[BSD] VPN (racoon+sl2tps/win2k-xp)
Kollar Csaba
csaba.kollar at enternet.hu
Tue, 6 Feb 2007, 21:59:49 CET
Hi all!
(this will be long :)
I'd like to build a VPN server on a FreeBSD base for road-warrior users, working
with the built-in "L2TP over IPsec" clients of Win2k/XP.
After a bit of reading I concluded that racoon and sl2tps would be my
friends. It came together quite easily, but unfortunately the trouble
started when I tried to connect from a Windows box sitting behind NAT (which is,
of course, quite common). Let me ask right here whether anyone knows of another
solution (it's important that it work without any kind of 3rd-party software,
because otherwise I know that OpenVPN, the Cisco PIX and so on are fine things...).
If so, don't read any further, just write it up :)
So I dug deeper into racoon and found a patch (ipsec/nat traversal for
freebsd6). The racoon folks made it; the ipsec-tools port (racoon is in it)
even mentions it as information after make install. I applied it and built a
new kernel with these extra options:
options IPSEC
options IPSEC_ESP
options IPSEC_NAT_T
Then I also did this:
/etc/ipsec.conf:
spdadd VPN_SERVER_IP[1701] 0.0.0.0/0 any -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0 VPN_SERVER_IP[1701] any -P in ipsec esp/transport//require;
/etc/rc.conf:
ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
In theory the NAT_T patch should solve the problem, together with the
"nat_traversal on" racoon config option that becomes usable after patching.
Nevertheless, it still doesn't work.
Connection log:
2007-02-06 21:27:57: INFO: VPN_SERVER_IP[4500] used as isakmp port (fd=5)
2007-02-06 21:27:57: INFO: VPN_SERVER_IP[4500] used for NAT-T
2007-02-06 21:27:57: INFO: VPN_SERVER_IP[500] used as isakmp port (fd=6)
2007-02-06 21:27:57: INFO: VPN_SERVER_IP[500] used for NAT-T
2007-02-06 21:28:05: INFO: respond new phase 1 negotiation: VPN_SERVER_IP[500]<=>CLIENT_PUBLIC_IP[500]
2007-02-06 21:28:05: INFO: begin Identity Protection mode.
2007-02-06 21:28:05: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2007-02-06 21:28:05: INFO: received Vendor ID: FRAGMENTATION
2007-02-06 21:28:05: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2007-02-06 21:28:05: INFO: Selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02
2007-02-06 21:28:05: INFO: Hashing VPN_SERVER_IP[500] with algo #1
2007-02-06 21:28:05: INFO: NAT-D payload #0 verified
2007-02-06 21:28:05: INFO: Hashing CLIENT_PUBLIC_IP[500] with algo #1
2007-02-06 21:28:05: INFO: NAT-D payload #1 doesn't match
2007-02-06 21:28:05: INFO: NAT detected: PEER
2007-02-06 21:28:05: INFO: Hashing CLIENT_PUBLIC_IP[500] with algo #1
2007-02-06 21:28:05: INFO: Hashing VPN_SERVER_IP[500] with algo #1
2007-02-06 21:28:05: INFO: Adding remote and local NAT-D payloads.
2007-02-06 21:28:05: INFO: NAT-T: ports changed to: CLIENT_PUBLIC_IP[4500]<->VPN_SERVER_IP[4500]
2007-02-06 21:28:05: INFO: KA list add: VPN_SERVER_IP[4500]->CLIENT_PUBLIC_IP[4500]
2007-02-06 21:28:05: ERROR: Expecting IP address type in main mode, but FQDN.
2007-02-06 21:28:05: ERROR: invalid ID payload.
2007-02-06 21:28:06: ERROR: Expecting IP address type in main mode, but FQDN.
2007-02-06 21:28:06: ERROR: invalid ID payload.
.....
The end repeats a few times, then the client disconnects due to a timeout.
Without a NATed client, however, it works perfectly.
Naturally "NAT-D payload #1 doesn't match" and the ERRORs at the end are
suspicious, but I haven't found any usable information about them.
racoon.conf looks like this:
#########################################################
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;
log notify;
padding
{
maximum_length 20;
randomize off;
strict_check off;
exclusive_tail off;
}
listen
{
isakmp VPN_SERVER_IP [500];
isakmp_natt VPN_SERVER_IP [4500];
}
remote anonymous {
exchange_mode main;
generate_policy off;
nat_traversal on;
proposal_check obey;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group modp1024;
}
}
sainfo anonymous {
pfs_group modp1024;
encryption_algorithm aes,blowfish,cast128,3des;
authentication_algorithm hmac_sha256,hmac_sha1,hmac_md5;
compression_algorithm deflate;
}
I don't want to tire anyone with sl2tps; that part certainly works. It seems
to be IPsec where things get stuck :(
--
Chal
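Added example, not part of the post above: a small Python model of the NAT-D step that produced the "NAT-D payload #0 verified", "NAT-D payload #1 doesn't match" and "NAT detected: PEER" lines in the log. Under draft-ietf-ipsec-nat-t-ike-02 (the version racoon selected), each side hashes HASH(CKY-I | CKY-R | IP | Port) for the address it is sending to and for its own address; a client behind NAT hashes its private address, so the responder, which only sees the NAT's public address, cannot reproduce that hash and concludes the peer is NATed, after which both ends move to UDP 4500. The hash is the phase-1 hash, MD5 here because the posted racoon.conf proposes hash_algorithm md5. The cookies and the addresses 203.0.113.10, 192.168.1.20 and 198.51.100.7 are constructed values, and the function names are this example's own; the later "Expecting IP address type in main mode, but FQDN" errors are a separate problem that this example does not model.

```python
# Added example (not from the original post): NAT-D payload construction and
# NAT detection per draft-ietf-ipsec-nat-t-ike-02. Cookies, addresses and
# function names are constructed for illustration.
import hashlib
import ipaddress
import struct

# Oakley hash attribute ids. racoon's "Hashing ... with algo #1" is MD5,
# which matches "hash_algorithm md5" in the posted phase-1 proposal.
OAKLEY_HASH = {1: "md5", 2: "sha1"}


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int, alg: int = 1) -> bytes:
    """NAT-D = HASH(CKY-I | CKY-R | IP | Port); address and port in network order."""
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("ISAKMP cookies are 8 bytes each")
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(OAKLEY_HASH[alg], data).digest()


def nat_d_payloads(cky_i, cky_r, remote, local, alg=1):
    """Payloads a peer sends, in wire order: first for the address it is
    sending *to*, then for its own source address as it sees it locally."""
    return [nat_d(cky_i, cky_r, remote[0], remote[1], alg),
            nat_d(cky_i, cky_r, local[0], local[1], alg)]


def verify_nat_d(cky_i, cky_r, received, my_addr, seen_peer_addr, alg=1):
    """Responder-side check. Payload #0 must match the address we really have
    (otherwise *we* are behind NAT); one of the remaining payloads must match
    the source address observed on the wire (otherwise the *peer* is).
    Returns (local_nat, peer_nat)."""
    local_ok = received[0] == nat_d(cky_i, cky_r, my_addr[0], my_addr[1], alg)
    seen = nat_d(cky_i, cky_r, seen_peer_addr[0], seen_peer_addr[1], alg)
    peer_ok = any(p == seen for p in received[1:])
    return (not local_ok, not peer_ok)


def nat_situation(local_nat, peer_nat):
    """Same wording racoon uses in its 'NAT detected:' line."""
    return {(False, False): "none", (False, True): "PEER",
            (True, False): "ME", (True, True): "BOTH"}[(local_nat, peer_nat)]


def negotiate(server, client_local, client_on_wire):
    """One initiator->responder NAT-D exchange with constructed cookies.
    Returns (situation, port): draft-02 floats to UDP 4500 once any NAT is
    detected, otherwise IKE stays on UDP 500."""
    cky_i = bytes.fromhex("0123456789abcdef")  # constructed initiator cookie
    cky_r = bytes.fromhex("fedcba9876543210")  # constructed responder cookie
    sent = nat_d_payloads(cky_i, cky_r, remote=server, local=client_local)
    local_nat, peer_nat = verify_nat_d(cky_i, cky_r, sent, server, client_on_wire)
    situation = nat_situation(local_nat, peer_nat)
    return situation, (4500 if situation != "none" else 500)


if __name__ == "__main__":
    server = ("203.0.113.10", 500)
    # Road warrior behind NAT, as in the post: the client hashes its private
    # address, the server sees the NAT's public one -> payload #1 mismatches.
    print(negotiate(server, ("192.168.1.20", 500), ("198.51.100.7", 500)))
    # The same client directly on the Internet -> every payload verifies.
    print(negotiate(server, ("198.51.100.7", 500), ("198.51.100.7", 500)))
```

Note that a NAT-D mismatch is the expected, healthy outcome for a NATed road warrior: it is what makes both sides switch to UDP 4500 and ESP-in-UDP encapsulation. It is not an error in itself, which is why racoon logs those lines at INFO level.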
More information about the BSD mailing list