Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to III)

b0ba

New Member


Messages: 6

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

obsigna said:
b0ba said:
... I can not reach any other PC in the network. Seems PF blocks packets outside of the VPN server, but
not. What can be the reason ?

Is the IPsec server listening on the WAN interface, i.e. before NAT? In this case, consider to put it behind NAT.

Yes, IPSec is listening WAN interface. I have em0 - WAN, em1 - LAN. What is advantage, if I put it behind NAT ? In anycase I have to forward IPSec ports to it or I am wrong.

Check whether net/mpd5 is configured for proxy-arp:
Code:
...
	set iface enable proxy-arp
...

I have this line.

Check whether the firewall allows any traffic on the ng* interfaces. I have no experience with pf, I use ipfw(8), and the respective rule for this is:
Code:
...
/sbin/ipfw -q add 50 allow ip from any to any via ng*
...

I have:

Code:
# There is a better way to do this with ifconfig groups - you're welcome to try getting
# mpd5 to do that!
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all
pass quick on ng4 all
pass quick on ng5 all

I have tried disable PF at all, the same result, may be only a little bit other lines in tcpdump. With pf enabled I have:

Code:
16:04:39.409825 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:39.409857 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 2764170047, win 0, length 0
16:04:40.000318 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:40.000349 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:40.574235 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,nop,sackOK], length 0
16:04:40.574258 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:47.608413 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:47.608450 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1881090482, win 0, length 0
16:04:48.187196 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:48.187219 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:48.768865 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,nop,sackOK], length 0
16:04:48.768887 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1, win 0, length 0

where 192.168.221.31 is IP from mpd5 and 192.168.221.5 other linux server in the same LAN.
 

obsigna

Daemon

Reaction score: 892
Messages: 1,284

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

b0ba said:
obsigna said:
b0ba said:
... I can not reach any other PC in the network. Seems PF blocks packets outside of the VPN server, but not. What can be the reason ?
Is the IPsec server listening on the WAN interface, i.e. before NAT? In this case, consider to put it behind NAT.
Yes, IPSec is listening WAN interface. I have em0 - WAN, em1 - LAN. What is advantage, if I put it behind NAT ? In any case I have to forward IPSec ports to it or I am wrong.
Well, this way it works for me. I established NAT port redirection for the 2 UDP ports 500 and 4500 from the WAN interface to the LAN interface, and the Proxy ARP mechanism of mpd5 takes care of the internal routing automatically. Since my setup is running on a dynamic WAN IP, the additional advantage is that nothing needs to be changed, once the dynamic IP changes, the IPsec server continues working without reconfiguration and without restart. Anyway, I never tried IPsec before the NAT, and I cannot tell whether this would work with internal clients or not. I can only tell, that with L2TP/IPsec behind the NAT I can address all internal clients (ssh, web, vnc, etc.) without any problems.

b0ba said:
obsigna said:
Check whether net/mpd5 is configured for proxy-arp:
Code:
...
	set iface enable proxy-arp
...
I have this line.
OK, this is important only, if L2TP (port 1701) is listening behind the NAT.

b0ba said:
obsigna said:
Check whether the firewall allows any traffic on the ng* interfaces. I have no experience with pf, I use ipfw(8), and the respective rule for this is:
Code:
...
/sbin/ipfw -q add 50 allow ip from any to any via ng*
...
I have:

Code:
# There is a better way to do this with ifconfig groups - you're welcome to try getting
# mpd5 to do that!
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all
pass quick on ng4 all
pass quick on ng5 all
OK!

b0ba said:
I have tried disable PF at all, the same result, may be only a little bit other lines in tcpdump.
I would not expect this to work, since you need NAT in any case, and once you disable pf you disable NAT as well.

b0ba said:
With pf enabled I have:

Code:
16:04:39.409825 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:39.409857 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 2764170047, win 0, length 0
16:04:40.000318 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:40.000349 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:40.574235 IP 192.168.221.31.52357 > 192.168.221.5.ssh: Flags [S], seq 2764170046, win 8192, options [mss 1240,nop,nop,sackOK], length 0
16:04:40.574258 IP 192.168.221.5.ssh > 192.168.221.31.52357: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:47.608413 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:47.608450 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1881090482, win 0, length 0
16:04:48.187196 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,wscale 2,nop,nop,sackOK], length 0
16:04:48.187219 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1, win 0, length 0
16:04:48.768865 IP 192.168.221.31.52358 > 192.168.221.5.ssh: Flags [S], seq 1881090481, win 8192, options [mss 1240,nop,nop,sackOK], length 0
16:04:48.768887 IP 192.168.221.5.ssh > 192.168.221.31.52358: Flags [R.], seq 0, ack 1, win 0, length 0
where 192.168.221.31 is IP from mpd5 and 192.168.221.5 other linux server in the same LAN.
I would try to setup some NAT rules.
 

b0ba

New Member


Messages: 6

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

obsigna said:
I would try to setup some NAT rules.
Do you think it make sense if both IP adresses are in the same network ? If yes, can you please write example according IPFW and I will try to make the same with PF.
 

obsigna

Daemon

Reaction score: 892
Messages: 1,284

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

b0ba said:
obsigna said:
I would try to setup some NAT rules.
Do you think it make sense if both IP adresses are in the same network ?

With both IP addresses, do you mean an IP address from the dynamic IP pool for the ng* interfaces and an IP address in your LAN? In this case, NAT won't make sense for this.

I was thinking about the NAT rules of net/mpd5 -- 4.14. Network Address Translation (NAT). I never tried this, because in my setup I don't need internal NAT, and perhaps, before playing around with NAT, you want to compare your mpd5 settings with my working ones. Perhaps something is wrong with your ippool and/or the ippc ranges. Note also how my L2TP server is listening on the local IP address (l2tp self 192.168.0.1), this would be the only difference from your setup, however I cannot tell, if this is the crucial one.

