Sunday, April 4, 2010

ipsec-tools fix for Nokia VPN NAT-T

Nokia NAT-T is not compatible with the Linux ipsec-tools. More information can be found in this ticket in the ipsec-tools bug tracker.
An ugly hack which fixes this problem is provided at Nokia VPN (N97) -> raccon -> Nat-T. Since this is the only fix available, we'll go with ugly ...

Basically, the racoon daemon has to be compiled without RFC NAT-T support, and one source line has to be changed.

I will spell out the procedures outlined above:

Using actual "raw" sources

To compile from source, get the ipsec-tools tarball from the ipsec-tools project page.

For compilation I used the following configure options:
./configure \
--enable-hybrid \
--enable-frag \
--enable-gssapi \
--enable-stats \
--enable-dpd \
--enable-fastquit \
--disable-ipv6 \
--enable-natt \
--enable-natt-versions=0,1,2,3,4,5,6,7,8 \
--enable-security-context=kernel
Note the "--enable-natt-versions=0,1,2,3,4,5,6,7,8" switch.

Before compiling, change one line in the file ipsec-tools-0.7.1/src/racoon/nattraversal.c:
--- ipsec-tools-0.7.1/src/racoon/nattraversal.c 2009-12-15 08:01:36.000000000 +0100
+++ ipsec-tools-0.7.1.patched/src/racoon/nattraversal.c 2009-10-11 13:39:36.000000000 +0200
@@ -314,7 +314,7 @@
return;
}

- if (iph1->natt_options->version < vid_numeric)
+ if (iph1->natt_options->version == 0)
if (natt_fill_options (iph1->natt_options, vid_numeric) == 0)
iph1->natt_flags |= NAT_ANNOUNCED;
}
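Review bot: the new condition `if (iph1->natt_options->version == 0)` changes the NAT-T version selection for every peer, not only the Nokia client: the old `<` test upgraded to the highest version announced in the peer's vendor-ID payloads, while the new test accepts only the first NAT-T vendor ID received and ignores all later ones, so the negotiated version now depends on the order in which a peer sends its vendor IDs. That side effect should be stated next to the patch (or the check gated by a configuration option) so readers know it applies to all NAT-T peers of the patched racoon. Also, the hunk as shown has lost its leading indentation, so `patch` will not apply it cleanly; edit the line by hand or apply with `patch -l`.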

You can now compile and install. The resulting racoon daemon will accept NAT-T connections from a Nokia VPN client.
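To make the effect of that one-line change visible, here is an added example (not from this post or from ipsec-tools) that models the two selection rules over a constructed sequence of announced NAT-T versions; the version numbers and array names are assumptions, not racoon's own constants.

```c
#include <stdio.h>

#define N_ANNOUNCED 3

/* Constructed vendor-ID sequences (plain integers, not racoon's VENDORID_*
 * constants): the same three NAT-T versions announced in two orders. */
const int kAscending[N_ANNOUNCED]  = {2, 3, 8};
const int kDescending[N_ANNOUNCED] = {8, 3, 2};

/* Original rule from nattraversal.c: a vendor ID is accepted whenever it
 * announces a higher version than the one already recorded, so the
 * result is the highest version the peer announced, in any order. */
int select_version_original(const int *announced, int n)
{
    int version = 0;                 /* natt_options->version starts at 0 */
    for (int i = 0; i < n; i++)
        if (version < announced[i])  /* version < vid_numeric */
            version = announced[i];  /* natt_fill_options() succeeded */
    return version;
}

/* Patched rule: a vendor ID is accepted only while no version has been
 * recorded yet, so the result is whatever the peer announced first. */
int select_version_patched(const int *announced, int n)
{
    int version = 0;
    for (int i = 0; i < n; i++)
        if (version == 0)            /* version == 0 */
            version = announced[i];
    return version;
}

int main(void)
{
    printf("original: ascending=%d descending=%d\n",
           select_version_original(kAscending, N_ANNOUNCED),
           select_version_original(kDescending, N_ANNOUNCED));
    printf("patched:  ascending=%d descending=%d\n",
           select_version_patched(kAscending, N_ANNOUNCED),
           select_version_patched(kDescending, N_ANNOUNCED));
    return 0;
}
```

The original rule yields 8 for both orders; the patched rule yields 2 for the ascending order and 8 for the descending one, which is why the patched racoon's behaviour now depends on the peer's vendor-ID ordering.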

Using Debian sources

apt-get install devscripts build-essential fakeroot
apt-get build-dep racoon
apt-get source racoon
cd ipsec-tools*
dch -l local nokia
  • edit debian/rules and add the --enable-natt-versions=0,1,2,3,4,5,6,7,8 option to configure
  • patch src/racoon/nattraversal.c as described above
debuild -us -uc
dpkg -i ../*.deb