does not support NAT-T Traversal
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: ipsec-tools
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: ---
Assignee: Bill Nottingham
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2005-09-11 23:41 UTC by David Herselman
Modified: 2014-03-17 02:55 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-09-12 17:15:57 UTC
Target Upstream Version:
Embargoed:



Description David Herselman 2005-09-11 23:41:08 UTC
Description of problem:
ipsec-tools-0.3.3-6 does not support NAT-T Traversal and does not 

Version-Release number of selected component (if applicable):
0.3.3-6

How reproducible:
Always

Steps to Reproduce:
1. Follow steps in http://www.ipsec-howto.org/x299.html
2. Connect from Windows XP SP2 machine from behind NAT
3.
  
Actual results:
racoon doesn't switch to NAT-T mode
From /var/log/messages:
Sep 12 01:00:26 unix-01 racoon: INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
Sep 12 01:00:26 unix-01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[4500] used as isakmp port (fd=8)
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[4500] used for NAT-T
Sep 12 01:00:27 unix-01 racoon: INFO: 165.146.178.7[500] used as isakmp port (fd=9)
Sep 12 01:00:27 unix-01 racoon: racoon startup succeeded
Sep 12 01:00:27 unix-01 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 12 01:01:34 unix-01 racoon: ERROR: unknown Informational exchange received.
Sep 12 01:01:36 unix-01 racoon: INFO: respond new phase 1 negotiation: 165.146.178.7[500]<=>165.165.0.94[500]
Sep 12 01:01:36 unix-01 racoon: INFO: begin Identity Protection mode.
Sep 12 01:01:36 unix-01 racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Sep 12 01:01:36 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[500]-165.165.0.94[500] spi:6cf57b3f3df9c786:49c3674a11f07110
Sep 12 01:01:37 unix-01 racoon: INFO: respond new phase 2 negotiation: 165.146.178.7[0]<=>165.165.0.94[0]
Sep 12 01:01:37 unix-01 racoon: INFO: no policy found, try to generate the policy : 192.168.1.97/32[1701] 165.146.178.7/32[1701] proto=udp dir=in
Sep 12 01:01:37 unix-01 racoon: INFO: IPsec-SA established: ESP/Transport 165.165.0.94->165.146.178.7 spi=188948397(0xb431fad)
Sep 12 01:01:37 unix-01 racoon: INFO: IPsec-SA established: ESP/Transport 165.146.178.7->165.165.0.94 spi=2563736790(0x98cf84d6)
Sep 12 01:01:37 unix-01 racoon: ERROR: such policy does not already exist: 192.168.1.97/32[1701] 165.146.178.7/32[1701] proto=udp dir=in
Sep 12 01:01:37 unix-01 racoon: ERROR: such policy does not already exist: 165.146.178.7/32[1701] 192.168.1.97/32[1701] proto=udp dir=out
Sep 12 01:01:45 unix-01 racoon: INFO: purged IPsec-SA proto_id=ESP spi=2563736790.
Sep 12 01:01:45 unix-01 racoon: INFO: purged ISAKMP-SA proto_id=ISAKMP spi=6cf57b3f3df9c786:49c3674a11f07110.
Sep 12 01:01:46 unix-01 racoon: INFO: ISAKMP-SA deleted 165.146.178.7[500]-165.165.0.94[500] spi:6cf57b3f3df9c786:49c3674a11f07110

Expected results:
Updating to the Fedora Core 3 updated package ipsec-tools-0.5-2.fc3 provides the following:
Sep 12 01:33:44 unix-01 racoon: INFO: @(#)ipsec-tools 0.5 (http://ipsec-tools.sourceforge.net)
Sep 12 01:33:44 unix-01 racoon: INFO: @(#)This product linked OpenSSL 0.9.7a Feb 19 2003 (http://www.openssl.org/)
Sep 12 01:33:44 unix-01 racoon: NOTIFY: NAT-T is enabled, autoconfiguring ports
Sep 12 01:33:44 unix-01 racoon: racoon startup succeeded
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[500] used as isakmp port (fd=14)
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[500] used for NAT-T
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[4500] used as isakmp port (fd=15)
Sep 12 01:33:44 unix-01 racoon: INFO: 165.146.178.7[4500] used for NAT-T
Sep 12 01:33:44 unix-01 racoon: INFO: unsupported PF_KEY message REGISTER
Sep 12 01:33:47 unix-01 racoon: INFO: respond new phase 1 negotiation: 165.146.178.7[500]<=>165.165.0.94[500]
Sep 12 01:33:47 unix-01 racoon: INFO: begin Identity Protection mode.
Sep 12 01:33:47 unix-01 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
Sep 12 01:33:47 unix-01 racoon: INFO: received Vendor ID: FRAGMENTATION
Sep 12 01:33:47 unix-01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 12 01:33:47 unix-01 racoon: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-D payload #0 doesn't match
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-D payload #1 doesn't match
Sep 12 01:33:47 unix-01 racoon: INFO: NAT detected: ME PEER
Sep 12 01:33:47 unix-01 racoon: INFO: Hashing 165.165.0.94[500] with algo #2 (NAT-T forced)
Sep 12 01:33:47 unix-01 racoon: INFO: Hashing 165.146.178.7[500] with algo #2 (NAT-T forced)
Sep 12 01:33:47 unix-01 racoon: INFO: Adding remote and local NAT-D payloads.
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-T: ports changed to: 165.165.0.94[4500]<->165.146.178.7[4500]
Sep 12 01:33:47 unix-01 racoon: INFO: KA list add: 165.146.178.7[4500]->165.165.0.94[4500]
Sep 12 01:33:47 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[4500]-165.165.0.94[4500] spi:93a7d76ca9e02241:ff65107c021e3ca5
Sep 12 01:33:47 unix-01 racoon: INFO: respond new phase 2 negotiation: 165.146.178.7[0]<=>165.165.0.94[0]


Additional info:
From the IPsec HOWTO guide:
The Linux kernel 2.6 is capable of using NAT traversal in tunnel mode. 
Transport mode is not supported yet. This can be used by Racoon starting with 
version 0.3.3 of the ipsec-tools.
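As an added example (not part of the bug report or of ipsec-tools), a small Python parser that reads racoon log lines in the format quoted above and reports, per responded phase 1 negotiation, whether NAT-T was actually negotiated: the 0.5 run logs the peer's NAT-T vendor ID, "NAT detected" and a port float to UDP 4500, while the 0.3.3 run stays on port 500 and ends in missing-policy errors. The sample lines are constructed from the two excerpts in the report; the message formats matched are the ones shown there.

```python
import re

# Constructed sample input, abridged from the two racoon runs quoted in the report.
RACOON_033_LOG = """\
Sep 12 01:01:36 unix-01 racoon: INFO: respond new phase 1 negotiation: 165.146.178.7[500]<=>165.165.0.94[500]
Sep 12 01:01:36 unix-01 racoon: INFO: received Vendor ID: MS NT5 ISAKMPOAKLEY
Sep 12 01:01:36 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[500]-165.165.0.94[500] spi:6cf57b3f3df9c786:49c3674a11f07110
Sep 12 01:01:37 unix-01 racoon: ERROR: such policy does not already exist: 192.168.1.97/32[1701] 165.146.178.7/32[1701] proto=udp dir=in
"""
RACOON_05_LOG = """\
Sep 12 01:33:47 unix-01 racoon: INFO: respond new phase 1 negotiation: 165.146.178.7[500]<=>165.165.0.94[500]
Sep 12 01:33:47 unix-01 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Sep 12 01:33:47 unix-01 racoon: INFO: NAT detected: ME PEER
Sep 12 01:33:47 unix-01 racoon: INFO: NAT-T: ports changed to: 165.165.0.94[4500]<->165.146.178.7[4500]
Sep 12 01:33:47 unix-01 racoon: INFO: ISAKMP-SA established 165.146.178.7[4500]-165.165.0.94[4500] spi:93a7d76ca9e02241:ff65107c021e3ca5
"""

# Message formats as they appear in the racoon excerpts in the report.
PHASE1 = re.compile(r"respond new phase 1 negotiation: (\S+)\[\d+\]<=>(\S+)\[\d+\]")
VENDOR = re.compile(r"received Vendor ID: (.+)$")
NATDET = re.compile(r"NAT detected: (.+)$")
ISAKMP = re.compile(r"ISAKMP-SA established (\S+)\[(\d+)\]-(\S+)\[(\d+)\]")

def summarize_natt(log):
    """One record per responded phase 1: did the peer offer NAT-T, did racoon detect
    a NAT, on which UDP port the ISAKMP SA ended (4500 = port float happened)."""
    sessions, cur = [], None
    for line in log.splitlines():
        if m := PHASE1.search(line):
            cur = {"local": m.group(1), "peer": m.group(2), "peer_offers_natt": False,
                   "nat_detected": [], "sa_port": None, "policy_errors": 0}
            sessions.append(cur)
        elif cur is None:
            continue  # lines before the first phase 1 (startup banner, port setup)
        elif (m := VENDOR.search(line)) and "nat-t" in m.group(1).lower():
            cur["peer_offers_natt"] = True
        elif m := NATDET.search(line):
            cur["nat_detected"] = m.group(1).split()  # e.g. ["ME", "PEER"]
        elif m := ISAKMP.search(line):
            cur["sa_port"] = int(m.group(2))
        elif "such policy does not already exist" in line:
            cur["policy_errors"] += 1  # symptom seen in the 0.3.3 run
    return sessions

def natt_verdict(session):
    if session["sa_port"] == 4500 and session["nat_detected"]:
        return "NAT-T negotiated (NAT on %s)" % ",".join(session["nat_detected"])
    if session["peer_offers_natt"]:
        return "peer offered NAT-T but racoon stayed on port %s" % session["sa_port"]
    return "no NAT-T (ISAKMP on port %s)" % session["sa_port"]
```

Running `natt_verdict` over `summarize_natt(RACOON_033_LOG)` and `summarize_natt(RACOON_05_LOG)` gives the two outcomes the report contrasts.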

Comment 1 Bill Nottingham 2005-09-12 17:15:57 UTC
This is a known limitation of ipsec-tools of that version. It is unlikely to be
fixed for RHEL 4; it will be considered with newer ipsec-tools for RHEL 5 or later.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects. 

Comment 2 David Herselman 2005-09-17 12:17:03 UTC
Been reading through the ipsec-tools development mailing list and NAT-OA is, as 
you correctly state, not quite ready to support Microsoft's draft-ietf-ipsec-
nat-t-ike-02 implementation.
  http://sourceforge.net/mailarchive/message.php?msg_id=12632636
    Racoon doesn't support NAT-OA yet. I've no idea if Linux kernel can
    update TCP checksums

The default ipsec-tools package shipped with RHEL4 does however appear to 
support NAT-T for RHEL4 - RHEL4 servers through a NATted connection, but it 
only works when installing the recompiled ipsec-tools package from Fedora Core 
3 (ipsec-tools-0.5-2.fc3).

Will RedHat be providing a later version, which has working NAT-T support for 
RHEL4 - RHEL4 NATted networks, with the next quarterly update of RHEL4?

Comment 3 Bill Nottingham 2005-09-18 01:27:30 UTC
As stated in the previous comment, it's unlikely to be updated for RHEL 4.

