[ previous ] [ next ] [ threads ]
 From:  "Marek Läll" <marek dot lall at neti dot ee>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: Re: IPSEC Mobile Clients Error
 Date:  Fri, 28 Sep 2007 22:16:21 +0300
On 9/25/07, "Chris Buechler" <cbuechler at gmail dot com> wrote
> I don't personally use mobile IPsec, but I know of people who do, and
> are using NAT-T with no issues.

Can you comment the errors that I got with NAT-T (check posting with
subject "1.3b3; NAT-T IP fragments not passed")

"Server" is m0n0wall (1.3b4) and "mobile client" is also m0n0wall (1.3b4)
Authentication method is "RSA Signature"

NAT-T IPSec works as long as packets are small (example: you do ping etc...)
But if packets are big enough and encapsulating UDP packets become 
(example: you do microsoft remote desktop) then RDP stops working because
"mobile client" m0n0wall drop UDP fragments. ping in another window is 
working fine
at the same time.

"Server" has log entires:
    racoon: ERROR: none message must be encrypted
    racoon: ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.

"Mobile client" has log entires:
    racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, ...

"Mobile client" has several firewall entires (no  ports after IP addresses):
    Act   Time   If   Source   Destination   Proto
    DROP  <time> WAN <server ip> <mobile client IP> UDP

I was not able to add any firewall rule to stop dropping of UDP fragments
Also, playing with checkbox'es like "Allow fragmented IPsec packets" did not 

If anybody is willing to investigate this issue I am ready to set up 
repeateable test case
based on vmware virtual machines.