Code:
l2tp_server:
# Define dynamic IP address pool.
	set ippool add pool_l2tp 192.168.0.201 192.168.0.250

# Create clonable bundle template named B_l2tp
	create bundle template B_l2tp
	set iface enable proxy-arp
	set iface enable tcpmssfix
	set ipcp yes vjcomp

# Specify IP address pool for dynamic assigment.
	set ipcp ranges 192.168.0.1/32 ippool pool_l2tp
	set ipcp dns 192.168.0.1

# Create clonable link template named L_l2tp
	create link template L_l2tp l2tp
	set link action bundle B_l2tp
	set link mtu 1230
	set link keep-alive 0 0
	set link yes acfcomp protocomp
	set link no pap chap eap
	set link enable chap

# Configure L2TP
	set l2tp self 192.168.0.1
	set l2tp disable dataseq

# Allow to accept calls
	set link enable incoming
 

b0ba

New Member


Messages: 6

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

I found only 2 diff from my setup:
1) I have mask 24 here, you have 32 (set ipcp ranges 192.168.0.1/32 ippool pool_l2tp)
2) I have external WAN IP here : set l2tp self 192.168.0.1
 

obsigna

Daemon

Reaction score: 892
Messages: 1,284

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

b0ba said:
I found only 2 diff from my setup:
1) I have mask 24 here, you have 32 (set ipcp ranges 192.168.0.1/32 ippool pool_l2tp)
2) I have external WAN IP here : set l2tp self 192.168.0.1

A mask of 24 means that the local IP address of your L2TP server is negotiable, and it may end up in the range from 192.168.0.1 - 255 and it may even overlap with the remote IP pool and perhaps with your local LAN address ranges. IMHO, there is no need for the local address range being that flexible, and therefore, I nailed it down to the desired address. I suggest to you doing the same, see: 4.7. IPCP layer.
 

b0ba

New Member


Messages: 6

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

With mask 32 I have the same result. I can reach only 192.168.221.31 (ng0) and 192.168.221.254 (em1)
I think now about kernel option "options IPSEC_NAT_T". May be if my IPSec server is listening em0 - WAN, I don't need it and it is the reason. Also I found https://forums.freebsd.org/viewtopic.php?t=45691 It is not issue I have, but may be my problem has relation to it too.
 

obsigna

Daemon

Reaction score: 892
Messages: 1,284

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

b0ba said:
With mask 32 I have the same result. I can reach only 192.168.221.31 (ng0) and 192.168.221.254 (em1)
I think now about kernel option "options IPSEC_NAT_T". ...

My IPsec related kernel options are:
Code:
# Options for IPsec
options  IPSEC
options  IPSEC_FILTERTUNNEL
options  IPSEC_NAT_T
device   crypto
device   enc

b0ba said:
... Also I found https://forums.freebsd.org/viewtopic.php?t=45691 It is not issue I have, but may be my problem has relation to it too.

That problem is related to a flaw introduced in FreeBSD 10. Since you are running on FreeBSD 9.2 as I do, that shouldn't affect you.
 

b0ba

New Member


Messages: 6

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

I have the same kernel options for the IPSec. I will try tomorrow exactly your setup with IPSec server behind the NAT and let you know. Thank you very much for your help.
 

obsigna

Daemon

Reaction score: 892
Messages: 1,284

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

b0ba said:
I have the same kernel options for the IPSec. I will try tomorrow exactly your setup with IPSec server behind the NAT and let you know. Thank you very much for your help.

For your reference, here come my ipfw(8) configuration:

In /etc/rc.conf:
Code:
gateway_enable="YES"
firewall_enable="YES"
firewall_nat_enable="YES"
firewall_script="/etc/ipfw.conf"
ipsec_enable="YES"
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf"
racoon_enable="YES"
racoon_flags="-l /var/log/racoon.log"
mpd_enable="YES"

My ipfw script file /etc/ipfw.conf contains:
Code:
#!/bin/sh

/sbin/ipfw -q flush
/sbin/ipfw -q nat 1 config if em0 unreg_only reset \
                           redirect_port udp 192.168.0.1:500   500 \
                           redirect_port udp 192.168.0.1:4500 4500

# Allow anything within the LAN -- the interface with the heaviest traffic shall come first
/sbin/ipfw -q add 10 allow ip from any to any via em1
/sbin/ipfw -q add 20 allow ip from any to any via lo0
/sbin/ipfw -q add 30 allow ip from any to any via ng*

# Catch spoofing from outside
/sbin/ipfw -q add 90 deny ip from any to any not antispoof in

# NAT rule for incomming packets
/sbin/ipfw -q add 100 nat 1 ip from any to any via em0 in
/sbin/ipfw -q add 101 check-state

# Rules for allowing dial-in calls to the IPsec VPN server listening on a LAN interface behind the NAT
/sbin/ipfw -q add 201 skipto 10000 udp from any to any  500 via em0 in keep-state
/sbin/ipfw -q add 202 skipto 10000 udp from any to any 4500 via em0 in keep-state

# Rules for outgoing traffic -- allow everything that is not explicitely denied
/sbin/ipfw -q add 1000 deny ip from not me to any 25,53 via em0 out
# Allow all other outgoing connections
/sbin/ipfw -q add 2000 skipto 10000 tcp from any to any via em0 out setup keep-state
/sbin/ipfw -q add 2010 skipto 10000 udp from any to any via em0 out keep-state

# Rules for incomming traffic -- deny everything that is not explicitely allowed
/sbin/ipfw -q add 5000 allow tcp from any to me 22,25,80,443,587,993,995 via em0 in setup keep-state
# Deny all other tcp/udp packets, but don't touch gre, esp, icmp traffic
/sbin/ipfw -q add 9998 deny tcp from any to any via em0
/sbin/ipfw -q add 9999 deny udp from any to any via em0

# NAT rule for outgoing packets
/sbin/ipfw -q add 10000 nat 1 ip from any to any via em0 out

# Allow anything else -- just in case ipfw has not been configured as open firewall
/sbin/ipfw -q add 65534 allow ip from any to any

In file /etc/sysctl.conf:
Code:
net.inet.ip.fastforwarding=1
net.inet.ip.fw.one_pass=0
net.inet.ipsec.filtertunnel=0
net.inet6.ipsec6.filtertunnel=0
net.inet.esp.esp_ignore_natt_cksum=1
 

