NAT-Traversal Patch -- Version 0.6         [ Contributed by Arkoon Network Security ]
===================================        [ http://www.arkoon.net ]
                                           [ http://open-source.arkoon.net ]
The NAT-Traversal patch allows FreeS/WAN to be used behind any NAT device
by encapsulating ESP in UDP.
Send all your comments/requests to me (mlafon@arkoon.net). If you use it and
find it useful, drop me a mail too.
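The two wire formats behind "encapsulating ESP in UDP", shown as an added
illustration (this is not code from the NAT-T patch or from FreeS/WAN):
the early drafts (udp-encaps-00/01) keep everything on udp/500 and prefix
ESP with an 8-byte zero "non-IKE marker" (an IKE header can never start
that way because the initiator cookie is non-zero); udp-encaps-02 and later
float to udp/4500 and instead prefix IKE with a 4-byte zero "non-ESP marker"
(an ESP packet can never start that way because SPI 0 is reserved). A NAT
keepalive is a single 0xFF byte in both. The sample IKE header and ESP packet
are constructed here for the demo; the function and constant names are mine.

```python
import struct

# Added example: demultiplex the payload of a UDP datagram carrying NAT-T
# traffic. Not code from the NAT-T patch; names below are my own.
ISAKMP_HDR_LEN = 28     # two 8-byte cookies + 12 bytes of header fields
ESP_HDR_LEN = 8         # SPI (4) + sequence number (4)
NON_IKE_MARKER = b"\x00" * 8   # udp-encaps-00/01: prefixed to ESP on udp/500
NON_ESP_MARKER = b"\x00" * 4   # udp-encaps-02+:   prefixed to IKE on udp/4500
NAT_KEEPALIVE = b"\xff"        # one byte, both formats


def parse_esp_header(esp):
    """Return SPI, sequence number and the rest of the packet. The caller
    must still match the SPI against its inbound SAs before using 'rest'."""
    spi, seq = struct.unpack("!II", esp[:ESP_HDR_LEN])
    return {"spi": spi, "seq": seq, "rest": esp[ESP_HDR_LEN:]}


def demux_udp500(payload):
    """Classify a udp/500 payload under the old non-IKE-marker drafts."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload.startswith(NON_IKE_MARKER):
        esp = payload[len(NON_IKE_MARKER):]
        if len(esp) <= ESP_HDR_LEN:
            return ("drop", "truncated ESP after non-IKE marker")
        return ("esp", parse_esp_header(esp))
    if len(payload) < ISAKMP_HDR_LEN:
        return ("drop", "truncated IKE header")
    return ("ike", payload)


def demux_udp4500(payload):
    """Classify a udp/4500 payload under the floating-port drafts."""
    if payload == NAT_KEEPALIVE:
        return ("keepalive", None)
    if payload.startswith(NON_ESP_MARKER):
        ike = payload[len(NON_ESP_MARKER):]
        if len(ike) < ISAKMP_HDR_LEN:
            return ("drop", "truncated IKE header after non-ESP marker")
        return ("ike", ike)
    if len(payload) <= ESP_HDR_LEN:
        return ("drop", "truncated ESP header")
    return ("esp", parse_esp_header(payload))


def sample_ike_header():
    """Constructed minimal ISAKMP header (no payloads), for the demo only."""
    return struct.pack("!8s8sBBBBII",
                       b"\x01\x02\x03\x04\x05\x06\x07\x08",  # initiator cookie
                       b"\x00" * 8,        # responder cookie (first message)
                       0,                  # next payload: none
                       0x10,               # version 1.0
                       2,                  # exchange type: identity protection
                       0,                  # flags
                       0,                  # message ID (phase 1)
                       ISAKMP_HDR_LEN)     # total length


def sample_esp():
    """Constructed ESP packet: SPI 0x12345678, seq 7, opaque body."""
    return struct.pack("!II", 0x12345678, 7) + b"encrypted-body"


if __name__ == "__main__":
    for port, payload in [(500, sample_ike_header()),
                          (500, NON_IKE_MARKER + sample_esp()),
                          (4500, NON_ESP_MARKER + sample_ike_header()),
                          (4500, sample_esp()),
                          (4500, NAT_KEEPALIVE)]:
        demux = demux_udp500 if port == 500 else demux_udp4500
        kind, detail = demux(payload)
        print(port, kind, detail if kind != "ike" else "%d bytes" % len(detail))
```

The length checks matter: a datagram that is only a marker, or an ESP header
with no body, is dropped rather than handed to the ESP or IKE code.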
o draft-ietf-ipsec-nat-t-ike-01.txt
o draft-ietf-ipsec-udp-encaps-01.txt
o draft-ietf-ipsec-nat-t-ike-02.txt
o draft-ietf-ipsec-udp-encaps-02.txt
o draft-ietf-ipsec-nat-t-ike-03.txt
o draft-ietf-ipsec-udp-encaps-03.txt
o draft-ietf-ipsec-nat-t-ike-04.txt
o draft-ietf-ipsec-udp-encaps-04.txt
o Transport mode has been disabled due to security concerns (see below for
  details). Enable it AT YOUR OWN RISK.
o When using Tunnel mode with roadwarriors, you need to specify the internal
  IP in the FreeS/WAN configuration or use Virtual IP (see below), e.g.:

    rightsubnet=192.168.1.1/32
o x509/RSA authentication is strongly recommended. With PSK, IKE main mode
  looks up the key by the peer's IP address, which is unknown for
  roadwarriors, so you would have to use the same PSK for every user.
o This patch also includes VendorID identification. If you know/encounter
  other VendorID values/hashes, please send them to me.
o draft-ietf-ipsec-nat-t-ike-01 (used by SSH Sentinel and SafeNet) does
  not work if the NAT device is doing IPsec passthrough: with that draft
  both IKE and ESP-in-UDP stay on udp/500, which is exactly the traffic a
  passthrough device rewrites. Later drafts float to udp/4500 to avoid this.
This patch also includes a method to allow roadwarriors to 'choose' their
IP from a list of allowed networks.
For each connection, you can allow roadwarriors to choose their IP using
one of the following methods:

  rightsubnet=vhost:%no,%priv

The virtual subnet is a network type (vhost or vnet) followed by a list of

  %no    = no virtual IP (accept the peer's public IP)
  %dhcp  = accept DHCP SA (0.0.0.0/0) for the assigned IP [not implemented]
  %ike   = accept the IP assigned by IKE Config Mode [not implemented]
  %priv  = accept the system-wide private net list
  %v4:x  = accept IPv4 addresses in list 'x'
  %v6:x  = accept IPv6 addresses in list 'x'
  %all   = accept all IPs [only for testing]
The system-wide private net list is defined in the 'config setup' section
and contains a list of allowed networks and a list of excluded networks.
The recommended value is all RFC1918 private networks minus your own
networks: a roadwarrior must never be allowed to claim an address that you
actually route to (see the security note below).

For example (RFC1918 minus 192.168.2.0/24 and 192.168.15.128/25):

  virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!192.168.15.128/25
Note: you can also use subnetwithin from the x509 patch to handle virtual IP.
o apply the NAT-T patch in the freeswan directory:

  - FreeS/WAN 1.99 :
    NAT-Traversal-0.6-freeswan-1.99.diff

  - FreeS/WAN 1.99 + NotifyDelete + x509 0.9.15 + Alg 0.8.0 :
    NAT-Traversal-0.6-freeswan-1.99-nd-x509-0.9.15-alg.diff

  - FreeS/WAN 1.99 + NotifyDelete + x509 0.9.31 + Alg 0.8.0 :
    NAT-Traversal-0.6-freeswan-1.99-nd-x509-0.9.31-alg.diff

  - FreeS/WAN 2.00 + x509 1.3.5 :
    NAT-Traversal-0.6-freeswan-2.00-x509-1.3.5.diff

  - Super FreeS/WAN 2.00-rc3 :
    NAT-Traversal-0.6-sfs-2.00rc3.diff

  $ cd ~/dev/freeswan-1.99/
  $ cat ~/NAT-Traversal-0.6-freeswan-1.99.diff | patch -p1
o Follow the FreeS/WAN procedure to rebuild everything. When doing kernel
  configuration, don't forget to select CONFIG_IPSEC_NAT_TRAVERSAL.

o install the new kernel, pluto, whack, _confread, _plutorun, _realsetup
o add 'nat_traversal=yes' to your ipsec.conf (config setup)
o reboot with the new kernel
Tests (only Tunnel Mode) :
--------------------------

o SSH Sentinel 1.3          [ nat-t-ike-01 ] : OK
o SSH Sentinel 1.3.1        [ nat-t-ike-01 ] : OK
o SSH Sentinel 1.4          [ nat-t-ike-01 ] : OK
o SafeNet SoftRemote 8.0    [ nat-t-ike-01 ] : OK
o FreeS/WAN + NAT-T         [ nat-t-ike-01 ] : OK
o FreeS/WAN + NAT-T         [ nat-t-ike-03 ] : OK
SSH Sentinel has a bug in its IPsec SA proposal: it sends
ENCAPSULATION_MODE_TUNNEL instead of ENCAPSULATION_MODE_UDP_TUNNEL. This is
not refused, to keep good interoperability with SSH, but the workaround will
be removed as soon as Sentinel is fixed. If you don't want this behavior,
add this line to spdb.c :
  > #define I_DONT_CARE_OF_SSH_SENTINEL
o Transport Mode can't be used without NAT in the IPsec layer. Otherwise,
  all packets for the NAT device (including all hosts behind it) would be
  sent to the NAT-T client, since the only address the peer sees is the NAT
  device's public one. This would create a sort of blackhole between the
  peer which is not behind NAT and the NAT device.

o In Tunnel Mode with roadwarriors, we CAN'T accept any IP address;
  otherwise, an evil roadwarrior could claim the address of another host
  (including a host on the private network) and redirect all traffic for
  that host to itself. That's why you have to specify the private IP in the
  configuration file, use virtual IP management, or DHCP-over-IPsec.
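The check that the virtual IP section and the second security note above
describe, as an added illustration (not code from pluto or the NAT-T patch):
the address a roadwarrior proposes is accepted only if one of the methods in
rightsubnet=vhost:... / vnet:... admits it, and for %priv only if it lies
inside an allowed network of virtual_private and touches no '!' network. Two
assumptions of mine that the README does not state: a vnet proposal that
overlaps an excluded network is rejected outright, and a per-connection
'%v4:x' entry names one network (optionally '!'-negated). %dhcp and %ike are
rejected because the README marks them as not implemented. The configuration
strings are constructed from the README's own example; function names are mine.

```python
import ipaddress

# Added example, not code from the NAT-T patch or from pluto: apply the
# rightsubnet virtual-subnet rules and the system-wide virtual_private list
# to the client ID a roadwarrior proposes.
NOT_IMPLEMENTED = {"%dhcp", "%ike"}   # listed as not implemented in the README


def parse_net_list(spec):
    """Split '%v4:10.0.0.0/8,%v4:!192.168.2.0/24,...' into
    (allowed networks, excluded networks)."""
    allowed, excluded = [], []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        family = item[:4]
        if family not in ("%v4:", "%v6:"):
            raise ValueError("unsupported list entry: %r" % item)
        body = item[4:]
        negate = body.startswith("!")
        net = ipaddress.ip_network(body[1:] if negate else body, strict=False)
        if (family == "%v4:") != (net.version == 4):
            raise ValueError("address family mismatch: %r" % item)
        (excluded if negate else allowed).append(net)
    return allowed, excluded


def in_net_list(net, allowed, excluded):
    """True if 'net' lies inside an allowed network and overlaps no excluded
    one (assumption: any overlap with an exclusion rejects the whole net)."""
    covered = any(net.subnet_of(a) for a in allowed if a.version == net.version)
    clashes = any(net.overlaps(e) for e in excluded if e.version == net.version)
    return covered and not clashes


def accept_virtual_subnet(rightsubnet, proposed, peer_ip, virtual_private):
    """Decide whether the client ID 'proposed' (CIDR string) sent by the peer
    at 'peer_ip' is acceptable under 'rightsubnet' and 'virtual_private'."""
    kind, sep, methods = rightsubnet.partition(":")
    if not sep or kind not in ("vhost", "vnet"):
        raise ValueError("not a virtual subnet spec: %r" % rightsubnet)
    net = ipaddress.ip_network(proposed, strict=False)
    peer = ipaddress.ip_address(peer_ip)
    if kind == "vhost" and net.num_addresses != 1:
        return False            # vhost admits a single host address only
    sys_allowed, sys_excluded = parse_net_list(virtual_private)
    for method in methods.split(","):
        method = method.strip()
        if method == "%no":
            # No virtual IP: the inner address must be the peer's own public one.
            if net.num_addresses == 1 and net.network_address == peer:
                return True
        elif method == "%priv":
            if in_net_list(net, sys_allowed, sys_excluded):
                return True
        elif method == "%all":
            return True         # testing only, as the README says
        elif method[:4] in ("%v4:", "%v6:"):
            allowed, excluded = parse_net_list(method)   # assumption: one net
            if allowed and in_net_list(net, allowed, excluded):
                return True
        elif method in NOT_IMPLEMENTED:
            continue
        else:
            raise ValueError("unknown method: %r" % method)
    return False


# Constructed configuration, copied from the README's example.
VIRTUAL_PRIVATE = ("%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,"
                   "%v4:!192.168.2.0/24,%v4:!192.168.15.128/25")

if __name__ == "__main__":
    for rs, prop in [("vhost:%no,%priv", "10.1.2.3/32"),
                     ("vhost:%no,%priv", "192.168.2.7/32"),   # your own LAN
                     ("vhost:%no,%priv", "203.0.113.5/32"),   # peer's public IP
                     ("vnet:%priv", "192.168.15.0/24")]:      # overlaps exclusion
        print(rs, prop, accept_virtual_subnet(rs, prop, "203.0.113.5", VIRTUAL_PRIVATE))
```

The second and fourth cases are the attack the security note warns about: an
address inside a network you route to is refused even though it is RFC1918,
because the '!' exclusions take precedence over the allowed ranges.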
o accept a new NAT mapping with a different IP address
o smaller patch for net/ipv4/udp.c (?)
o do not send keepalives if packets have been sent to the peer (?)
o Version 0.1 -- First public release

  - verify that the received packet protocol matches the NAT-T type
  - use NAT-OA (when available) to quickly fix the TCP/UDP checksum
  - fix IP checksum in ipsec_tunnel before sending
  - virtual IP management
  - better connection handling/lookup
  - new params (--nat_traversal, --keep_alive, --virtual_private) for pluto
  - NAT-D hash uses the negotiated hash algorithm (instead of MD5)

  - FreeS/WAN 1.98b, X509 0.9.14, algo 0.8.0
  - ESPinUDP patch now in klips/patches2.2 and klips/patches2.3
  - fix bug when FreeS/WAN was initiator (zero cookie)
  - works correctly with PSK
  - draft-ietf-nat-t-ike-02/03 (floating port)
  - recovery of expired NAT mappings
  - various bugfixes, improvements

  - ipsec_rcv fix for Linux 2.2.xx
  - klips/utils/Makefile fix (for manual keying)
  - connection lookup improvement
  - force_keepalive keyword in ipsec.conf
    (SafeNet has been reported not to send keepalive packets)
  - no more nested functions (reported to cause problems with Openwall)
  - SSH Sentinel 1.4 VID

  - rewrote NAT-T host_pair/connection handling
  - rewrote port change handling (address change not handled)
  - update kernel SA when a port change is detected
  - NAT-T debug messages using pluto debug functions (plutodebug=nat_t)
  - port floating can be disabled in the config file (disable_port_floating=yes)
  - warning if an IPsec-passthrough NAT device is suspected and old drafts are used
  - accept the most recent NAT-T VID instead of the first one
  - new ISAKMP VIDs (SSH Sentinel, esp-in-udp, Timestep)

  - fix bug that could block udp/4500 packets and create a %hold state

  - new VIDs (FreeS/WAN, FRAGMENTATION)
  - fix checksum in ipsec_tunnel.c when in transport mode
  - support FreeS/WAN 2.0