NetBSD-Users archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
Re: IKEv2/IPsec VPN
On 9/20/2017 8:48 PM, Chuck Zmudzinski wrote:
> On 9/20/2017 5:12 PM, Christos Zoulas wrote:
>> In article <e8da578e-c03b-7ae6-3062-b0da729dc179%gmail.com@localhost>,
>> Chuck Zmudzinski <frchuckz%gmail.com@localhost> wrote:
>>> I have used netbsd-6 and netbsd-7 with racoon to set up
>>> IKEv1/L2TP/IPsec
>>> VPN with Windows clients. I have not tried IKEv2 and based on the
>>> little
>>> research I have done I don't think it is possible using an out of
>>> the box
>>> NetBSD/pkgsrc configuration. Even for IKEv1 I needed to hack the NetBSD
>>> kernel to get IKEv1 and IPsec NAT-traversal to work with IPsec, and
>>> I used
>>> a locally modified version of the ancient and apparently no longer
>>> maintained rp-l2tp package to set up l2tp tunnels. If you don't need
>>> NAT
>>> traversal, that is, if neither clients nor the server are behind a
>>> NAT box,
>>> it might be easier to do...
>> In current and 8 it should work out of the box...
>>
>> https://wiki.netbsd.org/tutorials/how_to_create_an_l2tp_ipsec_tunnel_between_an_android_or_iphone_or_ios_device_to_netbsd/
>>
>>
>> christos
> I will try 8 and current and post my result in the next few days. I
> also will try racoon2 with
> IKEv2 sometime with 8 and current. As I understand it, racoon2 is in
> pkgsrc. It's also good
> to know xl2tpd works for l2tp/ipsec. I have been planning on trying it
> instead of using the
> ancient rp-l2tp.
>
> Chuck
>
My results show that neither 8 nor current works for the case when the
windows (or ios or android) L2TP/IPsec VPN client is not behind NAT but
NetBSD
L2TP/IPsec server is behind a NAT. In that case, my tests conclusively show
that the NetBSD kernel, not even 8 and current, implements RFC 3948 "UDP
Encapsulation of IPsec ESP packets" for the transport mode case, and
that is why
private kernel patches that implement RFC 3948 for transport mode are
necessary
for the connection to succeed in this case. I have verified this by
applying my own
private patches to the netbsd-6 and netbsd-7 kernels that implement RFC 3948
for the transport mode case and make the connection work when the NetBSD
L2TP/IPsec server is behind a NAT. My tests also show netbsd does not
work when
both the windows, ios or android L2TP/IPsec VPN client and the netbsd
L2TP/IPsec
VPN server are behind NAT, again because of lack of implementation of
RFC 3948
for the transport mode case in the netbsd kernel, and my test also show
that patches
to the netbsd kernel that implement RFC 3948 for the transport mode case
can fix
this for the case of both client and NetBSD server behind NAT.
I suspect if it was the other way around, that is, if the windows (or
ios or android)
L2TP/IPsec client is behind NAT but the NetBSD L2TP/IPsec server is NOT
behind NAT,
the connection would succeed for all stock netbsd kernels as far back as
at least
netbsd-6, as shown in the wiki tutorial page that Christos referred to
earlier in this
thread. If one looks carefully at the logs showing a successful
connection on that wiki
page, you will see that racoon reports that NAT was detected only for
the PEER, and not
for ME. For the common case of a server that is not behind a NAT, this
is sufficient
because more often than not it is the client, not the server, that is
behind NAT.
For the case Gerard Lally is interested in, which involves substituting
an IKEv2
IPsec solution for an OpenVPN solution in a scenario where both ends
of the secure tunnel are a NetBSD box, the question is whether or not NetBSD
can handle any issues that NAT traversal might cause. As far as I know,
OpenVPN
handles NAT traversal more readily than IPsec does. I think the stock NetBSD
kernel would work fine for IKEv2 as long as both NetBSD boxes are NOT behind
NAT, and each would use the racoon2 package for IKEv2. If one or both NetBSD
boxes are behind a NAT, then it depends on whether or not NetBSD can be
easily configured to support UDP encapsulation in tunnel mode (RFC 3948),
because the IKEv2 VPNs use tunnel mode, in contrast to the transport
mode that
L2TP/IPsec VPNs use. My tests, which are for L2TP/IPsec which uses IPsec
transport
mode, definitively show that no version of the netbsd kernel, not 8 nor
current,
nor the earlier versions, supports UDP encapsulation in transport mode,
for any
case when a NetBSD box is behind the NAT.
Based on my reading of RFC 3948, I think it is likely a solution for the NAT
problem for IKEv2 VPNs which use tunnel mode instead of transport mode
would be easier than for the transport mode case and would probably not
require patching the kernel but would just involve setting up the
security policies
and NAT rules properly in the configuration files according to the rules
given
in RFC 3948 for tunnel mode. This could probably be accomplished using tools
provided by the racoon2 package and without patching the kernel, although I
have never tried racoon2 or IKEv2. The transport mode NAT problem is more
complicated and requires kernel patches because, as RFC 3948 observes,
the UDP checksum is invalidated by NAT for the transport mode case, and
the fix for
this needs to be done in the kernel where the UDP checksum is verified.
As far
as I can tell, all versions of netbsd fail to make the corrections to
the UDP checksum
called for in RFC 3948, for the transport mode case, and that is why
L2TP/IPsec
connections to an L2TP/IPsec NetBSD server located behind a NAT box
always fail,
no matter how hard one might try to tweak the configuration files and
security
policies.
Chuck
Home |
Main Index |
Thread Index |
Old Index