[Ipsec-tools-devel] two hosts both behind NAT's not able to connect - isakmp header is too big
Brad Rubenstein
2004-08-05 20:55:50 UTC
I'm seeing an error I don't see anyone else getting:

I have two Fedora Core 2 boxes running IPSEC 0.3.3, each behind a Linksys
router with NAT, and I want to bridge the two private networks together.
Seemed pretty straightforward, I thought.

HOST1          LINKSYS ROUTER+NAT               LINKSYS ROUTER+NAT           HOST2
192.168.1.2 -> 192.168.1.1+24.6.117.151 ->...-> 66.108.19.182+192.168.2.1 -> 192.168.2.3

When the SPD policies are set and racoon is started on both sides, and I try
to ping host2 from host1, I get this in the error log:
2004-08-05 13:52:45: ERROR: the length in the isakmp header is too big.

The rest of the negotiation is error-free (I'm not going to post volumes of
log info yet, but if anyone thinks it might help, I'm happy to do so).
IPSEC-passthru is disabled on both LINKSYS boxes.

I'm stuck there. Can anyone help me?

Brad Rubenstein
***@BradRubenstein.com

========================== setkey and racoon.conf for each host =====================

Host 1: 192.168.1.2
Kernel on host 1: kernel-2.6.7-1.494.2.2 (fedora core 2)
Host 1 has these policies:
spdadd 192.168.1.0/24 192.168.2.0/24 any -P out ipsec esp/tunnel/192.168.1.2-66.108.19.182/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/66.108.19.182-192.168.1.2/require;


Host 2: 192.168.2.3
Kernel 2.6.6-1.435.2.3 (from fedora core 2)
Host 2 has these policies:
spdadd 192.168.1.0/24 192.168.2.0/24 any -P in ipsec esp/tunnel/24.6.117.151-192.168.2.3/require;
spdadd 192.168.2.0/24 192.168.1.0/24 any -P out ipsec esp/tunnel/192.168.2.3-24.6.117.151/require;

racoon.conf on Host 1 and Host 2 are identical:
===================================================
path include "/etc/racoon";
path certificate "/usr/share/ssl/certs";
timer
{
        natt_keepalive 10 sec;
}
remote anonymous
{
        exchange_mode main,base,aggressive;
        my_identifier asn1dn;
        certificate_type x509 "www.unclebrad.com.pem" "www.unclebrad.com.pem";
        nat_traversal on;
        proposal {
                authentication_method rsasig;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                dh_group 2;
        }
        proposal_check obey;
}
sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour;
        encryption_algorithm 3des, rijndael;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
=====================================================
Michal Ludvig
2004-08-05 22:32:47 UTC
Post by Brad Rubenstein
> I have two Fedora Core 2 boxes running IPSEC 0.3.3, each behind a Linksys
> router with NAT, and I want to bridge the two private networks together.
> Seemed pretty straightforward, I thought.
>
> HOST1          LINKSYS ROUTER+NAT               LINKSYS ROUTER+NAT           HOST2
> 192.168.1.2 -> 192.168.1.1+24.6.117.151 ->...-> 66.108.19.182+192.168.2.1 -> 192.168.2.3
Does it mean that you have a port forwarding or something on the routers?
Or how do you enable incoming connections to the inside hosts?
Post by Brad Rubenstein
> When the SPD policies are set and racoon is started on both sides, and I try
> 2004-08-05 13:52:45: ERROR: the length in the isakmp header is too big.
Hmm, this shouldn't happen because of the misconfiguration. What OpenSSL
do you use?
Post by Brad Rubenstein
> The rest of the negotiation is error-free (I'm not going to post volumes of
> log info yet, but if anyone thinks it might help, I'm happy to do so).
So do the racoons finally negotiate something or not?
Could you post a terse log at least (run racoon -v).
Post by Brad Rubenstein
> IPSEC-passthru is disabled on both LINKSYS boxes.
What is "IPSEC-passthrough" supposed to do? (I don't have any experience
with Linksys routers.)

Michal Ludvig
--
* A mouse is a device used to point at the xterm you want to type in.
* Personal homepage - http://www.logix.cz/michal
Brad Rubenstein
2004-08-07 04:57:05 UTC
More data: I'm looking at racoon isakmp data under gdb, and it looks like all isakmp_natt packets coming into racoon are trash at the time they are read off the pipe in isakmp_handler.

Breakpoint 1, plog (pri=4, func=0x8092b80 "isakmp.c:225:isakmp_handler()",
sa=0x0, fmt=0x807e934 "the length in the isakmp header is too big.\n")
at plog.c:138
138 va_start(ap, fmt);
(gdb) up
#1 0x0804be79 in isakmp_handler (so_isakmp=9) at isakmp.c:225
225 plog(LLV_ERROR, LOCATION, NULL,
(gdb) p isakmp
$1 = {i_ck = "\006Ü\213©\000\000\000\004", r_ck = "û\vx£1\223s\227",
np = 226 'â', v = 224 'à', etype = 55 '7', flags = 13 '\r',
msgid = 1573560306, len = 2586529492}
(gdb) p extralen
$2 = 0

Is extralen supposed to be zero?

Ethereal shows the packets as ESP encapsulated in UDP (as I'd expect), which means they need to be decrypted, yes?

Could the keys be wrong? Could the decryption and de-encapsulation be stepping on each other? Am I going about this the wrong way?

Any suggestions or advice, as always, most welcome.

Regards,
Brad Rubenstein

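As an added illustration, not code from this thread or from ipsec-tools: on UDP/4500 an IKE datagram carries a four-byte all-zero non-ESP marker before the ISAKMP header, while an ESP datagram starts with its non-zero SPI (RFC 3948), so an ESP packet handed to the IKE parser is decoded as two cookies and a garbage length field, which is precisely the check that logs "the length in the isakmp header is too big". The i_ck dumped above (a non-zero word followed by 0x00000004) has the shape of an SPI plus sequence number, which is consistent with that reading. Assumptions: extralen stands for the skipped marker length as in racoon's handler, and every byte value below is constructed.

```python
import struct

# ISAKMP header (RFC 2408 s3.1): i_ck, r_ck, np, version, etype, flags, msgid, len
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ISAKMP_HDR_LEN = ISAKMP_HDR.size              # 28 bytes
NON_ESP_MARKER = b"\x00\x00\x00\x00"          # RFC 3948 s2.2: prefixes IKE on UDP/4500


def classify_udp4500(payload):
    """Tell IKE, ESP and NAT-keepalive apart on the shared UDP/4500 port."""
    if payload == b"\xff":                    # RFC 3948 s2.3 NAT-keepalive
        return ("keepalive", None)
    if len(payload) < 4:
        return ("runt", None)
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", len(NON_ESP_MARKER))   # bytes the IKE parser must skip
    spi = struct.unpack("!I", payload[:4])[0]
    return ("esp", spi)                       # a valid ESP SPI is never zero


def check_isakmp_header(datagram, extralen):
    """Length sanity check in the spirit of racoon's isakmp_handler: the
    header's length field must not exceed what was actually read from the
    socket. Returns (ok, length_field)."""
    body = datagram[extralen:]
    if len(body) < ISAKMP_HDR_LEN:
        return (False, None)
    *_, length = ISAKMP_HDR.unpack_from(body)
    if length > len(body):   # the condition behind "the length in the isakmp header is too big"
        return (False, length)
    return (True, length)


# Constructed samples (not captures from the hosts in the thread).
# ESP-in-UDP: SPI 0x06dc8ba9, sequence number 4, then 24 bytes standing in for ciphertext.
ESP_DATAGRAM = (b"\x06\xdc\x8b\xa9" + b"\x00\x00\x00\x04"
                + bytes(range(0xe0, 0xf8)))
# IKE on UDP/4500: non-ESP marker, then a bare main-mode header whose len is 28.
IKE_DATAGRAM = NON_ESP_MARKER + ISAKMP_HDR.pack(
    b"\x11" * 8, b"\x22" * 8, 0, 0x10, 2, 0, 0, ISAKMP_HDR_LEN)

if __name__ == "__main__":
    for name, dgram in (("esp", ESP_DATAGRAM), ("ike", IKE_DATAGRAM)):
        kind, info = classify_udp4500(dgram)
        extralen = info if kind == "ike" else 0   # extralen == 0: no marker was seen
        print(name, kind, check_isakmp_header(dgram, extralen))
```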
Brad Rubenstein
2004-08-07 18:08:05 UTC
A basic question, before I go off and try to debug the racoon code, only to find my kernel is misconfigured (ha!).

Does anyone have a working IPSEC/racoon installation creating a tunnel bridging two linux FC2 hosts both of which are behind NAT routers? ( net1 <-> host1 <-> NATrouter1 <-> internet <-> NATrouter2 <-> host2 <-> net2 ).

If so, would you be willing to share with me your setkey and racoon configurations? Did you have to customize the stock kernel?

Thanks!

Brad Rubenstein
***@BradRubenstein.com