On 2013-09-07, Christoph Leser <[email protected]> wrote:
>> From: [email protected] [[email protected]] on behalf of
>> "Stuart Henderson" [[email protected]]
>> Sent: Saturday, 7 September 2013 00:11
>> To: [email protected]
>> Subject: Re: ISAKMPD NAT/Traversal
>
>> On 2013-09-06, Christoph Leser <[email protected]> wrote:
>>> Hello, list,
>>>
>>> From a remark by Stuart Henderson on an older thread
>>> http://marc.info/?l=openbsd-misc&m=134849788026722&w=2 back in September
>>> 2012, I understood that NAT-T support in OpenBSD was not complete at that
>>> time, especially the handling of the 'ENCAPSULATION_MODE' attribute in the
>>> phase 2 'TRANSFORM'. Sometimes this gets set to a value incompatible with
>>> other equipment (Cisco).
>>>
>>> Can someone please point me to where I can find more information on this
>>> matter. Has anything changed in OpenBSD with regard to this? Will OpenBSD
>>> follow RFC3947 with regard to the encapsulation modes (or is RFC3947 dead;
>>> it seems to have been a proposed standard since 2005)?
>>>
>>> Kind regards
>>>
>>> Christoph Leser
>>>
>>> S&P Computersysteme GmbH
>>> Zettachring 4
>>> 70567 Stuttgart Fasanenhof
>>>
>>> EMail: [email protected]
>>>
>
>> You misunderstand. OpenBSD uses the proper assigned encapsulation mode
>> values from the newer internet-drafts and the published RFC:
>>
>> http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-04#section-5.1
>> http://tools.ietf.org/html/rfc3947#section-5.1
>>
>> It is Cisco who use the old encapsulation mode values from the early
>> versions of the internet-draft (marked "XXX CHANGE" here):
>>
>> http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-03#section-5.1
>
> Thanks for the clarification. Does that mean that OpenBSD sends
> UDP-Encapsulated-Tunnel (=3) mode when it detects NAT? But the
> isakmpd.pcap still shows "attribute ENCAPSULATION_MODE = TUNNEL" in the
> TRANSFORM payload?

IIRC that is the case.

> I ask because I have problems with a SonicWall behind a NAT on the
> remote site, which claims that my OpenBSD sends "TUNNEL (=1) instead of
> Encapsulated Tunnel (=3)".

At this point I think you probably need to break out the debug logs to
try and work out what's going on. My general-use logging setup for
isakmpd is "-v -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30
-D10=20" though sometimes certain areas need tweaking.
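The disagreement in the thread is about which numeric value a peer puts in the IPsec DOI Encapsulation Mode attribute of the phase 2 Transform payload: TUNNEL (1) from RFC 2407, UDP-Encapsulated-Tunnel (3) as assigned in draft-ietf-ipsec-nat-t-ike-04 and RFC 3947 section 5.1, or the private-use value 61443 from draft-03 that older Cisco code sends. The decoder below is an added example, not code from the thread or from isakmpd; it parses a raw Transform payload as defined in RFC 2408 (Data Attributes, TV/TLV encoding) and reports which specification the peer's value follows, so a practitioner can check the bytes from a capture instead of relying on the label a dissector prints. The sample payloads are constructed here (an ESP_AES transform with lifetime and HMAC-SHA attributes) and are not taken from anyone's capture.

```python
import struct

# IPsec DOI transform attribute class "Encapsulation Mode" (RFC 2407 section 4.5).
# isakmpd prints this attribute as ENCAPSULATION_MODE in its transform dumps.
ATTR_ENCAPSULATION_MODE = 4

# Encapsulation Mode values: 1/2 from RFC 2407; 3/4 are the assigned NAT-T
# values from draft-ietf-ipsec-nat-t-ike-04 and RFC 3947 section 5.1;
# 61443/61444 are the private-use values from draft-03 that old Cisco code emits.
ENCAP_TUNNEL = 1
ENCAP_TRANSPORT = 2
ENCAP_UDP_TUNNEL = 3
ENCAP_UDP_TRANSPORT = 4
ENCAP_UDP_TUNNEL_DRAFT03 = 61443      # 0xF003
ENCAP_UDP_TRANSPORT_DRAFT03 = 61444   # 0xF004

ENCAP_NAMES = {
    ENCAP_TUNNEL: "TUNNEL",
    ENCAP_TRANSPORT: "TRANSPORT",
    ENCAP_UDP_TUNNEL: "UDP-ENCAPSULATED-TUNNEL",
    ENCAP_UDP_TRANSPORT: "UDP-ENCAPSULATED-TRANSPORT",
    ENCAP_UDP_TUNNEL_DRAFT03: "UDP-ENCAPSULATED-TUNNEL (draft-03 value)",
    ENCAP_UDP_TRANSPORT_DRAFT03: "UDP-ENCAPSULATED-TRANSPORT (draft-03 value)",
}


def parse_data_attributes(body):
    """Parse ISAKMP Data Attributes (RFC 2408 section 3.3).

    The top bit (AF) of the 16-bit type field selects Type/Value (AF=1, the
    16-bit value follows directly) or Type/Length/Value (AF=0, a 16-bit length
    followed by that many value bytes). Returns a list of (type, value) pairs;
    value is an int for TV attributes and bytes for TLV attributes.
    """
    attrs = []
    off = 0
    while off + 4 <= len(body):
        type_field, second = struct.unpack_from("!HH", body, off)
        off += 4
        attr_type = type_field & 0x7FFF
        if type_field & 0x8000:          # AF=1: Type/Value
            attrs.append((attr_type, second))
        else:                            # AF=0: Type/Length/Value
            value = body[off:off + second]
            if len(value) != second:
                raise ValueError("truncated TLV attribute")
            attrs.append((attr_type, value))
            off += second
    if off != len(body):
        raise ValueError("trailing bytes in attribute list")
    return attrs


def parse_transform_payload(payload):
    """Parse one ISAKMP Transform payload (RFC 2408 section 3.6): generic
    header (next payload, reserved, 16-bit length), transform number,
    transform ID, two reserved bytes, then data attributes.
    Returns (transform_number, transform_id, attributes)."""
    if len(payload) < 8:
        raise ValueError("transform payload too short")
    _next, _reserved, length = struct.unpack_from("!BBH", payload, 0)
    if length != len(payload):
        raise ValueError("length field %d != %d bytes" % (length, len(payload)))
    transform_num, transform_id = struct.unpack_from("!BB", payload, 4)
    return transform_num, transform_id, parse_data_attributes(payload[8:])


def encapsulation_mode(attrs):
    """Return the Encapsulation Mode value from parsed attributes, or None."""
    for attr_type, value in attrs:
        if attr_type == ATTR_ENCAPSULATION_MODE:
            if not isinstance(value, int):
                raise ValueError("Encapsulation Mode must be a TV attribute")
            return value
    return None


def classify_encap_mode(value):
    """Say which specification the peer's Encapsulation Mode value follows."""
    if value in (ENCAP_UDP_TUNNEL, ENCAP_UDP_TRANSPORT):
        return "rfc3947"
    if value in (ENCAP_UDP_TUNNEL_DRAFT03, ENCAP_UDP_TRANSPORT_DRAFT03):
        return "draft-03"
    if value in (ENCAP_TUNNEL, ENCAP_TRANSPORT):
        return "no-nat-t"
    return "unknown"


def build_sample_transform(encap_value):
    """Constructed sample (not a capture): ESP_AES transform #1 with Life
    Type=seconds, Life Duration=3600 (TLV), the given Encapsulation Mode,
    and Authentication Algorithm=HMAC-SHA."""
    attrs = (
        b"\x80\x01\x00\x01"                  # SA Life Type (TV) = seconds
        b"\x00\x02\x00\x04\x00\x00\x0e\x10"  # SA Life Duration (TLV, 4 bytes) = 3600
        + struct.pack("!HH", 0x8000 | ATTR_ENCAPSULATION_MODE, encap_value)
        + b"\x80\x05\x00\x02"                # Authentication Algorithm (TV) = HMAC-SHA
    )
    header = struct.pack("!BBH", 0, 0, 8 + len(attrs))  # next payload = NONE
    return header + b"\x01\x0c\x00\x00" + attrs          # transform #1, ID ESP_AES (12)


SAMPLE_RFC3947 = build_sample_transform(ENCAP_UDP_TUNNEL)
SAMPLE_DRAFT03 = build_sample_transform(ENCAP_UDP_TUNNEL_DRAFT03)
SAMPLE_PLAIN = build_sample_transform(ENCAP_TUNNEL)


def describe(payload):
    """One-line summary of the encapsulation mode in a transform payload."""
    _num, _id, attrs = parse_transform_payload(payload)
    value = encapsulation_mode(attrs)
    name = ENCAP_NAMES.get(value, "value %r" % (value,))
    return "ENCAPSULATION_MODE = %s [%s]" % (name, classify_encap_mode(value))


if __name__ == "__main__":
    for sample in (SAMPLE_RFC3947, SAMPLE_DRAFT03, SAMPLE_PLAIN):
        print(describe(sample))
```

To use it on real traffic, feed `parse_transform_payload` the bytes of each Transform payload extracted from the phase 2 SA proposal (for example from a pcap via a packet library); a peer reporting "TUNNEL instead of UDP-Encapsulated-Tunnel" can then be checked against the raw value rather than the dissector's label, and a draft-03 value (0xF003) from a Cisco or similar box shows up as such instead of as an unknown attribute.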

