Re: ISAKMPD NAT/Traversal
On 2013-09-07, Christoph Leser le...@sup-logistik.de wrote:
>> From: owner-m...@openbsd.org [owner-m...@openbsd.org] on behalf of Stuart Henderson [s...@spacehopper.org]
>> Sent: Saturday, 7 September 2013 00:11
>> To: misc@openbsd.org
>> Subject: Re: ISAKMPD NAT/Traversal
>>
>> On 2013-09-06, Christoph Leser le...@sup-logistik.de wrote:
>>> Hello, list,
>>>
>>> From a remark by Stuart Henderson on an older thread
>>> http://marc.info/?l=openbsd-misc&m=134849788026722&w=2 back in September 2012,
>>> I understood that NAT-T support in OpenBSD was not complete at that time,
>>> especially the handling of the 'ENCAPSULATION_MODE' attribute in the phase 2
>>> 'TRANSFORM'. Sometimes this gets set to a value incompatible with other
>>> equipment (Cisco).
>>>
>>> Can someone please point me to where I can find more information on this
>>> matter. Has anything changed in OpenBSD with regard to this, will OpenBSD
>>> follow RFC3947 with regard to the encapsulation modes (or is RFC3947 dead,
>>> it seems to be a standard proposal since 2005).
>>>
>>> Kind regards
>>> Christoph Leser
>>> SP Computersysteme GmbH
>>> Zettachring 4
>>> 70567 Stuttgart Fasanenhof
>>> EMail: le...@sup-logistik.de
>>
>> You misunderstand. OpenBSD uses the proper assigned encapsulation mode
>> values from the newer internet-drafts and the published RFC:
>>
>> http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-04#section-5.1
>> http://tools.ietf.org/html/rfc3947#section-5.1
>>
>> It is Cisco who use the old encapsulation mode values from the early
>> versions of the internet-draft (marked XXX CHANGE here):
>>
>> http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-03#section-5.1
>
> Thanks for the clarification. Does that mean that OpenBSD sends
> UDP-Encapsulated-Tunnel (=3) mode when it detects NAT? But the
> isakmpd.pcap still shows attribute ENCAPSULATION_MODE = TUNNEL in the
> TRANSFORM payload?

IIRC that is the case.

> I ask because I have problems with a SonicWall behind a NAT on the remote
> site, which claims that my OpenBSD sends TUNNEL(=1) instead of
> Encapsulated Tunnel(=3).
At this point I think you probably need to break out the debug logs to try and work out what's going on. My general-use logging setup for isakmpd is -v -D0=29 -D1=49 -D2=10 -D3=30 -D5=20 -D6=30 -D8=30 -D9=30 -D10=20 though sometimes certain areas need tweaking.
Re: ISAKMPD NAT/Traversal
From: owner-m...@openbsd.org [owner-m...@openbsd.org] on behalf of Stuart Henderson [s...@spacehopper.org]
Sent: Saturday, 7 September 2013 00:11
To: misc@openbsd.org
Subject: Re: ISAKMPD NAT/Traversal

> On 2013-09-06, Christoph Leser le...@sup-logistik.de wrote:
>> Hello, list,
>>
>> From a remark by Stuart Henderson on an older thread
>> http://marc.info/?l=openbsd-misc&m=134849788026722&w=2 back in September 2012,
>> I understood that NAT-T support in OpenBSD was not complete at that time,
>> especially the handling of the 'ENCAPSULATION_MODE' attribute in the phase 2
>> 'TRANSFORM'. Sometimes this gets set to a value incompatible with other
>> equipment (Cisco).
>>
>> Can someone please point me to where I can find more information on this
>> matter. Has anything changed in OpenBSD with regard to this, will OpenBSD
>> follow RFC3947 with regard to the encapsulation modes (or is RFC3947 dead,
>> it seems to be a standard proposal since 2005).
>>
>> Kind regards
>> Christoph Leser
>> SP Computersysteme GmbH
>> Zettachring 4
>> 70567 Stuttgart Fasanenhof
>> EMail: le...@sup-logistik.de
>
> You misunderstand. OpenBSD uses the proper assigned encapsulation mode
> values from the newer internet-drafts and the published RFC:
>
> http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-04#section-5.1
> http://tools.ietf.org/html/rfc3947#section-5.1
>
> It is Cisco who use the old encapsulation mode values from the early
> versions of the internet-draft (marked XXX CHANGE here):
>
> http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-03#section-5.1

Thanks for the clarification. Does that mean that OpenBSD sends
UDP-Encapsulated-Tunnel (=3) mode when it detects NAT? But the
isakmpd.pcap still shows attribute ENCAPSULATION_MODE = TUNNEL in the
TRANSFORM payload?

I ask because I have problems with a SonicWall behind a NAT on the remote
site, which claims that my OpenBSD sends TUNNEL(=1) instead of
Encapsulated Tunnel(=3).
ISAKMPD NAT/Traversal
Hello, list,

From a remark by Stuart Henderson on an older thread
http://marc.info/?l=openbsd-misc&m=134849788026722&w=2 back in September 2012,
I understood that NAT-T support in OpenBSD was not complete at that time,
especially the handling of the 'ENCAPSULATION_MODE' attribute in the phase 2
'TRANSFORM'. Sometimes this gets set to a value incompatible with other
equipment (Cisco).

Can someone please point me to where I can find more information on this
matter. Has anything changed in OpenBSD with regard to this, will OpenBSD
follow RFC3947 with regard to the encapsulation modes (or is RFC3947 dead,
it seems to be a standard proposal since 2005).

Kind regards
Christoph Leser
SP Computersysteme GmbH
Zettachring 4
70567 Stuttgart Fasanenhof
EMail: le...@sup-logistik.de
Re: ISAKMPD NAT/Traversal
On 2013-09-06, Christoph Leser le...@sup-logistik.de wrote:
> Hello, list,
>
> From a remark by Stuart Henderson on an older thread
> http://marc.info/?l=openbsd-misc&m=134849788026722&w=2 back in September 2012,
> I understood that NAT-T support in OpenBSD was not complete at that time,
> especially the handling of the 'ENCAPSULATION_MODE' attribute in the phase 2
> 'TRANSFORM'. Sometimes this gets set to a value incompatible with other
> equipment (Cisco).
>
> Can someone please point me to where I can find more information on this
> matter. Has anything changed in OpenBSD with regard to this, will OpenBSD
> follow RFC3947 with regard to the encapsulation modes (or is RFC3947 dead,
> it seems to be a standard proposal since 2005).
>
> Kind regards
> Christoph Leser
> SP Computersysteme GmbH
> Zettachring 4
> 70567 Stuttgart Fasanenhof
> EMail: le...@sup-logistik.de

You misunderstand. OpenBSD uses the proper assigned encapsulation mode
values from the newer internet-drafts and the published RFC:

http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-04#section-5.1
http://tools.ietf.org/html/rfc3947#section-5.1

It is Cisco who use the old encapsulation mode values from the early
versions of the internet-draft (marked XXX CHANGE here):

http://tools.ietf.org/html/draft-ietf-ipsec-nat-t-ike-03#section-5.1
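The point in the reply above is that both sides of this interop problem send an ENCAPSULATION_MODE attribute, but with different numeric values for "UDP-Encapsulated-Tunnel": RFC 3947 section 5.1 assigns 3 and 4, while draft-ietf-ipsec-nat-t-ike-03 used the private-use values 61443 and 61444. The Python below is an added example, not code from isakmpd or from any of the posters: it decodes an IKEv1 transform attribute list (RFC 2408 section 3.3 encoding, IPsec DOI attribute type 4 for Encapsulation Mode per RFC 2407 section 4.5) and reports which convention a peer is proposing, which is the check to run on a pcap when a peer like the SonicWall in the thread rejects the mode. The attribute byte strings at the bottom are constructed for illustration.

```python
"""Decode IKEv1 (ISAKMP) transform attributes and report which
ENCAPSULATION_MODE convention a peer is proposing.

Added example for the openbsd-misc thread; not code from isakmpd or from
any poster. The sample byte strings at the bottom are constructed, not
captured from a real peer.

Attribute encoding (RFC 2408 section 3.3):
  2 bytes: AF bit (top bit) | attribute type (15 bits)
  AF=1 ("TV"):  2 bytes of value
  AF=0 ("TLV"): 2 bytes of length, then that many value bytes
"""
import struct

# IPsec DOI attribute type for Encapsulation Mode (RFC 2407 section 4.5).
ENCAPSULATION_MODE = 4

# Values assigned in RFC 3947 section 5.1 (the ones OpenBSD isakmpd uses).
RFC3947_MODES = {
    1: "Tunnel",
    2: "Transport",
    3: "UDP-Encapsulated-Tunnel",
    4: "UDP-Encapsulated-Transport",
}

# Private-use values from draft-ietf-ipsec-nat-t-ike-03 section 5.1,
# still sent by some vendors (Cisco, per the thread).
DRAFT03_MODES = {
    61443: "UDP-Encapsulated-Tunnel",
    61444: "UDP-Encapsulated-Transport",
}


def parse_attributes(data):
    """Return a list of (attribute_type, value) pairs.

    TV attributes yield an int; TLV attributes yield the raw value bytes.
    Raises ValueError on a truncated or malformed attribute list.
    """
    attrs = []
    off = 0
    while off + 4 <= len(data):
        af_type, val_or_len = struct.unpack_from("!HH", data, off)
        af = af_type >> 15
        atype = af_type & 0x7FFF
        off += 4
        if af:
            attrs.append((atype, val_or_len))
        else:
            if off + val_or_len > len(data):
                raise ValueError("truncated TLV attribute")
            attrs.append((atype, data[off:off + val_or_len]))
            off += val_or_len
    if off != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def classify_encapsulation(data):
    """Return (convention, mode_name) for the first ENCAPSULATION_MODE
    attribute in the list, or (None, None) if there is none.

    convention is "rfc3947", "draft-03" or "unknown".
    """
    for atype, value in parse_attributes(data):
        if atype != ENCAPSULATION_MODE:
            continue
        if isinstance(value, bytes):
            value = int.from_bytes(value, "big")
        if value in RFC3947_MODES:
            return "rfc3947", RFC3947_MODES[value]
        if value in DRAFT03_MODES:
            return "draft-03", DRAFT03_MODES[value]
        return "unknown", str(value)
    return None, None


def build_tv(atype, value):
    """Encode one basic (TV) attribute."""
    return struct.pack("!HH", 0x8000 | atype, value)


# Constructed sample attribute lists. Type 1 is SA Life Type (1 = seconds)
# and type 5 is Authentication Algorithm in the IPsec DOI; they are here
# only so the ENCAPSULATION_MODE attribute is not the sole entry.
SAMPLE_RFC3947_NAT = build_tv(1, 1) + build_tv(ENCAPSULATION_MODE, 3) + build_tv(5, 1)
SAMPLE_DRAFT03_NAT = build_tv(1, 1) + build_tv(ENCAPSULATION_MODE, 61443)
SAMPLE_PLAIN_TUNNEL = build_tv(1, 1) + build_tv(ENCAPSULATION_MODE, 1)

if __name__ == "__main__":
    for label, blob in (("rfc3947 peer", SAMPLE_RFC3947_NAT),
                        ("draft-03 peer", SAMPLE_DRAFT03_NAT),
                        ("no NAT-T", SAMPLE_PLAIN_TUNNEL)):
        print(label, classify_encapsulation(blob))
```

Feed `classify_encapsulation` the attribute bytes of the transform payload from a capture: a peer that answers a value 3 proposal with a rejection while itself sending 61443 is using the draft-03 numbering, which is the vendor-side mismatch the reply describes rather than a NAT-T defect in isakmpd.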