On 2006-06-13 Chris Buechler wrote:
> If you'd like to mess with the configuration file and figure out how
> to make it work, given some guidance on how to setup the config file
> I'm sure one of the devs would get this coded into the GUI (I'd make
> sure of it).

Hi Chris,

I think it is not enough to play with racoon.conf. Unfortunately there is very little information about IPsec in FreeBSD, but ipsec-tools building and configuration hopefully is system-independent. Kernel configuration may not be. I've searched and found some facts that are necessary to cover when implementing such features. Some of them may have already been discussed, but I hope that this helps to enhance IPsec support in m0n0wall. Most of the info provided below was found here (1). So a long description follows which quite surely does not cover all facts.

Afaik there are at least five things to cover:

1. Enable kernel support for IPsec with NAT-T with:

       options IPSEC
       options IPSEC_ESP
       options IPSEC_NAT_T

   Currently the fast_ipsec option is used in the kernel configuration, which enables hardware crypto support. I don't think that this can be kept because it is incompatible with the new kame/ipsec-tools features.

2. Build ipsec-tools with NAT-T and Dead Peer Detection support. ipsec-tools build flags:

       --enable-natt \
       --enable-dpd \

3. racoon.conf NAT-Traversal specific options:

       nat_traversal on|off|force

   "on" will use NAT traversal as soon as a NAT device is detected on the path. "off" will disable this behavior. With "force", NAT traversal will be used regardless of whether a NAT device is found or not.

       natt_keepalive    (default = 20 seconds, 0 = off)

   Helps to keep NAT sessions alive on intermediate routers.

   For Dead Peer Detection I found this:

       dpd_delay 20;    # DPD poll every 20 seconds

   I'm unsure if the listen section of racoon also has to be modified to accept transmissions on port UDP/4500 for NAT-T. Currently m0n0wall uses no listen section in its racoon.conf.

   There is also a NAT-T specific example after installing the ipsec-tools port: %%EXAMPLESDIR%%/racoon.conf.sample-natt

   As soon as NAT-T is enabled it may lead to problems with fragmentation. With these racoon options, fragmentation on IKE and ESP is disabled:

       ike_frag on;
       esp_frag 552;

   It probably uses some PMTU mechanism, but I didn't find anything about that. But PMTU must be enabled in m0n0wall. For TCP we have to use some MSS clamping stuff in IP NAT. This leads to the next step:

4. IP Filter/IP NAT configuration

   As soon as NAT-T is enabled the filter has to maintain the UDP packets. Regarding the fragmentation problem we have to add NAT configuration for ESP packets when NAT-T is enabled. This is done with something like

       map ex0 <internal network> -> 0/0 mssclamp 552

   m0n0wall does MSS clamping at the moment, so we only have to reduce the current values if NAT-T is enabled. However I don't know how the MSS clamping patches by Fred Wright and Manuel Kasper may interfere with that. Of course it also depends on the (dialup) line the box uses.

5. m0n0wall configuration

   For configurable options/implementation in m0n0wall I suggest to make
   - Dead Peer Detection enabled as default for aggressive tunnels (generate the dpd_delay option)
   - Dead Peer Detection enabled as default for the Mobile Clients setup (remote anonymous section in racoon.conf)
   - Dead Peer Detection timing globally configurable in System->Advanced (below the prefer old SA option) with a seconds field (shouldn't ever be 0, default 20). This value is used for both points above.

   For NAT-T I'm unsure how to implement it, but I would also prefer a global option and only enable it for aggressive tunnels. Also make the 'force' option either configurable or never use it.

   Most important thing is to not break communication with too big/fragmented packets. So the fragmentation features of racoon and IP NAT have to be used.

Any comments and additions welcome

-Bjoern

(1) Resources:
http://www.netbsd.org/Documentation/network/ipsec/rasvpn.html
http://www.netbsd.org/Documentation/network/ipsec/
http://www.ipsec-howto.org/x299.html
http://asherah.dyndns.org/~josh/ipsec-howto.txt
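A racoon.conf fragment, added here as an illustration and not part of the original message or of m0n0wall's generated configuration, that puts the NAT-T, DPD and fragmentation options from points 3 and 5 together with a listen section for UDP/4500. The address 192.0.2.1, the pre-shared-key path, the listen/timer sections and the proposal settings are assumptions for the example:

```conf
# Constructed example, not m0n0wall's own racoon.conf.
# Address, PSK path and proposal values are assumptions.
path pre_shared_key "/var/etc/psk.txt";

listen {
        isakmp      192.0.2.1 [500];   # plain IKE
        isakmp_natt 192.0.2.1 [4500];  # NAT-T: UDP-encapsulated IKE/ESP
}

timer {
        natt_keepalive 20 sec;         # keep NAT state on intermediate routers (0 sec = off)
}

# Mobile Clients setup: the "remote anonymous" section from point 5
remote anonymous {
        exchange_mode aggressive;
        nat_traversal on;              # only when a NAT device is detected; "force" = always
        dpd_delay 20;                  # DPD poll every 20 seconds (the global seconds field)
        dpd_retry 5;                   # seconds to wait for a DPD reply before retrying
        dpd_maxfail 5;                 # unanswered polls before the peer is declared dead
        ike_frag on;                   # fragmentation settings from point 3
        esp_frag 552;                  # matches the ipnat "mssclamp 552" rule in point 4
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

sainfo anonymous {
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```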