I've searched the archives and have not seen a similar issue so forgive me
if this has already been answered.

I am running a 3.10.64 kernel and ipsec-tools 0.8.2.

DMVPN using NHRP and IPSec (transport mode) works great until one of the
spokes is behind a NAT.

I have IPsec on the hub configured to generate the policy but what I am
seeing is that when NHRP sends out the registration reply it is not getting
wrapped by IPsec so that spoke never sees it.

As you can see below, OpenNHRP sees that the registration request has been
NAT'd. The address 10.10.10.2 is the WAN IP address of the spoke and
10.0.2.82 is the NAT'd WAN IP address.

# opennhrpctl show
Status: ok

Interface: gre-test
Type: local
Protocol-Address: 192.168.100.255/32
Alias-Address: 192.168.100.254
Flags: up

Interface: gre-test
Type: local
Protocol-Address: 192.168.100.254/32
Flags: up

Interface: gre-test
Type: dynamic
Protocol-Address: 192.168.100.2/32
NBMA-Address: 10.0.2.82
NBMA-NAT-OA-Address: 10.10.10.2
Flags: up
Expires-In: 101:38


The policy that IPSec/racoon generates is below:

src 10.0.0.2/32 dst 10.10.10.2/32 proto 47 
        dir out priority 2147483648 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 10.10.10.2/32 dst 10.0.0.2/32 proto 47 
        dir in priority 2147483648 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0

But for some reason the traffic is not matching these policies.

The only way I can get it to work is to manually add the following policies
on the hub which seems like a hack.

src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234 
        dir fwd priority 0 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234 
        dir in priority 0 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234 
        dir out priority 0 
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport


Any help is appreciated. 



_______________________________________________
opennhrp-devel mailing list
opennhrp-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opennhrp-devel
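The following is an added illustration, not code from the post or from the OpenNHRP/ipsec-tools projects. It parses the two policy dumps quoted above (reproduced as constructed input strings) and applies a simplified version of the Linux xfrm policy lookup to a GRE packet so you can see which entry, if any, a given packet selects. Assumptions: the hub's own address is 10.0.0.2 (read from the generated policy), the hub sends GRE to the spoke at the NBMA address 10.0.2.82 that the NHRP cache reports rather than at the NAT-OA address 10.10.10.2, the GRE key is 1234 (taken from the manual policies), the "socket" entries are per-socket policies that do not take part in the main SPD lookup, and a lower numeric priority wins. It models selector matching only, not templates, SAs or the per-socket path.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the racoon-generated dump from the post, reproduced verbatim.
GENERATED = """\
src 10.0.0.2/32 dst 10.10.10.2/32 proto 47
        dir out priority 2147483648
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 10.10.10.2/32 dst 10.0.0.2/32 proto 47
        dir in priority 2147483648
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
"""

# Constructed input: the three policies the poster added by hand on the hub.
MANUAL = """\
src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234
        dir fwd priority 0
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234
        dir in priority 0
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 proto 47 key 1234
        dir out priority 0
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 0 mode transport
"""


@dataclass
class Policy:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[int]      # IP protocol selector, None = any
    key: Optional[int]        # GRE key selector, None = any
    direction: str            # in / out / fwd
    per_socket: bool          # "socket in/out" entries, bound to one socket
    priority: int             # lower value = consulted first
    tmpl: str = ""            # template text, kept for display only


def parse_policies(text: str) -> list:
    """Parse `ip xfrm policy show` style output into Policy records."""
    policies, cur = [], None
    for raw in text.splitlines():
        toks = raw.split()
        if not toks:
            continue
        if toks[0] == "src":                     # a new selector line starts a policy
            if cur:
                policies.append(cur)
            kv = dict(zip(toks[0::2], toks[1::2]))
            cur = Policy(
                src=ipaddress.ip_network(kv["src"]),
                dst=ipaddress.ip_network(kv["dst"]),
                proto=int(kv["proto"]) if "proto" in kv else None,
                key=int(kv["key"]) if "key" in kv else None,
                direction="", per_socket=False, priority=0)
        elif toks[0] in ("dir", "socket"):       # "dir out priority N" / "socket in priority N"
            cur.direction = toks[1]
            cur.per_socket = toks[0] == "socket"
            cur.priority = int(toks[3])
        elif toks[0] in ("tmpl", "proto"):       # template line and its continuation
            cur.tmpl = (cur.tmpl + " " + " ".join(toks)).strip()
    if cur:
        policies.append(cur)
    return policies


def lookup(policies: list, direction: str, src: str, dst: str,
           proto: int, key: Optional[int] = None) -> Optional[Policy]:
    """Main-SPD lookup: best (lowest priority value) matching policy, or None."""
    best = None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p.per_socket or p.direction != direction:
            continue
        if s not in p.src or d not in p.dst:
            continue
        if p.proto is not None and p.proto != proto:
            continue
        if p.key is not None and p.key != key:
            continue
        if best is None or p.priority < best.priority:
            best = p
    return best


if __name__ == "__main__":
    # Hub -> spoke GRE, addressed at the NBMA address seen on the wire (assumed).
    for label, pols in (("generated", parse_policies(GENERATED)),
                        ("generated+manual", parse_policies(GENERATED + MANUAL))):
        hit = lookup(pols, "out", "10.0.0.2", "10.0.2.82", 47, key=1234)
        print(f"{label:18} GRE 10.0.0.2 -> 10.0.2.82:",
              "no policy (sent in clear)" if hit is None
              else f"{hit.src} -> {hit.dst} prio {hit.priority}")
```

Run it as-is to see the two outcomes side by side; with only the generated entries the hub-to-NBMA packet selects nothing, while the NAT-OA address 10.10.10.2 does select the generated policy, which is consistent with the reply leaving unencrypted until a catch-all proto 47 policy is present.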
