Anyone using mobile IPsec?

[Lee Sharp]

I have had two reports of problems with mobile IPsec on SmallWall since the b567 upgrade to allow l2tp.  As we share this code exactly, I wanted to get more eyes on it.  Is anyone using mobile IPsec on t1n1wall successfully?

[andywhite]

what are the reports ?

[Lee Sharp]

You connect fine, but no traffic passes.  Discussion in these two threads;
http://smallwall.freeforums.net/thread/71/mobile-vpn-thegreenbow-smallwall
http://smallwall.freeforums.net/thread/73/m0n0wall-smallwall-migration-ipsec-issue

I am having a hard time replicating it since I do not use mobile IPsec or Windows.   I was trying to find out if anyone was using it successfully since the b576 patch.

[andywhite]

yes it is broken

FYI, mobile IPSEC requires aggressive mode, main mode will require ip addresses as the identifier which isn't workable for mobile IPSEC

l2tp currently breaks ipsec that is in aggressive mode, ONLY when l2tp is enabled, so with it disabled aggressive mode in mobile IPSEC should work

the spd display page has a bug

the work for l2tp patched racoon/setkey/libipsec and the kernel, so mostly like the problem is in one of those patches, which will take a good bit of digging.

[Lee Sharp]

Frankly, I do not see a big reason to fix.  L2tp is a functional replacement for Mobile IPsec, and it is MUCH better supported.  I just need better documentation to say that you have to choose one or the other and configure IPSEC accordingly.

[Lee Sharp]

I have a report of it failing under Aggressive as well.

http://smallwall.freeforums.net/thread/71/mobile-vpn-thegreenbow-smallwall

[andywhite]

to get l2tp working there are a lot of patches.

some of these patches are around NAT environments, where t1n1wall can be behind NAT, and the mobile device can also be behind NAT.  When this is detected, these patches figure out the real and NAT'd address and try to do the right thing.  However, it looks like for mobile ipsec, when racoon tries to create a dynamic policy, it is using the wrong address to create the policy.

From some basic testing today, I can see that the policy it is adding is to encrypt traffic from the client IP to the t1n1wall IP, and not from the client IP to the t1n1wall LAN subnet,  I have modified one of the patches to remove this behavior, and made a new build (b64) for testing

This needs to be tested in 4 environments

1) t1n1wall is behind NAT, and client isn't
2) t1n1wall and client are behind their own NATs
3) client is behind NAT and t1n1wall isn't
4) no NAT between client and server

L2TP should be tested as above and IPSEC tunnels should be tested as working.

Andrew

[Lee Sharp]

I will encourage the people with the problem on SmallWall to come over to this thread and to try your image.

[Gilgamoth]

Has this been tested as working yet? I've just upgraded to 1.10.2b102 and got it stable and tried mobile IPsec for the first time in a long time and it doesn't seem to be working.

[andywhite]

mobile ipsec (not l2tp) should work fine, the bug that caused the problem was fixed.  If it's not working for you, please post some details

[Gilgamoth]

Hi Andy,
My Mobile IPsec config that works under 1.8, didn't work when I moved to 1.10 (as per my bug report). I use it very rarely, so didn't spend too long testing the 1.10 problem as I was having other issues (as per bug report ).