Senya88

Member


Messages: 27

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

Hello! I recently learned that the problem described here:
https://www.freebsd.org/cgi/query-pr.cgi?pr=185876&cat=kern
was solved in FreeBSD10-STABLE and -HEAD. I downloaded the source code FreeBSD10-STABLE from svn and applied this patch:
https://forums.freebsd.org/download/file.php?id=2047
I rebuilded my kernel, but not a world. I did not get the expected result. I decided to repeat my experiment described here:
http://forums.freebsd.org/viewtopic...e69c08685ba8819e73535107d84&start=100#p248323
85.113.221.175 - external ip.
Ping from client(10.1.1.100) to 62.33.98.20 unsuccessfull (doesn`t work anywhere)

tcpdump from server:
Code:
# tcpdump -i ng0 -n 'host 62.33.98.20'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng0, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
13:30:49.962631 IP 85.113.221.175 > 62.33.98.20: ICMP echo request, id 32978, seq 19, length 40
13:30:50.086722 IP 62.33.98.20 > 85.113.221.175: ICMP echo reply, id 32978, seq 19, length 40
13:30:54.482136 IP 85.113.221.175 > 62.33.98.20: ICMP echo request, id 32978, seq 20, length 40
13:30:54.606151 IP 62.33.98.20 > 85.113.221.175: ICMP echo reply, id 32978, seq 20, length 40
13:30:59.481821 IP 85.113.221.175 > 62.33.98.20: ICMP echo request, id 32978, seq 21, length 40
13:30:59.606052 IP 62.33.98.20 > 85.113.221.175: ICMP echo reply, id 32978, seq 21, length 40
13:31:04.480702 IP 85.113.221.175 > 62.33.98.20: ICMP echo request, id 32978, seq 22, length 40
13:31:04.604815 IP 62.33.98.20 > 85.113.221.175: ICMP echo reply, id 32978, seq 22, length 40

Ping from client (10.1.1.100) to server (10.1.1.1) doesn`t work too.
Ping to external server ip (85.113.221.175) is successful!
Ping from server (10.1.1.1) to client (10.1.1.100) doesn`t work. This is tcpdump output on the server (ng1 - interface to client 10.1.1.100):
Code:
# tcpdump -i ng1 -n 'host 10.1.1.100'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng1, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
14:08:18.474498 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 16, length 64
14:08:18.507610 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 16, length 64
14:08:18.558783 IP 10.1.1.100.137 > 10.1.1.1.137: NBT UDP PACKET(137): REFRESH(8); REQUEST; UNICAST
14:08:19.476525 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 17, length 64
14:08:19.509476 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 17, length 64
14:08:20.485218 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 18, length 64
14:08:20.518695 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 18, length 64
14:08:21.497361 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 19, length 64
14:08:21.530536 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 19, length 64
114:08:22.509121 IP 85.113.221.175 > 10.1.1.100: ICMP echo request, id 33253, seq 20, length 64
14:08:22.543820 IP 10.1.1.100 > 85.113.221.175: ICMP echo reply, id 33253, seq 20, length 64


It is very strange because this is worked on FreeBSD-10.0 RELEASE:
Code:
This is a reversion of the 254519 on 10.0-STABLE:

Index: netinet/ip_var.h
===================================================================
--- netinet/ip_var.h    (revision 262459)
+++ netinet/ip_var.h    (working copy)
@@ -163,12 +163,10 @@
 #define IP_ALLOWBROADCAST    SO_BROADCAST    /* 0x20 can send broadcast packets */
 
 /*
- * IPv4 protocol layer specific mbuf flags.
+ * mbuf flag used by ip_fastfwd
  */
 #define    M_FASTFWD_OURS        M_PROTO1    /* changed dst to local */
 #define    M_IP_NEXTHOP        M_PROTO2    /* explicit ip nexthop */
-#define    M_SKIP_FIREWALL        M_PROTO3    /* skip firewall processing,
-                           keep in sync with IP6 */
 #define    M_IP_FRAG        M_PROTO4    /* fragment reassembly */
 
 #ifdef __NO_STRICT_ALIGNMENT
Index: netinet6/ip6_var.h
===================================================================
--- netinet6/ip6_var.h    (revision 262459)
+++ netinet6/ip6_var.h    (working copy)
@@ -293,12 +293,7 @@
 #define    IPV6_FORWARDING        0x02    /* most of IPv6 header exists */
 #define    IPV6_MINMTU        0x04    /* use minimum MTU (IPV6_USE_MIN_MTU) */
 
-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define    M_IP6_NEXTHOP        M_PROTO2    /* explicit ip nexthop */
-#define    M_SKIP_FIREWALL        M_PROTO3    /* skip firewall processing,
-                           keep in sync with IPv4 */
+#define    M_IP6_NEXTHOP        M_PROTO7    /* explicit ip nexthop */
 
 #ifdef __NO_STRICT_ALIGNMENT
 #define IP6_HDR_ALIGNED_P(ip)    1
Index: sys/mbuf.h
===================================================================
--- sys/mbuf.h    (revision 262459)
+++ sys/mbuf.h    (working copy)
@@ -235,7 +235,7 @@
 #define    M_PROTO9    0x00100000 /* protocol-specific */
 #define    M_PROTO10    0x00200000 /* protocol-specific */
 #define    M_PROTO11    0x00400000 /* protocol-specific */
-#define    M_PROTO12    0x00800000 /* protocol-specific */
+#define    M_SKIP_FIREWALL    0x00800000
 
 /*
  * Flags to purge when crossing layers.
@@ -242,13 +242,13 @@
  */
 #define    M_PROTOFLAGS \
     (M_PROTO1|M_PROTO2|M_PROTO3|M_PROTO4|M_PROTO5|M_PROTO6|M_PROTO7|M_PROTO8|\
-     M_PROTO9|M_PROTO10|M_PROTO11|M_PROTO12)
+     M_PROTO9|M_PROTO10|M_PROTO11)
 
