[Firewall] Using IPSec (w/o Racoon)

Philip Prindeville philipp_subx at redfish-solutions.com
Thu Jul 17 13:14:19 MDT 2008


Jeff:

Did you have the nat-traversal turned on?  Looking at:

http://www.ipsec-howto.org/x304.html

The example they give down at the bottom shows:

path pre_shared_key "/etc/psk.txt";

timer {
        natt_keepalive 10sec;
}

listen {
        isakmp 192.168.1.100 [500];
        isakmp_natt 192.168.1.100 [4500];
}

remote 192.168.1.1 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}


Note the "listen" and "timer" sections, and the "nat_traversal on" 
clause in the "remote" section.

-Philip



Arno van Amersfoort wrote:
> Odd.... But this sounds more like a kernel problem than something that 
> is fixable with iptables...
>
> a.
>
> Jeff Welling wrote:
>> I had trouble getting IPSec to work through NATs, I kept getting an 
>> error along the lines of 'packet too small, retransmitting'.  When there 
>> was no NAT involved it worked like a charm though.  I was not able to 
>> pin down the cause of that error message.
>>
>> Cheers,
>> Jeff.
>>
>> Philip Prindeville wrote:
>>> I'm hoping to get automagic creation of IPSec tunnels into the next 
>>> release of Astlinux, but this is a showstopper on that capability.
>>>
>>> Let me know if you have some time to stare at this issue some.  I can 
>>> run tests.
>>>
>>> Thanks,
>>>
>>> -Philip
>>>
>>>
>>> Arno van Amersfoort wrote:
>>>> What kind of IPsec implementation are you using? Freeswan, Racoon or 
>>>> something else. The FAQ is a little outdated, and this explanation only 
>>>> works with Freeswan (which is obsolete AFAIK).
>>>>
>>>> a.
>>>>
>>>> Philip Prindeville wrote:
>>>>> Hi.
>>>>>
>>>>> I read the FAQ.  Saw:
>>>>>
>>>>> *Q:* Does your firewall work with IPSEC (Freeswan)?
>>>>> *A:* YES! :-) Here's how you should do it, it's actually quite easy with 
>>>>> my script.
>>>>> You need to configure the following variables:
>>>>> - OPEN_IP="50 51" # 50 = ESP protocol, 51 = AH protocol
>>>>> - OPEN_UDP="500 4500" # 500 = IKE port. 4500 (=optional) = NAT traversal
>>>>> - TRUSTED_IF="ipsec+" # This allows the actual freeswan traffic to your 
>>>>> gateway/network. You should probably also add "ppp+" but note that this 
>>>>> only works if you don't use ppp+ for your external interface (EXT_IF)!
>>>>> - RP_FILTER=0 # If we don't do this the private external addresses won't 
>>>>> be routed into our net
>>>>>
>>>>> I'm trying to get a statically configured tunnel using setkey (hence not 
>>>>> using Racoon for dynamic key exchange via DH).
>>>>>
>>>>> I don't have any interfaces called "ipsec*", and in one case I'm doing 
>>>>> Metropolitan ethernet (or PONS, so no PPPoE) and in the other case, my 
>>>>> ppp0 is my EXT_IF.
>>>>>
>>>>> So, what to do?
>>>>>
>>>>> How do I get things working in this corner case?
>>>>>
>>>>> I ran:
>>>>>
>>>>> tcpdump -s 1500 -n -l -i ppp0 \( udp port 500 or udp port 4500 or esp or 
>>>>> ah \)
>>>>>
>>>>> but didn't see squat...  neither inbound nor outbound.
>>>>>
>>>>> Has anyone had success with IPSec that could share some pointers?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> -Philip
>>>>>
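The three NAT-traversal settings Philip points to in the howto snippet (the natt_keepalive timer, the isakmp_natt listener on UDP 4500, and nat_traversal on in the remote block) are easy to drop when a snippet is adapted, and a peer behind NAT then fails exactly as Jeff describes. The following checker is an added example and is not code from this thread or from racoon: it parses a racoon.conf fragment into its blocks and statements, reports which of those settings are missing, and separately lists the legacy algorithm choices in the howto's example (3DES, MD5, modp768) that a current deployment would replace. The sample configuration is the snippet quoted in the mail; the tokenizer, the tree layout and the function names are my own assumptions, and the checker only understands the block/statement syntax shown in that snippet.

```python
"""Sanity-check a racoon.conf fragment for the NAT-traversal settings the
mail points to: a natt_keepalive timer, an isakmp_natt listener (UDP 4500)
and nat_traversal enabled on the remote.  Added example, not racoon's code;
the config text is the howto snippet quoted in the mail, the parser is mine."""
import re

# Constructed input: the racoon.conf example quoted in the mail.
SAMPLE_CONF = '''
path pre_shared_key "/etc/psk.txt";

timer {
        natt_keepalive 10sec;
}

listen {
        isakmp 192.168.1.100 [500];
        isakmp_natt 192.168.1.100 [4500];
}

remote 192.168.1.1 {
        exchange_mode main;
        nat_traversal on;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
'''

# Tokens: quoted strings, the structural characters { } ; and bare words
# (a [500] port specification is one word).
TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};]+')


def tokenize(text):
    """Strip '#' comments and split the remaining text into tokens."""
    code = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    return TOKEN_RE.findall(code)


def parse(tokens):
    """Build a tree of ('stmt', words) and ('block', header_words, children)."""
    nodes, words, i = [], [], 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == ";":
            nodes.append(("stmt", words))
            words, i = [], i + 1
        elif tok == "{":
            depth, j = 1, i + 1          # find the matching closing brace
            while depth:
                if j >= len(tokens):
                    raise ValueError("unbalanced '{'")
                depth += {"{": 1, "}": -1}.get(tokens[j], 0)
                j += 1
            nodes.append(("block", words, parse(tokens[i + 1:j - 1])))
            words, i = [], j
        elif tok == "}":
            raise ValueError("unexpected '}'")
        else:
            words.append(tok)
            i += 1
    if words:
        raise ValueError("statement without terminating ';'")
    return nodes


def blocks(nodes, name):
    """Blocks at this level whose header starts with `name` (e.g. every 'remote')."""
    return [n for n in nodes if n[0] == "block" and n[1][:1] == [name]]


def stmts(children, key):
    """Statements inside a block whose keyword is `key`, as word lists."""
    return [n[1] for n in children if n[0] == "stmt" and n[1][:1] == [key]]


def check_nat_traversal(conf_text):
    """Return a list of problems; an empty list means all NAT-T settings are present."""
    tree = parse(tokenize(conf_text))
    problems = []
    if not any(stmts(b[2], "natt_keepalive") for b in blocks(tree, "timer")):
        problems.append("timer: no natt_keepalive, the NAT mapping for UDP 4500 "
                        "can expire while the tunnel is idle")
    if not any(stmts(b[2], "isakmp_natt") for b in blocks(tree, "listen")):
        problems.append("listen: no isakmp_natt, racoon will not bind UDP 4500")
    for remote in blocks(tree, "remote"):
        peer = " ".join(remote[1][1:]) or "anonymous"
        setting = stmts(remote[2], "nat_traversal")
        # racoon accepts on, off and force; anything but on/force is a problem here
        if not setting or setting[-1][1:2] not in (["on"], ["force"]):
            problems.append(f"remote {peer}: nat_traversal is not enabled")
    return problems


# Algorithm choices in the howto example that are legacy today.
LEGACY = {"des", "3des", "md5", "hmac_md5", "modp768"}


def legacy_algorithms(conf_text):
    """List (block path, keyword, value) for every legacy algorithm selected."""
    found = []

    def walk(nodes, path):
        for node in nodes:
            if node[0] == "stmt":
                found.extend((path, node[1][0], w) for w in node[1][1:] if w in LEGACY)
            else:
                walk(node[2], path + "/" + " ".join(node[1]))

    walk(parse(tokenize(conf_text)), "")
    return found


if __name__ == "__main__":
    # The howto snippet as is, and the same snippet with the 4500 listener dropped.
    broken = SAMPLE_CONF.replace("isakmp_natt 192.168.1.100 [4500];", "")
    for label, conf in (("howto example", SAMPLE_CONF), ("without isakmp_natt", broken)):
        print(label, "->", check_nat_traversal(conf) or "NAT-T settings present")
    for path, key, value in legacy_algorithms(SAMPLE_CONF):
        print(f"legacy algorithm {value} ({key}) in {path or '/'}")
```

Run it against a real racoon.conf by reading the file into `check_nat_traversal`; the parser tolerates nested blocks and `#` comments but not include directives, so check each included file separately. A clean NAT-T result still leaves the firewall side from the FAQ: UDP 500 and 4500 and protocols 50/51 have to be open on the external interface for the keepalives and ESP to get through at all.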