
IPSec Transport mode over NAT needed with v3.0.0 #466

Open
lano1106 opened this issue Feb 27, 2021 · 13 comments

Comments

@lano1106

lano1106 commented Feb 27, 2021

I have tried to upgrade openswan from 2.6.56.3 to 3.0.0 and I had this unpleasant message:

003 "L2TP-PSK" #3: NAT-Traversal: Transport Mode not allowed due to security concerns -- using Tunnel mode. Rebuild Openswan with USE_NAT_TRAVERSAL_TRANSPORT_MODE=true in Makefile.inc to support transport mode.

So, I did try to do what the error message was suggesting to do. I did recompile openswan after making sure that USE_NAT_TRAVERSAL_TRANSPORT_MODE was set to true.

It did change nothing to the outcome. After some investigation, I did try to grep USE_NAT_TRAVERSAL_TRANSPORT_MODE in all .c files and all .h files and it seems like the only place where the define shows up is in the error message text, because otherwise it isn't used at all by the code itself.

This is a problem because I am using openswan for an L2TP over IPSec VPN, and here is what is written in RFC 3193 Securing L2TP using IPSec, Section 2.1 L2TP Security Protocol:

Transport mode MUST be supported; tunnel mode MAY be supported.

It happens that the RFC-compliant VPN gateway that I talk to does not support tunnel mode.

So, I really don't care at all about possible security concerns; if I cannot use the VPN, openswan 3.0.0 is useless to me.

Please make sure that it is possible to use transport mode with NAT.

Thank you
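The refusal line quoted above is the only trace that pluto silently fell back to tunnel mode for a connection that was configured for transport. As an added example that is not part of this issue thread or of the openswan code, here is a small Python check over constructed pluto/whack and syslog lines that flags every such downgrade by connection name and state number:

```python
import re
from dataclasses import dataclass

# Pluto's NAT-T refusal line as quoted in the issue. The optional leading
# three-digit code ("003 ") is the whack status prefix printed by
# `ipsec auto --up`; syslog copies carry "pluto[pid]: " instead.
_DOWNGRADE = re.compile(
    r'(?:^|:\s)(?:\d{3}\s+)?"(?P<conn>[^"]+)"\s+#(?P<state>\d+):\s+'
    r"NAT-Traversal: Transport Mode not allowed.*?using Tunnel mode"
)


@dataclass(frozen=True)
class Downgrade:
    conn: str    # connection name from ipsec.conf
    state: int   # pluto state object number (#N)
    line: str    # the raw log line, for the alert


def find_transport_downgrades(lines):
    """Return a Downgrade for each line where pluto swapped transport for tunnel mode.

    A connection listed here did not fail to come up: it came up in tunnel
    mode without the operator asking for it, which is the condition worth
    alerting on (L2TP/IPsec peers that only speak transport mode will then
    not pass traffic).
    """
    hits = []
    for line in lines:
        m = _DOWNGRADE.search(line)
        if m:
            hits.append(Downgrade(m.group("conn"), int(m.group("state")), line.rstrip()))
    return hits


# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '002 "L2TP-PSK" #3: initiating Quick Mode PSK+ENCRYPT+PFS+UP',
    '003 "L2TP-PSK" #3: NAT-Traversal: Transport Mode not allowed due to security concerns '
    '-- using Tunnel mode. Rebuild Openswan with USE_NAT_TRAVERSAL_TRANSPORT_MODE=true '
    'in Makefile.inc to support transport mode.',
    'Feb 27 22:14:03 vpn-client pluto[4321]: "office-l2tp" #7: NAT-Traversal: Transport '
    'Mode not allowed due to security concerns -- using Tunnel mode.',
    '004 "no-nat-site" #5: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode',
]

if __name__ == "__main__":
    for d in find_transport_downgrades(SAMPLE_LOG):
        print(f'conn "{d.conn}" state #{d.state}: came up in tunnel mode, not transport')
```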

@lano1106
Author

I have discovered I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT; it somehow did not get defined on my second compilation. I'll investigate it a little bit more and I'll come back to close this issue if I succeed in using transport mode with 3.0.0.

@lano1106
Author

lano1106 commented Feb 27, 2021

Ok, I went as far as removing the #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT blocks in

programs/pluto/spdb_v1_struct.c

and

programs/pluto/ikev1_quick.c

and I still have the error msg. Giving the user the option of using transport mode despite the security concern is just broken. It doesn't work, and as I have explained it is a serious issue because in some contexts the only usable mode is transport.

@letoams
Contributor

letoams commented Feb 28, 2021 via email

@lano1106
Author

lano1106 commented Feb 28, 2021

Thx for the answer, Paul. Can libreswan be an easy replacement for openswan without having to change the config too much?

I ended up being an openswan user because of this wiki page:
https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup

I did look into strongSwan and it did look significantly too different from openswan to consider investing time to replace my working openswan v2.6.56.3 setup...

@letoams
Contributor

letoams commented Feb 28, 2021 via email

@mcr
Contributor

mcr commented Feb 28, 2021

There is no concern with security and transport mode, other than some weirdness of Microsoft with L2TP. That’s why libreswan killed that compile option years ago and always supports transport mode. Paul

Oh, I see. I always wondered why you put that in without any explanation or test cases.

@mcr
Contributor

mcr commented Feb 28, 2021

Thx for the answer, Paul. Can libreswan be an easy replacement for openswan without having to change the config too much?

Libreswan no longer supports rawpublickeys in the way that openswan did, you have to do EVERYTHING with libnss, and so it doesn't work very well on embedded systems. If you don't need that, then libreswan is a much better fit.

@letoams
Contributor

letoams commented Feb 28, 2021

I'm pretty sure that was not me who put it in :)
git tracks the define back to your original git import, so if you want to check your old CVS, go ahead.

@letoams
Contributor

letoams commented Feb 28, 2021

You are right that all unaudited crypto code from 25 years ago that has seen no security review or gotten FIPS certification was removed. It is known to contain a number of vulnerabilities, like padding attacks, a weak e=3 component, etc. I would also not use it on embedded systems.....

@letoams
Contributor

letoams commented Feb 28, 2021

Note that we ported libreswan with nss to the Lantronix Xport PRO, which is an embedded 32-bit x86 nommu CPU with 16MB of RAM. https://www.lantronix.com/products/xport-pro/

How small is your embedded device?

@letoams
Contributor

letoams commented Mar 1, 2021

https://www.reddit.com/r/archlinux/comments/d7yqjv/libreswan_is_easier_than_openswan/

So for l2tp, the arch wiki recommends Openswan. I made it work and I learned a lot, but today
I had to configure the VPN client again and I used Libreswan + NetworkManager +
NetworkManager-Libreswan plugin and it was a *trivial* configuration effort.

I post this here in case someone is looking for Openswan alternatives for arch.

Maybe it was easier to set up because I already had to understand the mysteries of IPsec;
I'll never know.

@lano1106
Author

lano1106 commented Mar 1, 2021

Wow. So much help! I am grateful.

This is for a desktop that more likely than not already has libnss installed, so memory footprint is not an issue for me.

I got 2 issues making the VPN work, and doing it the hard way forced me to read a bunch of RFCs, something that I used to enjoy very much.

Both issues were at the PPP level:

  1. Peer was returning the error: Unauthorized remote IP address (resolved by using ppp option noipdefault)
  2. I was unable to accept the peer's request to use VJ comp during the IPCP nego (I have found in RFC 2661 why VJ comp with L2TP/IPSec is not a good idea...)

One last question: Will I still need xelerance l2tpd with libreswan, or does libreswan have everything needed to create an L2TP tunnel?

@letoams
Contributor

letoams commented Mar 1, 2021 via email