 /*
  * Flags preserved when copying m_pkthdr.
  */
 #define M_COPYFLAGS \
-    (M_PKTHDR|M_EOR|M_RDONLY|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
+    (M_PKTHDR|M_EOR|M_RDONLY|M_SKIP_FIREWALL|M_BCAST|M_MCAST|M_VLANTAG|M_PROMISC| \
      M_PROTOFLAGS)
 
 /*
@@ -255,12 +255,12 @@
  * Mbuf flag description for use with printf(9) %b identifier.
  */
 #define    M_FLAG_BITS \
-    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_BCAST\6M_MCAST" \
-    "\7M_PROMISC\10M_VLANTAG\11M_FLOWID"
+    "\20\1M_EXT\2M_PKTHDR\3M_EOR\4M_RDONLY\5M_SKIP_FIREWALL\6M_BCAST\7M_MCAST" \
+    "\8M_PROMISC\10M_VLANTAG\11M_FLOWID"
 #define    M_FLAG_PROTOBITS \
     "\15M_PROTO1\16M_PROTO2\17M_PROTO3\20M_PROTO4\21M_PROTO5" \
     "\22M_PROTO6\23M_PROTO7\24M_PROTO8\25M_PROTO9\26M_PROTO10" \
-    "\27M_PROTO11\30M_PROTO12"
+    "\27M_PROTO11"
 #define    M_FLAG_PRINTF (M_FLAG_BITS M_FLAG_PROTOBITS)
 
 /*

But this isn`t works on FreeBSD-10 STABLE:
Code:
Modified: stable/10/sys/netinet/ip_input.c
==============================================================================
--- stable/10/sys/netinet/ip_input.c	Tue Mar 18 16:41:32 2014	(r263306)
+++ stable/10/sys/netinet/ip_input.c	Tue Mar 18 16:56:05 2014	(r263307)
@@ -707,6 +707,7 @@ ours:
* ip_reass() will return a different mbuf.
*/
if (ip->ip_off & htons(IP_MF | IP_OFFMASK)) {
+	/* XXXGL: shouldn't we save & set m_flags? */
m = ip_reass(m);
if (m == NULL)
return;
@@ -799,6 +800,8 @@ SYSCTL_PROC(_net_inet_ip, OID_AUTO, maxf
NULL, 0, sysctl_maxnipq, "I",
"Maximum number of IPv4 fragment reassembly queue entries");

+#define	M_IP_FRAG	M_PROTO9
+
/*
* Take incoming datagram fragment and try to reassemble it into
* whole datagram. If the argument is the first fragment or one

Modified: stable/10/sys/netinet/ip_var.h
==============================================================================
--- stable/10/sys/netinet/ip_var.h	Tue Mar 18 16:41:32 2014	(r263306)
+++ stable/10/sys/netinet/ip_var.h	Tue Mar 18 16:56:05 2014	(r263307)
@@ -162,15 +162,6 @@ void	kmod_ipstat_dec(int statnum);
#define IP_ROUTETOIF	SO_DONTROUTE	/* 0x10 bypass routing tables */
#define IP_ALLOWBROADCAST	SO_BROADCAST	/* 0x20 can send broadcast packets */

-/*
- * IPv4 protocol layer specific mbuf flags.
- */
-#define	M_FASTFWD_OURS	M_PROTO1	/* changed dst to local */
-#define	M_IP_NEXTHOP	M_PROTO2	/* explicit ip nexthop */
-#define	M_SKIP_FIREWALL	M_PROTO3	/* skip firewall processing,
-	keep in sync with IP6 */
-#define	M_IP_FRAG	M_PROTO4	/* fragment reassembly */
-
#ifdef __NO_STRICT_ALIGNMENT
#define IP_HDR_ALIGNED_P(ip)	1
#else

Modified: stable/10/sys/netinet6/in6.h
==============================================================================
--- stable/10/sys/netinet6/in6.h	Tue Mar 18 16:41:32 2014	(r263306)
+++ stable/10/sys/netinet6/in6.h	Tue Mar 18 16:56:05 2014	(r263307)
@@ -622,13 +622,18 @@ struct ip6_mtuinfo {
#endif /* __BSD_VISIBLE */

/*
- * Redefinition of mbuf flags
+ * Since both netinet/ and netinet6/ call into netipsec/ and netpfil/,
+ * the protocol specific mbuf flags are shared between them.
*/
-#define	M_AUTHIPHDR	M_PROTO2
-#define	M_DECRYPTED	M_PROTO3
-#define	M_LOOP	M_PROTO4
-#define	M_AUTHIPDGM	M_PROTO5
-#define	M_RTALERT_MLD	M_PROTO6
+#define	M_FASTFWD_OURS	M_PROTO1	/* changed dst to local */
+#define	M_IP6_NEXTHOP	M_PROTO2	/* explicit ip nexthop */
+#define	M_IP_NEXTHOP	M_PROTO2	/* explicit ip nexthop */
+#define	M_SKIP_FIREWALL	M_PROTO3	/* skip firewall processing */
+#define	M_AUTHIPHDR	M_PROTO4
+#define	M_DECRYPTED	M_PROTO5
+#define	M_LOOP	M_PROTO6
+#define	M_AUTHIPDGM	M_PROTO7
+#define	M_RTALERT_MLD	M_PROTO8

#ifdef _KERNEL
struct cmsghdr;

Modified: stable/10/sys/netinet6/ip6_var.h
==============================================================================
--- stable/10/sys/netinet6/ip6_var.h	Tue Mar 18 16:41:32 2014	(r263306)
+++ stable/10/sys/netinet6/ip6_var.h	Tue Mar 18 16:56:05 2014	(r263307)
@@ -293,13 +293,6 @@ struct ip6aux {
#define	IPV6_FORWARDING	0x02	/* most of IPv6 header exists */
#define	IPV6_MINMTU	0x04	/* use minimum MTU (IPV6_USE_MIN_MTU) */

-/*
- * IPv6 protocol layer specific mbuf flags.
- */
-#define	M_IP6_NEXTHOP	M_PROTO2	/* explicit ip nexthop */
-#define	M_SKIP_FIREWALL	M_PROTO3	/* skip firewall processing,
-	keep in sync with IPv4 */
-
#ifdef __NO_STRICT_ALIGNMENT
#define IP6_HDR_ALIGNED_P(ip)	1
#else
 

