Hi,
I'm having a real headache trying to set up the following IPSec solution:
Private LAN --- IPSec Endpoint<internal_office_IP> --- NAT device/firewall<external_office_IP> --- Internet --- <public_IP>IPSec Endpoint --- Publicly addressed subnet.
The end goal is to be able to have traffic that travels from the office (private) to the hosting environment (public). Simply tunnelling using SSH is not enough, I need an IPSec tunnel.
I have been using the documentation available on the CentOS site as a guide.
Because one of the end points is behind a NAT device/firewall, I have needed to turn on NAT-traversal, so I added the following directive to the racoon config file on each IPSec endpoint (not mentioned in the CentOS/Red Hat docs BTW):
nat_traversal on;
Now, when I try to initialise the tunnel (by sending traffic to the appropriate subnet), I notice the following error being produced:
ERROR: libipsec failed send update_nat (No algorithm specified)
I've Googled that and all I can find are posts from the same guy, with the exact same problem, but with no responses... And this was way back in 2006!
Does anyone have any experience configuring NAT-traversal with racoon? I'm hoping this is an easy fix; the error message would seem to suggest I need another configuration option somewhere that defines an appropriate algorithm.
I've copied/pasted the output from the endpoint behind the firewall at the end of this post. The output from the endpoint in the publicly available subnet is essentially the same, except for the fact that it identifies the "PEER" as being behind a NAT device and it doesn't see the <internal_office_IP>; instead it sees the <external_office_IP>.
Thanks in advance,
Pete
---------------------------------------------------
racoon debug output on endpoint behind firewall:
---------------------------------------------------
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: respond new phase 1 negotiation: <internal_office IP>[500]<=><public_IP>[500]
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: begin Aggressive mode.
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: received Vendor ID: RFC 3947
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: received Vendor ID: DPD
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: Selected NAT-T version: RFC 3947
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: Adding remote and local NAT-D payloads.
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: Hashing <public_IP>[500] with algo #2
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: Hashing <internal_office IP>[500] with algo #2
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: NAT-T: ports changed to: <public_IP>[4500]<-><internal_office IP>[4500]
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: Hashing <internal_office_IP>[4500] with algo #2
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: NAT-D payload #0 doesn't match
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: Hashing <public_IP>[4500] with algo #2
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: NAT-D payload #1 verified
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: NAT detected: ME
Jun 8 16:17:22 ipsec-gateway0 racoon: 2009-06-08 16:17:22: INFO: ISAKMP-SA established <internal_office_IP>[4500]-<public_IP>[4500] spi:35cb25479378aab6:8d6f489b11a2ad03
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: INFO: respond new phase 2 negotiation: <internal_office_IP>[4500]<=><public_IP>[4500]
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: ERROR: libipsec failed send update_nat (No algorithm specified)
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: ERROR: pfkey update failed.
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: ERROR: failed to process packet.
Jun 8 16:17:23 ipsec-gateway0 racoon: 2009-06-08 16:17:23: ERROR: phase2 negotiation failed.
Jun 8 16:17:53 ipsec-gateway0 racoon: 2009-06-08 16:17:53: INFO: IPsec-SA expired: AH/Tunnel <public_IP>[0]-><internal_office_IP>[0] spi=76770912(0x4936e60)
Jun 8 16:17:53 ipsec-gateway0 racoon: 2009-06-08 16:17:53: INFO: IPsec-SA expired: ESP/Tunnel <public_IP>[0]-><internal_office_IP>[0] spi=214429085(0xcc7ed9d)
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: INFO: initiate new phase 2 negotiation: <internal_office IP>[4500]<=><public_IP>[4500]
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: INFO: NAT detected -> UDP encapsulation (ENC_MODE 1->3).
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: ERROR: libipsec failed send update_nat (No algorithm specified)
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: ERROR: pfkey update failed.
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: ERROR: failed to process packet.
Jun 8 16:57:01 ipsec-gateway0 racoon: 2009-06-08 16:57:01: ERROR: phase2 negotiation failed.
Jun 8 16:57:31 ipsec-gateway0 racoon: 2009-06-08 16:57:31: INFO: IPsec-SA expired: AH/Tunnel <public_IP>[0]-><internal_office IP>[0] spi=82925571(0x4f15803)
Jun 8 16:57:31 ipsec-gateway0 racoon: 2009-06-08 16:57:31: INFO: IPsec-SA expired: ESP/Tunnel <public_IP>[0]-><internal_office IP>[0] spi=88756792(0x54a5238)
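An added example, not part of Pete's post: a small Python summariser for racoon syslog lines in the format shown above. It pulls out the NAT-T version agreed in phase 1, which side was detected behind a NAT, whether the ISAKMP SA came up, the first ERROR of phase 2, and which IPsec protocols (AH/ESP) appear on the SA lines; it also flags an AH SA being used together with NAT-T, since RFC 3948 UDP encapsulation is defined for ESP only. The sample log is constructed from the post's format with placeholder addresses, and the host name gw0 is an assumption.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the racoon syslog format shown in the post; addresses are placeholders.
SAMPLE_LOG = """\
Jun 8 16:17:22 gw0 racoon: 2009-06-08 16:17:22: INFO: Selected NAT-T version: RFC 3947
Jun 8 16:17:22 gw0 racoon: 2009-06-08 16:17:22: INFO: NAT detected: ME
Jun 8 16:17:22 gw0 racoon: 2009-06-08 16:17:22: INFO: ISAKMP-SA established 10.0.0.1[4500]-203.0.113.5[4500] spi:35cb25479378aab6:8d6f489b11a2ad03
Jun 8 16:17:23 gw0 racoon: 2009-06-08 16:17:23: ERROR: libipsec failed send update_nat (No algorithm specified)
Jun 8 16:17:23 gw0 racoon: 2009-06-08 16:17:23: ERROR: phase2 negotiation failed.
Jun 8 16:17:53 gw0 racoon: 2009-06-08 16:17:53: INFO: IPsec-SA expired: AH/Tunnel 203.0.113.5[0]->10.0.0.1[0] spi=76770912(0x4936e60)
Jun 8 16:17:53 gw0 racoon: 2009-06-08 16:17:53: INFO: IPsec-SA expired: ESP/Tunnel 203.0.113.5[0]->10.0.0.1[0] spi=214429085(0xcc7ed9d)
"""

# racoon prefixes each message with its own timestamp and a level (INFO, NOTIFY, ERROR).
LINE_RE = re.compile(r"racoon: \S+ \S+: (?P<level>[A-Z]+): (?P<msg>.*)$")

@dataclass
class TunnelState:
    nat_t_version: str = ""           # NAT-T variant agreed in phase 1
    nat_detected: str = ""            # which side racoon found behind a NAT ("ME", "PEER", ...)
    isakmp_established: bool = False  # phase 1 completed
    errors: list = field(default_factory=list)      # ERROR messages, in order
    sa_protocols: set = field(default_factory=set)  # AH / ESP seen on IPsec-SA lines

def summarize(log_text):
    st = TunnelState()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if msg.startswith("Selected NAT-T version: "):
            st.nat_t_version = msg.split(": ", 1)[1]
        elif msg.startswith("NAT detected: "):
            st.nat_detected = msg.split(": ", 1)[1]
        elif msg.startswith("ISAKMP-SA established"):
            st.isakmp_established = True
        elif msg.startswith("IPsec-SA expired: "):
            st.sa_protocols.add(msg.split()[2].split("/")[0])
        elif level == "ERROR":
            st.errors.append(msg)
    return st

def findings(st):
    out = []
    if st.isakmp_established and st.errors:
        out.append("phase 1 completed but phase 2 failed: " + st.errors[0])
    if st.nat_detected and "AH" in st.sa_protocols:
        out.append("AH SA in use with NAT-T; RFC 3948 UDP encapsulation is defined for ESP only")
    return out
```

Run `findings(summarize(SAMPLE_LOG))` to get the two findings for the sample; feeding it a full `/var/log/messages` extract works the same way since non-racoon lines are skipped.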