On 9/25/07, "Chris Buechler" <cbuechler at gmail dot com> wrote:
> I don't personally use mobile IPsec, but I know of people who do, and
> are using NAT-T with no issues.
Can you comment on the errors that I got with NAT-T? (Check the posting with
subject "1.3b3; NAT-T IP fragments not passed".)
"Server" is m0n0wall (1.3b4) and "mobile client" is also m0n0wall (1.3b4).
Authentication method is "RSA Signature".
NAT-T IPsec works as long as packets are small (example: you do ping, etc.).
But if packets are big enough and the encapsulating UDP packets become
(example: you do Microsoft Remote Desktop), then RDP stops working because the
"mobile client" m0n0wall drops UDP fragments. Ping in another window is
at the same time.
"Server" has log entries:
racoon: ERROR: none message must be encrypted
racoon: ERROR: x.x.x.x give up to get IPsec-SA due to time up to wait.
"Mobile client" has log entries:
racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, ...
"Mobile client" has several firewall entries (no ports after IP addresses):
Act Time If Source Destination Proto
DROP <time> WAN <server ip> <mobile client IP> UDP
I was not able to add any firewall rule to stop the dropping of UDP fragments.
Also, playing with checkboxes like "Allow fragmented IPsec packets" did not
If anybody is willing to investigate this issue, I am ready to set up a
repeatable test case based on VMware virtual machines.
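The two symptoms in the post, firewall rows for dropped UDP packets that show no port numbers, and a tunnel that only breaks once packets get large, can both be checked mechanically. The script below is an added example, not code from the thread or from m0n0wall: it parses constructed firewall-log rows in the column layout quoted above (Act Time If Source Destination Proto), flags UDP drops that carry no ports (only the first fragment of a UDP datagram carries the UDP header, so port-less UDP rows are the usual signature of non-first fragments), and estimates whether an inner packet of a given size will exceed the path MTU once wrapped in ESP-in-UDP (RFC 3948). The overhead figures assume AES-CBC with a 16-byte IV and HMAC-SHA1-96, a 20-byte outer IPv4 header and IPv4 addresses in the log; all sample data and these parameters are constructed assumptions, not values from the post.

```python
"""Added example: spot dropped UDP fragments in firewall-log rows and estimate
NAT-T (ESP-in-UDP) fragmentation. Log rows and tunnel parameters are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows mirroring the column layout quoted in the post.
SAMPLE_LOG = """\
Act Time If Source Destination Proto
DROP 12:00:01 WAN 203.0.113.10 198.51.100.20 UDP
PASS 12:00:01 WAN 203.0.113.10:4500 198.51.100.20:4500 UDP
DROP 12:00:02 WAN 203.0.113.10 198.51.100.20 UDP
PASS 12:00:03 WAN 203.0.113.10:500 198.51.100.20:500 UDP
DROP 12:00:04 WAN 203.0.113.10:80 198.51.100.20:49152 TCP
"""


@dataclass
class LogEntry:
    action: str
    time: str
    iface: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    proto: str

    @property
    def likely_fragment(self) -> bool:
        # A UDP row without ports on either side means the filter had no
        # transport header to read: what a non-first IP fragment looks like.
        return self.proto == "UDP" and self.src_port is None and self.dst_port is None


def _split_addr(field: str):
    """Split 'a.b.c.d:port' into (host, port); IPv4 assumed, as in the post."""
    m = re.fullmatch(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?", field)
    if not m:
        return field, None
    return m.group(1), (int(m.group(2)) if m.group(2) else None)


def parse_log(text: str) -> List[LogEntry]:
    """Parse rows of the form 'Act Time If Source Destination Proto'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "Act":  # skip header / malformed rows
            continue
        act, when, iface, src, dst, proto = parts
        src_host, src_port = _split_addr(src)
        dst_host, dst_port = _split_addr(dst)
        entries.append(LogEntry(act, when, iface, src_host, src_port, dst_host, dst_port, proto))
    return entries


def dropped_fragments(entries: List[LogEntry]) -> List[LogEntry]:
    """Return DROP rows that look like UDP fragments (no port information)."""
    return [e for e in entries if e.action == "DROP" and e.likely_fragment]


# Assumed overheads for ESP-in-UDP (RFC 3948): 20-byte outer IPv4 header,
# 8-byte UDP header, 8-byte ESP header (SPI + sequence), cipher IV, ESP
# trailer (pad-length + next-header = 2 bytes) padded to the cipher block
# size, then the integrity check value. Defaults: AES-CBC, HMAC-SHA1-96.
def natt_outer_size(inner_len: int, iv: int = 16, block: int = 16, icv: int = 12) -> int:
    """Size on the wire of an inner IP packet of inner_len bytes after NAT-T wrapping."""
    trailer_payload = inner_len + 2          # inner packet + pad-len/next-header
    padded = -(-trailer_payload // block) * block  # round up to block size
    return 20 + 8 + 8 + iv + padded + icv


def will_fragment(inner_len: int, path_mtu: int = 1500) -> bool:
    """True if the wrapped packet exceeds the path MTU and must be fragmented."""
    return natt_outer_size(inner_len) > path_mtu


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    for e in dropped_fragments(rows):
        print(f"probable dropped fragment at {e.time}: {e.src} -> {e.dst}")
    for size in (64, 1400, 1500):
        print(f"inner {size} bytes -> outer {natt_outer_size(size)} bytes, "
              f"fragments: {will_fragment(size)}")
```

The fragment check is a heuristic for this log format: a row with ports present could still be a first fragment, so a sustained run of port-less UDP drops from the peer's address during a large transfer is the stronger signal. The MTU function shows why small pings survive while RDP-sized packets do not: a full 1500-byte inner packet becomes about 1568 bytes on the wire and must be fragmented, whereas anything under roughly 1430 bytes fits in one datagram.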