Senya88

Member


Messages: 27

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

@gamanakis, all right, the patch described in https://www.freebsd.org/cgi/query-pr.cgi?pr=185876&cat=kern work out of the box. Maybe the problem is something else.
Problem: do IPSEC/L2TP tunnels for users who are behind NAT

Solution:
  1. Apply patches to racoon (5 patches)
  2. Get source code FreeBSD-10 STABLE
  3. Apply patch for NAT-T to kernel (net.inet.esp.esp_ignore_natt_cksum=1)
  4. Compile and install kernel (not a world)

IPFW rules:
Code:
00900 nat 123 ip from 10.1.1.0/24 to any
00901 nat 123 ip from any to 85.113.221.175

Latest tests:
Ping from server 10.1.1.1 to client 10.1.1.100 is successful.
Ping from client to server failed.
tcpdump from server (ng1 tunnel interface for client 10.1.1.100):
Code:
# tcpdump -i ng1 -n 'host 10.1.1.1'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ng1, link-type NULL (BSD loopback), capture size 65535 bytes
capability mode sandbox enabled
12:56:48.768038 IP 10.1.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 45, length 40
12:56:48.768147 IP 10.1.1.1 > 10.1.1.100: ICMP echo reply, id 1, seq 45, length 40
12:56:53.502041 IP 10.1.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 46, length 40
12:56:53.502146 IP 10.1.1.1 > 10.1.1.100: ICMP echo reply, id 1, seq 46, length 40
12:56:58.502026 IP 10.1.1.100 > 10.1.1.1: ICMP echo request, id 1, seq 47, length 40
12:56:58.502137 IP 10.1.1.1 > 10.1.1.100: ICMP echo reply, id 1, seq 47, length 40
As if all is well, but on the client the ping failed. Firewall client is disabled. Now I do a dump of the traffic, but has not yet found the cause.
 
Last edited by a moderator:

Senya88

Member


Messages: 27

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

While established one fact, this situation even without IPSEC. If you are using PPTP situation is similar.
 

Senya88

Member


Messages: 27

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

During the test I got some very interesting results!
I had built into the kernel and set in mpd5 MPPC and MPPE, as follows:

Code:
         set bundle enable crypt-reqd 
         set ccp yes mppc 
         set mppc yes compress e40 e56 e128 stateless

After I removed compress, everything was working! Obtained FreeBSD-10 STABLE (PRERELEASE) does not work MPPC.

PS Also works if you remove MPPC in PPP in the connection properties!
 

obsigna

Daemon

Reaction score: 892
Messages: 1,284

Re: Howto set up a L2TP/IPsec VPN Dial-In Server (Part I to

Applying patches to security/ipsec-tools, and patches to an IPsec enabled kernel, the L2TP/IPsec VPN Dial-In Server works for me with and without NAT for a number of clients, and with respect to the clients out of the box, i.e. no special software needs to be installed:
  • Mac OS X 10.5 - 10.9
  • iOS 6 - 7.1
  • Windows XP and Windows 7
For the patching procedure see http://forums.freebsd.org/viewtopic.php?p=237778, and for new links to the patches see http://forums.freebsd.org/viewtopic.php?p=258710.

Please, may I ask to complete the list of compatible Client Operating Systems of the L2TP/IPsec VPN Dial-In Server, which is the subject of the given thread (PPTP, OpenVPN, etc., are different animals).
  • Does Windows 8.x work?
  • Which Android versions do work?
  • What about *nix-Clients?
Please indicate, if the respective client OS works out of the box, or whether special software (which?) need to be installed for access to the given L2TP/IPsec Dial-In Server.
 

helicopter

New Member


Messages: 9

I use FreeBSD 10.1 and I applied all patches for kernel and racoon and it works if all clients have different IP. Nevertheless I have a problem when more than one clients are placed behind the same NAT. The first client connects fine but when the second one trying to connect - the connection couldn't be established. Moreover it breaks the first connection. Could somebody help me with this problem ?

racoon.conf
Code:
# $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $

# "path" affects "include" directives.  "path" must be specified before any
# "include" directive with relative file path.
# you can overwrite "path" directive afterwards, however, doing so may add
# more confusion.
#path include "@sysconfdir_x@/racoon";
#include "remote.conf";

# the file should contain key ID/key pairs, for pre-shared key authentication.
#path pre_shared_key "@sysconfdir_x@/racoon/psk.txt";
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

# racoon will look for certificate file in the directory,
# if the certificate/certificate request payload is received.
#path certificate "@sysconfdir_x@/cert";
#path certificate "/usr/local/etc/racoon/cert";

# "log" specifies logging level.  It is followed by either "notify", "debug"
# or "debug2".
#log debug;
#log debug;
#log info;

# "padding" defines some padding parameters.  You should not touch these.
padding
{
  maximum_length 20;  # maximum padding length.
  randomize off;  # enable randomize length.
  strict_check off;  # enable strict check.
  exclusive_tail off;  # extract last one octet.
}

# if no listen directive is specified, racoon will listen on all
# available interface addresses.
listen
{
  isakmp 1.2.3.4 [500];
  isakmp_natt 1.2.3.4 [4500];
  strict_address;
}

# Specify various default timers.
timer
{
  # These value can be changed per remote node.
  counter 5;  # maximum trying count to send.
  interval 20 sec;  # maximum interval to resend.
  persend 1;  # the number of packets per send.

