NAT-Traversal Patch -- Version 0.6 [ Contributed by Arkoon Network Security ] =================================== [ http://www.arkoon.net ] [ http://open-source.arkoon.net ] NAT-Traversal patch allows FreeS/WAN to be used behind any NAT device by encapsuling ESP in UDP. Send all your comments/requests to me (mlafon@arkoon.net). If you use it and find it useful, drop me a mail too. Supported drafts : ------------------ o draft-ietf-ipsec-nat-t-ike-01.txt o draft-ietf-ipsec-udp-encaps-01.txt o draft-ietf-ipsec-nat-t-ike-02.txt o draft-ietf-ipsec-udp-encaps-02.txt o draft-ietf-ipsec-nat-t-ike-03.txt o draft-ietf-ipsec-udp-encaps-03.txt o draft-ietf-ipsec-nat-t-ike-04.txt o draft-ietf-ipsec-udp-encaps-04.txt Notes : ------- o Transport mode has been disabled due to security concerns (see below for details). Enable it AT YOUR OWN RISK. o Using Tunnel mode with roadwarriors, you will need to specify the internal IP in the FreeS/WAN Configuration or use Virtual IP (see below). ex: right=%any rightsubnet=192.168.1.1/32 o x509/RSA is strongly recomended for authentication or you'll have to use the same PSK for every users. o This patch also includes VendorID identification. If you know/encounter other VendorID values/hash, please send them to me. o draft-ietf-ipsec-nat-t-ike-01 (used by SSH-Sentinel and SafeNet) does not work if the NAT-Device is doing Ipsec PassThrough. Virtual IP : ------------ This patch also include a method to allow roadwarriors to 'choose' their IP in a list of allowed networks. For each connection, you can allow roadwarrior to choose their IP following different methods : ... right=%any rightsubnet=vhost:%no,%priv ... virtual subnet is a network type (vhost or vnet) followed by a list of method : %no = no virtual IP (accept public IP) %dhcp = accept DHCP SA (0.0.0.0/0) of affected IP [not implemented] %ike = accept affected IKE Config Mode IP [not implemented] %priv = accept system-wide private net list %v4:x = accept ipv4 in list 'x' %v6:x = accept ipv6 in list 'x' %all = accept all ips [only for testing] The system-wide private net list is define in the 'config setup' section and contain a list of allowed networks and a list of not allowed networks. The recommended value is all RFC1918 private networks minus your own private networks. By example (RFC1918 - 192.168.2.0/24 - 192.168.15.128/25) : virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.2.0/24,%v4:!192.168.15.128/25 Note: you can also use subnetwithin from the x509 patch to handle virtual IP. Install : --------- o apply NAT-T patch in freeswan directory : - FreeS/WAN 1.99: NAT-Traversal-0.6-freeswan-1.99.diff - FreeS/WAN 1.99 + NotifyDelete + x509 0.9.15 + Alg 0.8.0 : NAT-Traversal-0.6-freeswan-1.99-nd-x509-0.9.15-alg.diff - FreeS/WAN 1.99 + NotifyDelete + x509 0.9.31 + Alg 0.8.0 : NAT-Traversal-0.6-freeswan-1.99-nd-x509-0.9.31-alg.diff - FreeS/WAN 2.00 + x509 1.3.5 : NAT-Traversal-0.6-freeswan-2.00-x509-1.3.5.diff - Super FreeS/WAN 2.00-rc3 : NAT-Traversal-0.6-sfs-2.00rc3.diff $ cd ~/dev/freeswan-1.99/ $ cat ~/NAT-Traversal-0.6-freeswan-1.99.diff | patch -p1 o Follow the FreeS/WAN procedure to rebuild all. When doing kernel configuration, don't forget to select CONFIG_IPSEC_NAT_TRAVERSAL. o install new kernel, pluto, whack, _confread, _plutorun, _realsetup o add 'nat_traversal=yes' to your ipsec.conf (config setup) o reboot with the new kernel Tests (only Tunnel Mode) : -------------------------- o SSH Sentinel 1.3 [ nat-t-ike-01 ] : OK o SSH Sentinel 1.3.1 [ nat-t-ike-01 ] : OK o SSH Sentinel 1.4 [ nat-t-ike-01 ] : OK o SafeNet SoftRemote 8.0 [ nat-t-ike-01 ] : OK o FreeS/WAN + NAT-T [ nat-t-ike-01 ] : OK o FreeS/WAN + NAT-T [ nat-t-ike-03 ] : OK Note: SSH Sentinel has a bug during diagnostic. It sends ENCAPSULATION_MODE_TUNNEL instead of ENCAPSULATION_MODE_UDP_TUNNEL. This is not refused to allow good interoperability with SSH but will be removed as soon as Sentinel is fixed. If you don't want this behavior, you can add this line in spdb.c : > #define I_DONT_CARE_OF_SSH_SENTINEL Security Concerns : ------------------- o Transport Mode can't be used without NAT in the IPSec layer. Otherwise, all packets for the NAT device (including all hosts behind it) would be sent to the NAT-T Client. This would create a sort of blackhole between the peer which is not behind NAT and the NAT device. o In Tunnel Mode with roadwarriors, we CAN'T accept any IP address, otherwise, an evil roadwarrior could redirect all trafic for one host (including a host on the private network) to himself. That's why, you have to specify the private IP in the configuration file, use virtual IP management, or DHCP-over-IPSec. Todo : ------ o accept new NAT mapping with different IP address o smaller patch for net/ipv4/udp.c (?) o do not send keep alive if packets have been sent to peer (?) Changes : --------- o Version 0.1 -- First public release o Version 0.2 - verify that rcv packet protocol match NAT-T type - use NAT-OA (when available) to quickly fix TCP/UDP checksum - fix IP checksum in ipsec_tunnel before sending it - virtual IP management - better connection handling/lookup - new params (--nat_traversal, --keep_alive, --virtual_private) for pluto - NAT-D hash use negociated hash algorithm (instead of MD5) o Version 0.3 - FreeS/WAN 1.98b, X509 0.9.14, algo 0.8.0 - ESPinUDP patch now in klips/patches2.2 and klips/patches2.3 - bug when freeswan was initiator (zero cookie) - correctly work with PSK - draft-ietf-nat-t-ike-02/03 (floating port) - expired NAT mappings recovering - various bugfixes, improvements o Version 0.4 - ipsec_rcv fix for Linux 2.2.xx - klips/utils/Makefile fix (for manual keying) - connection lookup improvement - force_keepalive keyword in ipsec.conf (SafeNet has been reported to not send keep alive packets) - no more nested functions (reported to have problems with Openwall) - SSH Sentinel 1.4 VID o Version 0.5 - rewrote NAT-T host_pair/connection handling - rewrote port change handling (addr change not handle) - update kernel SA when port change is detected - NAT-T debug messages using pluto debug functions (plutodebug=nat_t) - port floating can be disable in config file (disable_port_floating=yes) - Warning if IPSec-Passthrough NAT device is suspected and old drafts used - accept most recent NAT-T VID instead of first one - new ISAKMP VID (SSH Sentinel, esp-in-udp, Timestep) o Version 0.5a - fix bug that can block udp/4500 packets and create %hold state - cosmetics o Version 0.6 - new VIDs (FreeS/WAN, FRAGMENTATION) - fix checksum in ipsec_tunnel.c when in transport mode - support FreeS/WAN 2.0 - misc