IPSec Transport mode over NAT needed with v3.0.0 #466
Comments
I have discovered I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT; it somehow did not get defined on my second compilation. I'll investigate it a little bit more and I'll come back to close this issue if I succeed in using transport mode with 3.0.0.
Ok, I went as far as removing the #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT blocks in programs/pluto/spdb_v1_struct.c and programs/pluto/ikev1_quick.c and I still have the error msg. Giving the user the option of using transport mode despite the security concern is just broken. It doesn't work and, as I have explained, it is a serious issue because in some contexts the only usable mode is transport.
There is no concern with security and transport mode, other than some weirdness of Microsoft with L2TP.
That’s why libreswan killed that compile option years ago and always supports transport mode.
Paul
On Feb 27, 2021, at 14:17, Olivier Langlois wrote:
Ok, I went as far as removing the #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT blocks in programs/pluto/spdb_v1_struct.c and programs/pluto/ikev1_quick.c and I still have the error msg. Giving the user the option of using transport mode despite the security concern is just broken. It doesn't work and, as I have explained, it is a serious issue because in some contexts the only usable mode is transport.
Thanks for the answer Paul. Can libreswan be an easy replacement for openswan without having to change the config too much? I ended up being an openswan user because of this wiki page: https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup I did look into strongSwan and it did look significantly too different from openswan to consider investing time to replace my working openswan v2.6.56.3 setup...
It’s a continuation fork, so yes. It is mostly a drop-in replacement
https://nohats.ca/wordpress/openswan/
https://nohats.ca/swan.gif
https://libreswan.org/wiki/HOWTO:_openswan_to_libreswan_migration
Paul
On Feb 28, 2021, at 13:48, Olivier Langlois wrote:
Thanks for the answer Paul. Can libreswan be an easy replacement for openswan without having to change the config too much?
I ended up being an openswan user because of this wiki page:
https://wiki.archlinux.org/index.php/Openswan_L2TP/IPsec_VPN_client_setup
Oh, I see. I always wondered why you put that in without any explanation or test cases.
Libreswan no longer supports rawpublickeys in the way that openswan did, you have to do EVERYTHING with libnss, and so it doesn't work very well on embedded systems. If you don't need that, then libreswan is a much better fit.
I'm pretty sure that was not me who put it in :)
You are right that all unaudited crypto code from 25 years ago that has seen no security review or gotten FIPS certification was removed. It is known to contain a number of vulnerabilities, like padding attacks, a weak E=3 component, etc. I would also not use it on embedded systems...
Note that we ported libreswan with nss to the Lantronix Xport PRO, which is an embedded 32-bit x86 nommu CPU with 16MB of RAM. https://www.lantronix.com/products/xport-pro/ How small is your embedded device?
https://www.reddit.com/r/archlinux/comments/d7yqjv/libreswan_is_easier_than_openswan/
Wow, so much help! I am grateful. This is for a desktop that more likely than not already has libnss installed, so memory footprint is not an issue for me. I got 2 issues making the VPN work, and doing it the hard way forced me to read a bunch of RFCs, something that I used to enjoy very much. Both issues were at the PPP level:
peer was returning the error: Unauthorized remote IP address (resolved by using ppp option noipdefault)
I was unable to accept the peer request to use VJ comp during the IPCP nego (I have found in RFC 2661 why VJ comp with L2TP/IPSec is not a good idea...)
One last question: Will I still need xelerance l2tpd with libreswan, or does libreswan have everything needed for L2TP?
You still need xl2tpd for L2TP. Note the latest versions don’t work for everyone. Try downgrading if you see issues.
But you should migrate that setup eventually to IKEv2.
On Mar 1, 2021, at 14:46, Olivier Langlois wrote:
Wow, so much help! I am grateful.
This is for a desktop that more likely than not already has libnss installed, so this is not an issue.
I got 2 issues making the VPN work, and doing it the hard way forced me to read a bunch of RFCs, something that I used to enjoy very much.
Both issues were at the PPP level:
peer was returning the error: Unauthorized remote IP address (resolved by using ppp option noipdefault)
I was unable to accept the peer request to use VJ comp during the IPCP nego (I have found in RFC 2661 why VJ comp with L2TP/IPSec is not a good idea...)
One last question: Will I still need xelerance l2tpd with libreswan, or does libreswan have everything needed for L2TP?
I have tried to upgrade openswan from 2.6.56.3 to 3.0.0 and I had this unpleasant message:
003 "L2TP-PSK" #3: NAT-Traversal: Transport Mode not allowed due to security concerns -- using Tunnel mode. Rebuild Openswan with USE_NAT_TRAVERSAL_TRANSPORT_MODE=true in Makefile.inc to support transport mode.
So, I did try to do what the error message was suggesting. I recompiled openswan after making sure that USE_NAT_TRAVERSAL_TRANSPORT_MODE was set to true.
It changed nothing in the outcome. After some investigation, I grepped for USE_NAT_TRAVERSAL_TRANSPORT_MODE in all .c and .h files, and it seems like the only place where the define shows up is in the error message text; otherwise it isn't used at all by the code itself.
This is a problem because I am using openswan for an L2TP over IPSec VPN, and here is what is written in RFC 3193, Securing L2TP using IPSec, Section 2.1 L2TP Security Protocol:
Transport mode MUST be supported; tunnel mode MAY be supported.
It happens that the RFC-compliant VPN gateway that I talk to does not support tunnel mode.
So, I really don't care at all about possible security concerns, if I cannot use the VPN, openswan 3.0.0 is useless to me.
Please make sure that it is possible to use transport mode with NAT.
Thank you
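As an added check, not openswan's own code or build system: a small POSIX shell script that classifies where a build-time macro name appears in a C tree, separating uses in #if/#ifdef/#ifndef/#elif conditionals (which actually change what gets compiled) from mentions inside string literals (which do nothing at build time). It runs on a constructed sample tree that mimics the finding above, with one file naming USE_NAT_TRAVERSAL_TRANSPORT_MODE only inside a log message and another really gating code on I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT; the file names and contents are made up for the example.

```sh
#!/bin/sh
# Added example, not openswan's own code: report whether a build-time macro
# actually gates code (appears in a preprocessor conditional) or is merely
# named inside string literals, the situation the issue found for
# USE_NAT_TRAVERSAL_TRANSPORT_MODE.  Only .c/.h files are inspected; a macro
# used purely at the Makefile level (to pick which files get built) is not
# something this script can see.

# Count lines matching an extended regex across all .c/.h files under DIR.
# Usage: count_lines REGEX DIR
count_lines() {
    find "$2" \( -name '*.c' -o -name '*.h' \) -exec grep -E -- "$1" {} + 2>/dev/null \
        | wc -l | tr -d ' '
}

# Lines where MACRO appears in an #if/#ifdef/#ifndef/#elif directive.
# The (^|[^A-Za-z0-9_]) ... ([^A-Za-z0-9_]|$) wrapper is a portable word
# boundary, so FOO does not match FOO_BAR.  Usage: directive_uses MACRO DIR
directive_uses() {
    count_lines "^[[:space:]]*#[[:space:]]*(if|ifdef|ifndef|elif).*(^|[^A-Za-z0-9_])$1([^A-Za-z0-9_]|\$)" "$2"
}

# Lines where MACRO sits inside a double-quoted string literal on one line.
# Usage: string_uses MACRO DIR
string_uses() {
    count_lines "\"([^\"]*[^A-Za-z0-9_\"])?$1([^A-Za-z0-9_\"][^\"]*)?\"" "$2"
}

# Exit 0 if MACRO influences at least one preprocessor conditional, 1 if not.
macro_gates_code() {
    [ "$(directive_uses "$1" "$2")" -gt 0 ]
}

# Human-readable verdict for MACRO in DIR.
report() {
    printf '%s: %s preprocessor use(s), %s string-literal mention(s)\n' \
        "$1" "$(directive_uses "$1" "$2")" "$(string_uses "$1" "$2")"
    if macro_gates_code "$1" "$2"; then
        echo "  -> defining $1 changes what gets compiled"
    else
        echo "  -> $1 never reaches a preprocessor conditional; setting it is a no-op for this code"
    fi
}

# Constructed sample tree (made-up file names and contents, not the real
# openswan sources) reproducing the issue's finding.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/programs/pluto"
    cat > "$d/programs/pluto/nat_traversal.c" <<'EOF'
#include <stdio.h>
/* The macro is only part of the advice text, so -DUSE_NAT_TRAVERSAL_TRANSPORT_MODE does nothing. */
void warn_transport(void)
{
    printf("Transport Mode not allowed due to security concerns -- using Tunnel mode. "
           "Rebuild with USE_NAT_TRAVERSAL_TRANSPORT_MODE=true in Makefile.inc\n");
}
EOF
    cat > "$d/programs/pluto/quick.c" <<'EOF'
/* This macro really gates code: the #ifndef picks the default. */
#ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
static const int transport_allowed = 0;
#else
static const int transport_allowed = 1;
#endif
EOF
    echo "$d"
}

# Demo on the constructed tree.
SAMPLE=$(make_sample_tree)
report USE_NAT_TRAVERSAL_TRANSPORT_MODE "$SAMPLE"
report I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT "$SAMPLE"
rm -rf "$SAMPLE"
```

Pointed at a real checkout (report USE_NAT_TRAVERSAL_TRANSPORT_MODE /path/to/openswan), it gives the same verdict the grep in this report reached: a macro with zero preprocessor uses in the C sources cannot change what that code does at compile time, so the fix has to be in the code path that emits the message rather than in Makefile.inc.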