  # maximum time to wait for completing each phase.
  iphase1 30 sec;
  phase2 15 sec;
}

remote anonymous
{
  exchange_mode aggressive,main;
  generate_policy on;
  passive on;
  verify_cert off;
  ike_frag on;
  my_identifier address;

  proposal_check obey;
  support_proxy on;
  nat_traversal on;
  lifetime time 2 min;
  dpd_delay 20;

  doi ipsec_doi;

  proposal {
  encryption_algorithm aes;
  hash_algorithm sha1;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }

  proposal {
  encryption_algorithm 3des;
  hash_algorithm sha1;
  #authentication_method rsasig;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }

  proposal {
  encryption_algorithm aes;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }

  proposal {
  encryption_algorithm 3des;
  hash_algorithm md5;
  authentication_method pre_shared_key;
  dh_group modp1024;
  }
}


sainfo anonymous
{
  pfs_group modp1024;
  encryption_algorithm 3des;
  authentication_algorithm hmac_sha1;
  lifetime time 1 hour;
  compression_algorithm deflate;
}


sainfo anonymous

{
  pfs_group modp1024;
  encryption_algorithm aes;
  authentication_algorithm hmac_sha1;
  lifetime time 1 hour;
  compression_algorithm deflate;
}

mpd.conf
Code:
#################################################################
#
#  MPD configuration file
#
# This file defines the configuration for mpd: what the
# bundles are, what the links are in those bundles, how
# the interface should be configured, various PPP parameters,
# etc. It contains commands just as you would type them
# in at the console. Lines without padding are labels. Lines
# starting with a "#" are comments.
#
# $Id: mpd.conf.sample,v 1.45 2007/11/26 20:41:37 amotin Exp $
#
#################################################################

startup:
  log +ALL
  # configure mpd users
  set user [...]
  ## configure the console
  # set console self 127.0.0.1 5005
  # set console open
  ## configure the web server
  # set web self 0.0.0.0 5006
  # set web open

#
# Default configuration is "dialup"

default:
  load l2tp_server

l2tp_server:
# Define dynamic IP address pool.
  set ippool add pool 172.16.2.100 172.16.2.250
# Create clonable bundle template named Bl
  create bundle template Bl
  set iface enable proxy-arp
  #set iface idle 1800
  set iface enable tcpmssfix
  set ipcp yes vjcomp
# Specify IP address pool for dynamic assigment.
  set ipcp ranges 172.16.2.1/32 ippool pool
  set ipcp dns 172.16.2.1
# The five lines below enable Microsoft Point-to-Point encryption
# (MPPE) using the ng_mppc(8) netgraph node type.
  set bundle enable compression
  set ccp yes mppc
  set mppc yes e40
  set mppc yes e128
  set mppc yes stateless
# Create clonable link template named Ll
  create link template Ll l2tp
# Set bundle template to use
  set link action bundle Bl
# Multilink adds some overhead, but gives full 1500 MTU.
  set link enable multilink
  set link yes acfcomp protocomp
  set link no pap chap eap
  set link enable chap-msv2
  set link keep-alive 10 60
# We reducing link mtu to avoid GRE packet fragmentation
  set link mtu 1460
# Configure l2tp
  set l2tp self 1.2.3.4
  set l2tp enable length
# Allow to accept calls
  set link enable incoming

setkey.conf
Code:
flush;
spdflush;

spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] any -P in ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] any -P out ipsec esp/transport//require;
 

Senya88

Member


Messages: 27

Hello All!

I recently upgraded from 10.1-PRERELEASE to 10.1-STABLE.
When I had 10.1-PRERELEASE it worked fine. I applied the patch (see attachment), so IPSEK + L2TP worked. Now it does not work, see the log:


