 From:  Bjoern Euler <lists at edain dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Beta 1.23b1
 Date:  Tue, 13 Jun 2006 11:37:36 +0200
On 2006-06-13 Chris Buechler wrote:
> If you'd like to mess with the configuration file and figure out how
> to make it work, given some guidance on how to setup the config file
> I'm sure one of the devs would get this coded into the GUI (I'd make
> sure of it).

Hi Chris,

I think it is not enough to play with racoon.conf.
Unfortunately there is very little information about IPSec in FreeBSD,
but ipsec-tools building and configuration hopefully are
system-independent. Kernel configuration may not be.

I've searched and found some facts that are necessary to cover when
implementing such features. Some of them may have already been
discussed, but I hope that this helps to enhance IPSec support in m0n0wall.
Most of the info provided below was found here (1).

So a long description follows which quite surely does not cover all facts:

Afaik there are at least five things to cover:

1. Enable kernel support for IPSec with NAT-T with:
options IPSEC
options IPSEC_ESP
options IPSEC_NAT_T

Currently the fast_ipsec option is used in the kernel configuration, which
enables hardware crypto support. I don't think that this can be kept
because it is incompatible with the new kame/ipsec-tools features.

2. Build ipsec-tools with NAT-T and Dead Peer Detection support:
ipsec-tools build flags:
--enable-natt \
--enable-dpd \

3. racoon.conf
NAT-Traversal specific options:

nat_traversal	on|off|force
On will use NAT traversal as soon as a NAT device is detected on the path.
Off will disable this behavior.
With force, NAT traversal will be used regardless of whether a NAT device is
found or not.

natt_keepalive default = 20 seconds, 0 = off
Helps to keep NAT sessions alive on intermediate routers.

For Dead-Peer I found this:
dpd_delay 20;			# DPD poll every 20 seconds

I'm unsure if the listen section of racoon also has to be modified to
accept transmissions on port UDP/4500 for NAT-T. Currently m0n0wall uses
no listen section in its racoon.conf.

There is also a NAT-T specific example after installing the ipsec-tools.

As soon as NAT-T is enabled it may lead to problems with fragmentation.
With these racoon options on ike and esp fragmentation is disabled.

ike_frag on;
esp_frag 552;

It probably uses some PMTU mechanism, but I didn't find anything about
that. But PMTU must be enabled in m0n0wall. For TCP we have to use some
MSS clamping stuff in IP NAT.
This leads to the next step:

4. IP Filter/IP NAT configuration
As soon as NAT-T is enabled the filter has to maintain the UDP packets.
Regarding the fragmentation problem we have to add NAT configuration for
ESP packets when NAT-T is enabled. This is done with something like

map ex0 <internal network> -> 0/0 mssclamp 552

m0n0wall does MSS clamping atm, so we only have to reduce the current
values if NAT-T is enabled. However, I don't know how the MSS clamping
patches by Fred Wright and Manuel Kasper may interfere with that.
Of course it also depends on the (dialup) line the box uses.

5. m0n0wall configuration
For configurable options/implementation in m0n0wall I suggest making
- Dead Peer Detection enabled as default for aggressive tunnels (generate
the dpd_delay option)

- Dead Peer Detection enabled as default for the Mobile Clients setup
(remote anonymous section in racoon.conf)

- Dead Peer Detection timing globally configurable in System->Advanced
(below the old SA prefer option) with a seconds field (shouldn't ever be
0, default 20). This value is used for both points above.

For NAT-T I'm unsure how to implement it, but would also prefer a global
option and only enable it for aggressive tunnels.
Also make the 'force' option either configurable or never use it.
The most important thing is to not break communication with too
big/fragmented packets. So the fragmentation features of racoon and IP
NAT have to be used.

Any comments and additions welcome.


(1) Resources:
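As an added example (not part of this mail or of m0n0wall's own code), a small Python check that parses racoon.conf remote sections and flags NAT-T enabled without the ike_frag/esp_frag and dpd_delay settings listed in the mail, or set to 'force'; the sample section and its values are constructed.

```python
import re

# Constructed sample (assumed values, not real m0n0wall output): a mobile-clients
# 'remote anonymous' section with NAT-T and DPD switched on.
SAMPLE_CONF = """
remote anonymous {
        exchange_mode aggressive;
        nat_traversal on;        # use NAT-T as soon as a NAT device is detected
        dpd_delay 20;            # DPD poll every 20 seconds
        ike_frag on;
        esp_frag 552;
        proposal { encryption_algorithm 3des; hash_algorithm sha1; }
}
"""

def parse_remote_sections(text):
    """Return {name: {option: value}} per 'remote' block; comments stripped, nested blocks skipped."""
    text = re.sub(r"#.*", "", text)
    sections = {}
    for m in re.finditer(r"remote\s+(\S+)\s*\{", text):
        depth, body = 1, []
        for ch in text[m.end():]:
            depth += (ch == "{") - (ch == "}")
            if depth == 0:
                break
            if depth == 1 and ch not in "{}":
                body.append(ch)
        opts = {}
        for stmt in "".join(body).split(";"):
            parts = stmt.split()
            if len(parts) >= 2:
                opts[parts[0]] = " ".join(parts[1:])
        sections[m.group(1)] = opts
    return sections

def natt_warnings(opts):
    """Flag NAT-T enabled without the ike_frag/esp_frag and dpd_delay settings, or 'force' mode."""
    warn = []
    mode = opts.get("nat_traversal", "off")
    if mode == "force":
        warn.append("nat_traversal force: NAT-T used even without a NAT device")
    if mode in ("on", "force"):
        if opts.get("ike_frag") != "on":
            warn.append("NAT-T without ike_frag on")
        if "esp_frag" not in opts:
            warn.append("NAT-T without esp_frag (should match the MSS clamp value)")
    if int(opts.get("dpd_delay", "0")) <= 0:
        warn.append("dpd_delay missing or 0: dead peers are never detected")
    return warn
```

Run `natt_warnings(section)` over each section returned by `parse_remote_sections(open("/var/etc/racoon.conf").read())` to review a generated config; an empty list means the section carries the settings the mail recommends.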