From: Sam Sgro (sam_at_freeswan.org)
Date: Wed Jan 08 2003 - 07:00:41 CET
-----BEGIN PGP SIGNED MESSAGE-----
On Tue, 7 Jan 2003, Rostyslav Germanyuk wrote:
> Could someone please provide tips or explanations for
> the following problem.
>
> I am trying to make the Win98 L2TP/VPN client from
> Microsoft work with SuperFreeS/WAN from behind the
> firewall. The setup is pretty straightforward: use
> x.509 certificates for authentication, pfs set to "no"
> according to the setup by Jacco de Leeuw at
>
> http://www.jacco2.dds.nl/networking/freeswan-l2tp.html
>
> For simple connections without NATting gateway it
> works just fine. To enable NAT traversal I added the
> line "nat_traversal=yes" to the [setup] section in
> ipsec.conf, but it didn't work.
I'm not surprised; the L2TP/IPSec client doesn't support NAT traversal. You
would need an IPSec client like SoftRemote or SSH Sentinel.
> After analysis of the log files it seems to me that
> the reason is the following:
> Win98 client wants to use IPSec in transport mode
> exclusively, but as soon as FreeS/WAN completes ISAKMP
> SA definition Phase 1 OK, it disables the transport
> mode for nat traversal, as it says in the log, "due to
> security reasons", Win98 receives back an "INVALID_ID"
> message, and SA negotiation is dropped. Does anyone
> know if this is the real cause and, if so, is there a
> workaround to force FreeS/WAN to use transport mode?
> FreeS/WAN ignores the option type=transport in this case.
From the NAT Traversal patch README:
o Transport mode has been disabled due to security concerns (see below for
details). Enable it AT YOUR OWN RISK.
and the section below...
o Transport Mode can't be used without NAT in the IPSec layer. Otherwise,
all packets for the NAT device (including all hosts behind it) would be
sent to the NAT-T Client. This would create a sort of blackhole between
the peer which is not behind NAT and the NAT device.
Though the first quote implies you can enable Transport mode, I'm not certain
if you need to do more than "type=transport" to enable it.
--
Sam Sgro
sam_at_freeswan.org
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: For the matching public key, finger the Reply-To: address.
iQCVAwUBPhu+ikOSC4btEQUtAQEnkAQA2OhNVT3DOzlb6ns9CNkX5knLHNw3x5aK
63hZTcajqWVhJuKS9zuyUApyOs+z253qTNvWFU2aWNk3ElOCkOE7GrdP411LhukH
4KyrnB+JodkXTCYYF3F2gvU1xXpeLc0QCnI+ena7Q/bw8KBafQYmhKFrSCHLPoRe
yFK4uwBmHoY=
=9exw
-----END PGP SIGNATURE-----
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
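Added example, not code from the thread or from FreeS/WAN: a small Python lint that parses an ipsec.conf and flags exactly the combination the README excerpt above warns about, nat_traversal=yes in the setup section together with type=transport in a conn. The keys it looks at (nat_traversal, type, pfs) are the ones quoted in this thread; the sample configuration embedded in it is constructed for illustration and is not the original poster's file.

```python
"""Lint an ipsec.conf for the transport-mode + NAT traversal combination
that the FreeS/WAN NAT-T patch README warns about.

Added example, not code from FreeS/WAN or from the mailing-list thread.
The ipsec.conf keys used (nat_traversal, type, pfs) are the ones quoted
in the thread; the sample configuration below is constructed.
"""
import re
from collections import OrderedDict

# Constructed sample: a setup section with NAT-T enabled, one roadwarrior
# conn asking for transport mode (as in the poster's setup) and one
# ordinary tunnel-mode conn that should not be flagged.
SAMPLE_CONF = """\
# /etc/ipsec.conf (constructed sample)
version 2.0

config setup
    interfaces=%defaultroute
    nat_traversal=yes

conn l2tp-roadwarrior
    type=transport
    pfs=no
    authby=rsasig
    left=%defaultroute
    right=%any
    auto=add

conn tunnel-site
    type=tunnel
    pfs=yes
    left=%defaultroute
    right=192.0.2.10
    auto=add
"""

SECTION_RE = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section_name: {key: value}} for an ipsec.conf.

    Section headers start in column 0 ('config setup', 'conn NAME');
    key=value lines are indented. Comments and blank lines are skipped.
    """
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            m = SECTION_RE.match(line)
            if m:
                current = f"{m.group(1)} {m.group(2)}"
                sections[current] = {}
            else:
                # e.g. 'version 2.0': a top-level keyword, not a section
                current = None
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.strip().split("=", 1)
        sections[current][key.strip()] = value.strip()
    return sections


def find_nat_t_transport_conflicts(sections):
    """List conn names that request type=transport while NAT-T is enabled.

    The NAT-T patch README disables transport mode by default: with a
    client behind NAT, traffic for the NAT device would be steered to the
    single NAT-T client (the "blackhole" the README describes). Flagging
    the combination lets an admin review it before enabling it on purpose.
    """
    setup = sections.get("config setup", {})
    if setup.get("nat_traversal", "no").lower() != "yes":
        return []
    return [
        name.split(" ", 1)[1]
        for name, keys in sections.items()
        if name.startswith("conn ")
        and keys.get("type", "tunnel").lower() == "transport"
    ]


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_CONF)
    for conn in find_nat_t_transport_conflicts(parsed):
        print(f"WARNING: conn {conn} uses type=transport with nat_traversal=yes")
```

Run against the sample it prints one warning for l2tp-roadwarrior and stays silent for the tunnel-mode conn; point it at a real ipsec.conf by reading the file into parse_ipsec_conf instead of SAMPLE_CONF.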
This archive was generated by hypermail 2.1.5 : Thu Jan 09 2003 - 05:21:22 CET