Code:
Feb 10 11:55:07 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000021
Feb 10 11:55:07 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000012
2015-02-10 11:55:07: INFO: ISAKMP-SA deleted 85.113.221.175[4500]-195.239.236.30[34049] spi:ee20073889d64f8d:9ed345652af7285b
2015-02-10 11:55:07: INFO: KA remove: 85.113.221.175[4500]->195.239.236.30[34049]
2015-02-10 11:55:07: ERROR: pfkey X_SPDDELETE failed: Invalid argument
2015-02-10 11:55:07: ERROR: pfkey X_SPDDELETE failed: Invalid argument
tear down SA: delete 195.239.236.30[34049] 85.113.221.175[4500] esp-udp 236912057;
2015-02-10 11:55:08: INFO: unsupported PF_KEY message REGISTER
2015-02-10 11:55:09: ERROR: no iph2 found: ESP 195.239.236.30[500]->85.113.221.175[500] spi=236912057(0xe1efdb9)
2015-02-10 12:01:14: ERROR: Invalid exchange type 243 from 77.70.0.98[500].
2015-02-10 12:16:40: INFO: respond new phase 1 negotiation: 85.113.221.175[500]<=>195.239.236.30[500]
2015-02-10 12:16:40: INFO: begin Identity Protection mode.
2015-02-10 12:16:40: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2015-02-10 12:16:40: INFO: received Vendor ID: RFC 3947
2015-02-10 12:16:40: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2015-02-10 12:16:40: INFO: received Vendor ID: FRAGMENTATION
2015-02-10 12:16:40: [195.239.236.30] INFO: Selected NAT-T version: RFC 3947
2015-02-10 12:16:40: ERROR: invalid DH group 20.
2015-02-10 12:16:40: ERROR: invalid DH group 19.
2015-02-10 12:16:40: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2015-02-10 12:16:40: INFO: NAT-D payload #0 verified
2015-02-10 12:16:40: [195.239.236.30] INFO: Hashing 195.239.236.30[500] with algo #2
2015-02-10 12:16:40: INFO: NAT-D payload #1 doesn't match
2015-02-10 12:16:40: INFO: NAT detected: PEER
2015-02-10 12:16:40: [195.239.236.30] INFO: Hashing 195.239.236.30[500] with algo #2
2015-02-10 12:16:40: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2015-02-10 12:16:40: INFO: Adding remote and local NAT-D payloads.
Feb 10 12:16:40 server racoon: phase1(ident R msg1): 0.000825
Feb 10 12:16:40 server racoon: oakley_dh_generate(MODP1024): 0.008891
Feb 10 12:16:40 server racoon: oakley_dh_compute(MODP1024): 0.009156
2015-02-10 12:16:40: INFO: NAT-T: ports changed to: 195.239.236.30[28705]<->85.113.221.175[4500]
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=64): 0.000029
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000010
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000008
Feb 10 12:16:40 server racoon: phase1(ident R msg2): 0.300523
2015-02-10 12:16:40: INFO: KA list add: 85.113.221.175[4500]->195.239.236.30[28705]
Feb 10 12:16:40 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=40): 0.000028
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=488): 0.000027
Feb 10 12:16:40 server racoon: oakley_validate_auth(pre-shared key): 0.000157
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=488): 0.000084
Feb 10 12:16:40 server racoon: alg_oakley_encdef_encrypt(3des klen=192 size=40): 0.000025
Feb 10 12:16:40 server racoon: phase1(ident R msg3): 0.001025
Feb 10 12:16:40 server racoon: phase1(Identity Protection): 0.335384
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000011
Feb 10 12:16:40 server racoon: alg_oakley_encdef_encrypt(3des klen=192 size=56): 0.000023
2015-02-10 12:16:40: INFO: ISAKMP-SA established 85.113.221.175[4500]-195.239.236.30[28705] spi:b95f4a159532e23f:ac9d1f938d145a3a
2015-02-10 12:16:40: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>195.239.236.30[28705]
Feb 10 12:16:40 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=304): 0.000040
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=276): 0.000024
2015-02-10 12:16:40: INFO: Update the generated policy : 195.239.236.30/32[1701] 85.113.221.175/32[1701] proto=udp dir=in
2015-02-10 12:16:40: INFO: Adjusting my encmode UDP-Transport->Transport
2015-02-10 12:16:40: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Feb 10 12:16:40 server racoon: phase2(???): 0.000853
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=188): 0.000012
Feb 10 12:16:40 server racoon: alg_oakley_encdef_encrypt(3des klen=192 size=168): 0.000029
Feb 10 12:16:40 server racoon: phase2(quick R msg1): 0.000454
2015-02-10 12:16:40: INFO: IPsec-SA established: ESP 85.113.221.175[500]->195.239.236.30[500] spi=178702525(0xaa6c8bd)
Feb 10 12:16:40 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=32): 0.000021
2015-02-10 12:16:40: INFO: IPsec-SA established: ESP 85.113.221.175[500]->195.239.236.30[500] spi=26977002(0x19ba2ea)
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=69): 0.000028
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=69): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=89): 0.000008
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=89): 0.000009
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=69): 0.000008
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=89): 0.000008
Feb 10 12:16:40 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=89): 0.000008
Feb 10 12:16:40 server racoon: phase2(???): 0.001156
Feb 10 12:16:40 server racoon: phase2(quick): 1423559800.612272
Feb 10 12:17:15 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=48): 0.000024
Feb 10 12:17:15 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000019
Feb 10 12:17:15 server racoon: alg_oakley_encdef_decrypt(3des klen=192 size=56): 0.000025
Feb 10 12:17:15 server racoon: alg_oakley_hmacdef_one(hmac_sha1 size=32): 0.000020
2015-02-10 12:17:15: INFO: ISAKMP-SA expired 85.113.221.175[4500]-195.239.236.30[28705] spi:b95f4a159532e23f:ac9d1f938d145a3a
2015-02-10 12:17:15: INFO: deleting a generated policy.
2015-02-10 12:17:15: INFO: ISAKMP-SA deleted 85.113.221.175[4500]-195.239.236.30[28705] spi:b95f4a159532e23f:ac9d1f938d145a3a
2015-02-10 12:17:15: INFO: KA remove: 85.113.221.175[4500]->195.239.236.30[28705]
2015-02-10 12:17:15: ERROR: pfkey X_SPDDELETE failed: Invalid argument
2015-02-10 12:17:15: ERROR: pfkey X_SPDDELETE failed: Invalid argument
tear down SA: delete 195.239.236.30[28705] 85.113.221.175[4500] esp-udp 178702525;
2015-02-10 12:17:16: INFO: unsupported PF_KEY message REGISTER
2015-02-10 12:17:16: ERROR: no iph2 found: ESP 195.239.236.30[500]->85.113.221.175[500] spi=178702525(0xaa6c8bd)

FreeBSD 10.1-STABLE has broken IPSEC+NAT-T ?
 

Attachments

  • ipsec-patches-FBSD-10.0.diff.zip
    3.4 KB · Views: 182

sbh01

New Member


Messages: 1

Has anyone had any luck connecting with Windows 7 or Android?

I keep getting the following in my log files

Code:
*** IP1: External IP 1
*** IP2: External IP 2
2012-07-18 17:06:05: INFO: respond new phase 1 negotiation: IP1[500]<=> IP2[500]
2012-07-18 17:06:05: INFO: begin Identity Protection mode.
2012-07-18 17:06:05: INFO: received Vendor ID: RFC 3947
2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02

2012-07-18 17:06:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2012-07-18 17:06:05: INFO: received broken Microsoft ID: FRAGMENTATION
2012-07-18 17:06:05: [IP2] INFO: Selected NAT-T version: RFC 3947
2012-07-18 17:06:05: [IP1] INFO: Hashing IP1[500] with algo #2
2012-07-18 17:06:05: INFO: NAT-D payload #0 verified
2012-07-18 17:06:05: [IP2] INFO: Hashing IP2[500] with algo #2
2012-07-18 17:06:05: INFO: NAT-D payload #1 verified
2012-07-18 17:06:05: INFO: NAT not detected
2012-07-18 17:06:05: [IP2] INFO: Hashing IP2[500] with algo #2
2012-07-18 17:06:05: [IP1] INFO: Hashing IP1[500] with algo #2
2012-07-18 17:06:05: INFO: Adding remote and local NAT-D payloads.
2012-07-18 17:06:05: INFO: ISAKMP-SA established IP1[500]-IP2[500] spi:66eebb5ffd4c7792:4d0fe1bb470a9d52
2012-07-18 17:06:05: [IP2] INFO: received INITIAL-CONTACT
2012-07-18 17:06:06: INFO: respond new phase 2 negotiation: IP1[500]<=>IP2[500]
2012-07-18 17:06:06: INFO: IPsec-SA established: ESP/Transport IP1[500]->IP2[500] spi=201111091(0xbfcb633)
2012-07-18 17:06:06: INFO: IPsec-SA established: ESP/Transport IP1[500]->IP2[500] spi=233175(0x38ed7)
*** NOTHING MORE HAPPENS HERE ***

It seems as though I am getting the mentioned problem that Android and Windows seem to speak directly with mpd instead of going via racoon.

I got the same.
Did you find out what is the problem?
 

tauri

New Member

Reaction score: 2
Messages: 1

10.1-RELEASE-p6 FreeBSD 10.1-RELEASE-p6 #1 r279985M
+
Code:
Index: sys/netipsec/ipsec_input.c
===================================================================
--- sys/netipsec/ipsec_input.c  (revision 279985)
+++ sys/netipsec/ipsec_input.c  (working copy)
@@ -349,6 +349,16 @@
  }
  prot = ip->ip_p;

+#ifdef IPSEC_NAT_T
+  if (saidx->mode == IPSEC_MODE_TRANSPORT && sproto == IPPROTO_ESP) {
+  if (prot == IPPROTO_TCP || prot == IPPROTO_UDP) {
+  /* Ignore checksum of packet protected by ESP.  */
+  m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
+  m->m_pkthdr.csum_data = 0xffff;
+  }
+  }
+#endif
+
 #ifdef notyet
  /* IP-in-IP encapsulation */
  if (prot == IPPROTO_IPIP) {
ipsec-tools-0.8.2 from ports, without additional patches.

works, but only one client behind a nat
 

obsigna

Daemon

Reaction score: 892
Messages: 1,284

10.1-RELEASE-p6 FreeBSD 10.1-RELEASE-p6 #1 r279985M
+
Code:
Index: sys/netipsec/ipsec_input.c
===================================================================
--- sys/netipsec/ipsec_input.c  (revision 279985)
+++ sys/netipsec/ipsec_input.c  (working copy)
@@ -349,6 +349,16 @@
  }
  prot = ip->ip_p;

+#ifdef IPSEC_NAT_T
+  if (saidx->mode == IPSEC_MODE_TRANSPORT && sproto == IPPROTO_ESP) {
+  if (prot == IPPROTO_TCP || prot == IPPROTO_UDP) {
+  /* Ignore checksum of packet protected by ESP.  */
+  m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
+  m->m_pkthdr.csum_data = 0xffff;
+  }
+  }
+#endif
+
#ifdef notyet
  /* IP-in-IP encapsulation */
  if (prot == IPPROTO_IPIP) {
ipsec-tools-0.8.2 from ports, without additional patches.

works, but only one client behind a nat

I switched from security/ipsec-tools to security/strongswan. Only strongswan enables Multi-NATT without problems. For Windows connectivity, I have a similar patch in place as your above one. And the important point is that only this one must be applied, that means all the other patches that were discussed at various posts in this thread must be removed.

NOTE: I am the original author of this HOWTO (that time my login name was rolfheinrich). I suggest to everybody to switch from security/ipsec-tools to security/strongswan - for the various settings see: http://blog.obsigna.net/?p=520. Nothing needs to be changed on a working net/mpd5 setup.

If Windows connectivity is important via L2TP/IPsec then you need to apply the above patch of tauri -- IMPORTANT, only this one, nothing else. Another option is to use IKEv2/IPsec for Windows.

My strongswan settings follow.
/usr/local/etc/strongswan.conf:
Code:
charon
{
   load_modular = yes
   plugins
   {
      include strongswan.d/charon/*.conf
   }

   install_virtual_ip_on = re0
   install_virtual_ip = yes
   install_routes = no
   process_route = no

   syslog
   {
      identifier = ipsec
      daemon
      {
         ike_name = yes
      }
   }
}

/usr/local/etc/ipsec.conf
Code:
conn L2TP/IPsec-PSK
   keyexchange = ikev1
   type = transport
   leftauth = psk
   rightauth = psk
   left = %defaultroute
   right = %any
   auto = add

conn L2TP/IPsec-RSA
   keyexchange = ikev1
   type = transport
   leftcert = ipsec-service-cert.pem
   rightcert = ipsec-clients-cert.pem
   left = %defaultroute
   right = %any
   auto = add

conn IKEv2
   keyexchange = ikev2
   leftcert = ipsec-service-cert.pem
   rightcert = ipsec-clients-cert.pem
   left = %defaultroute
   leftsubnet = 0.0.0.0/0
   right = %any
   rightdns = 192.168.1.1
   rightsourceip = 192.168.1.176/28
   auto = add

/usr/local/etc/ipsec.secrets
Code:
: PSK "Dp5GU42F7omBhMVLiJi5V6Em3JWTyJ1"
: RSA ipsec-service-key.pem
 

obsigna

Daemon

Reaction score: 892
Messages: 1,284

I would be very grateful if you would post your patch for windows.
Here it comes:
Code:
--- sys/netipsec/ipsec_input.c.orig    2014-11-19 08:49:47.000000000 -0200
+++ sys/netipsec/ipsec_input.c    2015-01-14 20:45:39.000000000 -0300
@@ -349,6 +349,14 @@ ipsec4_common_input_cb(struct mbuf *m, s
    }
    prot = ip->ip_p;

+#ifdef IPSEC_NAT_T
+    if (saidx->mode == IPSEC_MODE_TRANSPORT && sproto == IPPROTO_ESP && prot == IPPROTO_UDP) {
+        /* Ignore UDP checksum of packet protected by ESP.  */
+        m->m_pkthdr.csum_flags |= (CSUM_DATA_VALID | CSUM_PSEUDO_HDR);
+        m->m_pkthdr.csum_data = 0xffff;
+    }
+#endif
+
#ifdef notyet
    /* IP-in-IP encapsulation */
    if (prot == IPPROTO_IPIP) {
This one differs form the patch of tauri by that it disables checksumming for the UDP protocol only (no changes for TCP). Note, that in the case of IPv4, the UDP checksum is optional, while the TCP checksum is required. In the present case, ESP does already its own integrity checks, making the checksum of UDP somewhat redundant, and for this reason in the case of mode == IPSEC_MODE_TRANSPORT && sproto == IPPROTO_ESP && prot == IPPROTO_UDP we may simply ignore it.

In order to apply above patch, login as root and save it to ~/ipsec-ignore-esp+udp-checksum.patch, then use the following command sequence:
cd /usr/src
patch < ~/ipsec-ignore-esp+udp-checksum.patch

Finally you need to recompile the kernel.
 
Top