IPSEC and NAT-T problem

I have a VPN from Windows 7 laptop to MikroTik using L2TP/IPSEC with NAT-T. It works without NAT-T but it has a strange error using NAT-T:

14:59:28 ipsec respond new phase 1 negotiation: 68.183.xxx.xxx[500]<=>67.169.xxx.xxx[500] 
14:59:28 ipsec begin Identity Protection mode. 
14:59:28 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY 
14:59:28 ipsec received Vendor ID: RFC 3947 
14:59:28 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02 
14:59:28 ipsec 
14:59:28 ipsec received Vendor ID: FRAGMENTATION 
14:59:28 ipsec Selected NAT-T version: RFC 3947 
14:59:28 ipsec invalid DH group 20. 
14:59:28 ipsec invalid DH group 19. 
14:59:28 ipsec Hashing 68.183.xxx.xxx[500] with algo #2  
14:59:28 ipsec NAT-D payload #0 verified 
14:59:28 ipsec Hashing 67.169.xxx.xxx[500] with algo #2  
14:59:28 ipsec NAT-D payload #1 doesn't match 
14:59:28 ipsec NAT detected: PEER 
14:59:28 ipsec Hashing 67.169.xxx.xxx[500] with algo #2  
14:59:28 ipsec Hashing 68.183.xxx.xxx[500] with algo #2  
14:59:28 ipsec Adding remote and local NAT-D payloads. 
14:59:28 ipsec NAT-T: ports changed to: 67.169.xxx.xxx[4500]<->68.183.xxx.xxx[4500] 
14:59:28 ipsec KA list add: 68.183.xxx.xxx[4500]->67.169.xxx.xxx[4500] 
14:59:28 ipsec ISAKMP-SA established 68.183.xxx.xxx[4500]-67.169.xxx.xxx[4500] spi:4ad7f89178310abd:5ca6f63efdbf1b79 
14:59:28 ipsec respond new phase 2 negotiation: 68.183.xxx.xxx[4500]<=>67.169.xxx.xxx[4500] 
14:59:28 ipsec Update the generated policy : 192.168.1.101/32[1701] 68.183.xxx.xxx/32[1701] proto=udp dir=in 
14:59:28 ipsec Adjusting my encmode UDP-Transport->Transport 
14:59:28 ipsec Adjusting peer's encmode UDP-Transport(4)->Transport(2) 
14:59:28 ipsec IPsec-SA established: ESP/Transport 67.169.xxx.xxx[4500]->68.183.xxx.xxx[4500] spi=76079680(0x488e240) 
14:59:28 ipsec IPsec-SA established: ESP/Transport 68.183.xxx.xxx[4500]->67.169.xxx.xxx[4500] spi=4062236856(0xf220d0b8) 
14:59:28 ipsec the length in the isakmp header is too big. 
14:59:29 ipsec the length in the isakmp header is too big. 
14:59:31 ipsec the length in the isakmp header is too big. 
14:59:35 ipsec the length in the isakmp header is too big.

Any ideas about “the length in the isakmp header is too big.” ???
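The "NAT-D payload #0 verified / #1 doesn't match / NAT detected: PEER" lines in the log above come from the RFC 3947 NAT discovery exchange. The following is an added example, not code from the thread or from RouterOS: it computes the NAT-D payloads the Windows client sends and runs the responder-side comparison that produces those log lines. The cookies are taken from the log's ISAKMP SPI; the addresses are constructed stand-ins (RFC 5737 ranges) for the xxx'd public IPs.

```python
import hashlib
import ipaddress

# IKEv1 OAKLEY hash-algorithm attribute values; racoon's "Hashing ... with algo #2" is SHA-1.
HASH_ALGS = {1: "md5", 2: "sha1"}

def nat_d_hash(cky_i, cky_r, ip, port, algo=2):
    """NAT-D payload, RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port),
    with IP as the packed 4-byte address and Port as 2 bytes big-endian."""
    h = hashlib.new(HASH_ALGS[algo])
    h.update(cky_i + cky_r + ipaddress.ip_address(ip).packed + port.to_bytes(2, "big"))
    return h.digest()

def initiator_nat_d_payloads(cky_i, cky_r, peer_addr, own_addrs, algo=2):
    """The initiator sends the hash of the peer's address first (#0), then one
    payload per address it believes it owns (#1..)."""
    return [nat_d_hash(cky_i, cky_r, *peer_addr, algo=algo)] + \
           [nat_d_hash(cky_i, cky_r, *a, algo=algo) for a in own_addrs]

def responder_nat_detect(cky_i, cky_r, payloads, own_addr, observed_peer, algo=2):
    """Responder-side check (the MikroTik in the thread). #0 must equal the hash of
    its own address, otherwise the responder itself sits behind NAT ("ME"); if no
    payload in #1.. matches the source seen on the wire, the initiator's address
    was rewritten in transit ("PEER")."""
    me_natted = payloads[0] != nat_d_hash(cky_i, cky_r, *own_addr, algo=algo)
    wire = nat_d_hash(cky_i, cky_r, *observed_peer, algo=algo)
    peer_natted = not any(p == wire for p in payloads[1:])
    if me_natted and peer_natted:
        return "BOTH"
    if me_natted:
        return "ME"
    if peer_natted:
        return "PEER"
    return None

# Constructed sample: cookies from the thread's first log, documentation-range
# addresses standing in for the masked public IPs.
CKY_I = bytes.fromhex("4ad7f89178310abd")
CKY_R = bytes.fromhex("5ca6f63efdbf1b79")
SERVER = ("198.51.100.10", 500)          # MikroTik, public address, no NAT
CLIENT_PRIVATE = ("192.168.1.101", 500)  # laptop's own address, as in the generated policy
CLIENT_PUBLIC = ("203.0.113.7", 500)     # source address the server sees after the NAT

def demo():
    sent = initiator_nat_d_payloads(CKY_I, CKY_R, SERVER, [CLIENT_PRIVATE])
    return responder_nat_detect(CKY_I, CKY_R, sent, SERVER, CLIENT_PUBLIC)

if __name__ == "__main__":
    print("NAT detected:", demo())   # PEER, as in the thread's log
```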

It seems the tunnel is established correctly, but the kernel is not capturing the tunneled packets and is instead letting them go through to racoon. They’re not a valid isakmp packet so racoon says the length is wrong.

I’ve got a support ticket open for this issue. Nothing back yet apart from ‘we’re looking at it’.

In my case I worked around the problem by turning off NAT-T and just passing ESP across the intermediate NAT device. Your mileage may vary as this depends upon the NAT device being able to keep track of the ESP connections.

Kind regards

Andrew
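Andrew's explanation of the error, illustrated with an added example that is not from the thread or from RouterOS. Everything arriving on UDP/4500 has to be demultiplexed first: four zero bytes (the non-ESP marker) precede IKE, a single 0xFF byte is a NAT keepalive, and anything else is UDP-encapsulated ESP whose first four bytes are the SPI (RFC 3948 sections 2.2 and 2.3, RFC 3947 section 5.2). The model of racoon below, which drops the 4 marker bytes and parses the rest as an ISAKMP header, is an assumption made for the illustration; the sample packets are constructed, with the ESP SPI taken from the log.

```python
import struct

# ISAKMP header, RFC 2408 section 3.1: CKY-I, CKY-R, next payload, version,
# exchange type, flags, message ID, total length (28 bytes in all).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"

def classify_udp4500(payload):
    """Demultiplex one UDP/4500 datagram the way the kernel is expected to."""
    if payload == b"\xff":
        return "nat-keepalive"              # RFC 3948 section 2.3
    if payload[:4] == NON_ESP_MARKER:
        return "ike"                        # IKE follows the four zero bytes
    return "udp-encap-esp"                  # non-zero ESP SPI: kernel's job, not racoon's

def parse_isakmp_header(data):
    """The two sanity checks racoon reports in the thread's logs."""
    if len(data) < ISAKMP_HDR.size:
        raise ValueError("packet shorter than isakmp header size")
    cky_i, cky_r, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(data)
    if length > len(data):
        raise ValueError("the length in the isakmp header is too big.")
    return {"cky_i": cky_i.hex(), "cky_r": cky_r.hex(), "exchange": xchg, "length": length}

def racoon_receive(payload):
    """Assumed daemon behaviour on port 4500: skip the marker, parse ISAKMP."""
    try:
        return parse_isakmp_header(payload[4:])
    except ValueError as e:
        return str(e)          # what ends up in /log print

def receive_udp4500(payload, kernel_demux):
    """kernel_demux=False reproduces the bug: every datagram reaches racoon."""
    if kernel_demux:
        kind = classify_udp4500(payload)
        if kind != "ike":
            return kind
    return racoon_receive(payload)

# Constructed samples. IKE: marker + a bare informational header (exchange type 5).
CKY_I = bytes.fromhex("4ad7f89178310abd")
CKY_R = bytes.fromhex("5ca6f63efdbf1b79")
IKE_PKT = NON_ESP_MARKER + ISAKMP_HDR.pack(CKY_I, CKY_R, 0, 0x10, 5, 0, 0, 28)
# ESP: SPI from the log, sequence number 1, dummy ciphertext (0x88 repeated).
ESP_PKT = (0x0488e240).to_bytes(4, "big") + (1).to_bytes(4, "big") + b"\x88" * 40
KEEPALIVE = b"\xff"

if __name__ == "__main__":
    for pkt in (IKE_PKT, ESP_PKT, KEEPALIVE):
        print(receive_udp4500(pkt, kernel_demux=False), "|", receive_udp4500(pkt, kernel_demux=True))
```

Without the kernel demux the ESP datagram's ciphertext bytes are read as the ISAKMP length field, which is exactly the "length in the isakmp header is too big" line in the thread; with it, the same datagram never reaches the IKE daemon.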

Thanks Andrew. Unfortunately for me the client is a roadwarrior so there is no access to the client NAT.

I’m not sure if this is a kernel issue or a racoon issue but some other distros have this problem as well.

Thank you very much for the report.
Perhaps we will need your help.
It seems we were able to track that issue once again. We are looking for a way to fix the problem.

That’s fantastic you are looking into the issue. I don’t know how to fix the problem but I will see if I can come up with anything.

Hi,

I’m experiencing exactly the same problem. RouterOS version is 3.20.

The L2TP/IPSEC client is a Vista SP2 computer and is behind a NAT device (Dlink DI-624). The L2TP/IPSEC server is the Mikrotik with Public IP and NAT-T enabled.

The log shows the same error: ipsec the length in the isakmp header is too big

No connection to this “feature”?

The default behavior of IPsec NAT traversal (NAT-T) is changed in Windows XP Service Pack 2
http://support.microsoft.com/kb/885407/en-us

How to configure an L2TP/IPsec server behind a NAT-T device in Windows Vista and in Windows Server 2008
http://support.microsoft.com/kb/926179/en-us

I believe the change Microsoft implemented only applies when the server is behind NAT. My server is not behind NAT, just the client is.

Exactly, this Microsoft change should only affect NAT servers, but in my case the server also has a public IP, so only the client is behind a NAT.

Besides that, I’ve tried changing the client to an XP SP1 machine and the problem persists.

Has anyone tried with the new v4.x software? Mine has been upgraded to v3.30 with no success.

Best Regards,

William.

A fix for the problem will be included in version 4.4. Thank you very much for your reports.
If anyone still has the problem with the ISAKMP header, please let us know.

Woohoo! Thank you! Now for L2TP/IPSEC the L2TP is still somewhat broken, it responds on the wrong IP…

http://forum.mikrotik.com/t/problems-with-vpn/28324/1

I just tested the IPSEC NAT-T and it is indeed working in v4.4.

Well, I’ve just tried with v4.4 but with no success.

Please, “rpress”, did you need to configure anything in /ip ipsec policy? I did not put anything there because I’ve left the /ip ipsec peer with Generate Policy enabled.

When connecting, RouterOS creates two installed SAs with the public IPs of both the server and the client, as normal. But it creates only one policy, using the NATed client IP as source and the public server IP as destination.

The log shows: packet shorter than isakmp header size

Best Regards,

William.

IPSEC NAT-T works properly, but L2TP responds outside of the tunnel, so it just bangs the firewall of the client.

williamm, the original error was different. Please give more information about your setup: what device do you have on the other end?
What is the configuration for /ip ipsec peer on MikroTik RouterOS?

sergejs,

The RouterOS device is a Soekris x86 SBC model NET4501. It’s running the L2TP/IPSec server with the following IPSec config:

/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024

/ip ipsec peer
add address=0.0.0.0/0:500 auth-method=pre-shared-key dh-group=modp1024 disabled=no dpd-interval=disable-dpd dpd-maximum-failures=1 enc-algorithm=3des exchange-mode=main generate-policy=yes hash-algorithm=sha1 lifebytes=0 lifetime=1d nat-traversal=yes proposal-check=obey secret="12345" send-initial-contact=no

The L2TP/IPSec client is a Windows Vista SP2 laptop connected to the Internet with a dynamic IP and using a Dlink DI-624 wireless router with NAT enabled. I’ve also tried connecting the laptop directly to the public IP (not via the NATed wireless router) and removing NAT-T from RouterOS, and that way it works perfectly.

Best Regards,

William.

Post exact error that you have in /log print.

sergejs,

Here is my /log print:

18:12:06 ipsec respond new phase 1 negotiation: 189.19.xxx.xxx[500]<=>201.1.xxx.xxx[500]
18:12:06 ipsec begin Identity Protection mode.
18:12:06 ipsec received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
18:12:06 ipsec received Vendor ID: RFC 3947
18:12:06 ipsec received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
18:12:06 ipsec
18:12:06 ipsec received Vendor ID: FRAGMENTATION
18:12:06 ipsec Selected NAT-T version: RFC 3947
18:12:06 ipsec invalid DH group 20.
18:12:06 ipsec invalid DH group 19.
18:12:06 ipsec Hashing 189.19.86.219[500] with algo #2
18:12:06 ipsec NAT-D payload #0 verified
18:12:06 ipsec Hashing 201.1.105.73[500] with algo #2
18:12:06 ipsec NAT-D payload #1 doesn’t match
18:12:06 ipsec NAT detected: PEER
18:12:07 ipsec Hashing 201.1.xxx.xxx[500] with algo #2
18:12:07 ipsec Hashing 189.19.xxx.xxx[500] with algo #2
18:12:07 ipsec Adding remote and local NAT-D payloads.
18:12:07 ipsec NAT-T: ports changed to: 201.1.xxx.xxx[60052]<->189.19.xxx.xxx[4500]
18:12:07 ipsec KA list add: 189.19.xxx.xxx[4500]->201.1.xxx.xxx[60052]
18:12:07 ipsec ISAKMP-SA established 189.19.xxx.xxx[4500]-201.1.xxx.xxx[60052] spi:a98aeec3c010dc6d:6d9f0d8a225f8f17
18:12:08 ipsec respond new phase 2 negotiation: 189.19.xxx.xxx[4500]<=>201.1.xxx.xxx[60052]
18:12:08 ipsec no policy found, try to generate the policy : 10.0.2.3/32[1701] 189.19.86.219/32[1701] proto=udp dir=in
18:12:08 ipsec Adjusting my encmode UDP-Transport->Transport
18:12:08 ipsec Adjusting peer’s encmode UDP-Transport(4)->Transport(2)
18:12:08 ipsec trns_id mismatched: my:3DES peer:AES
18:12:08 ipsec not matched
18:12:08 ipsec Adjusting my encmode UDP-Transport->Transport
18:12:08 ipsec trns_id mismatched: my:3DES peer:AES
18:12:08 ipsec not matched
18:12:08 ipsec Adjusting peer’s encmode UDP-Transport(4)->Transport(2)
18:12:08 ipsec the length in the isakmp header is too big.
18:12:08 ipsec IPsec-SA established: ESP/Transport 201.1.xxx.xxx[60052]->189.19.xxx.xxx[4500] spi=207874013(0xc63e7dd)
18:12:08 ipsec IPsec-SA established: ESP/Transport 189.19.xxx.xxx[4500]->201.1.xxx.xxx[60052] spi=2053995087(0x7a6d7a4f)
18:12:09 ipsec the length in the isakmp header is too big.
18:12:11 ipsec the length in the isakmp header is too big.
18:12:15 ipsec the length in the isakmp header is too big.
18:12:23 ipsec the length in the isakmp header is too big.
18:12:28 ipsec packet shorter than isakmp header size (5, 3063842135, 28)
18:12:33 ipsec the length in the isakmp header is too big.
18:12:43 ipsec generated policy, deleting it.
18:12:43 ipsec get a src address from ID payload 10.0.2.3[1701] prefixlen=32 ul_proto=17
18:12:43 ipsec get dst address from ID payload 189.19.xxx.xxx[1701] prefixlen=32 ul_proto=17
18:12:43 ipsec pfkey spddelete(inbound) sent.
18:12:43 ipsec purged IPsec-SA proto_id=ESP spi=2053995087.
18:12:43 ipsec pfkey X_SPDDELETE failed: No such file or directory
18:12:43 ipsec pfkey X_SPDDELETE failed: No such file or directory
18:12:43 ipsec ISAKMP-SA expired 189.19.xxx.xxx[4500]-201.1.xxx.xxx[60052] spi:a98aeec3c010dc6d:6d9f0d8a225f8f17
18:12:44 ipsec ISAKMP-SA deleted 189.19.xxx.xxx[4500]-201.1.xxx.xxx[60052] spi:a98aeec3c010dc6d:6d9f0d8a225f8f17
18:12:44 ipsec KA remove: 189.19.xxx.xxx[4500]->201.1.xxx.xxx[60052]

Best Regards,

William.

Hi there,

Has anyone got Windows L2TP/IPSec working when the client is behind NAT (using NAT-T)?

I have installed the latest version v4.5, so I was hoping that it would be possible to connect L2TP/IPSec from Windows or iPhone behind NAT, since it was not possible before due to this error: “ipsec the length in the isakmp header is too big.”.

That error is now fixed. However, there is still a problem: it is not possible to establish an L2TP/IPSec connection when the client computer is behind NAT, even if the NAT-Traversal option is enabled.

L2TP is still redialling because the L2TP server is not able to communicate with the client IP, because IPSec doesn’t work well.

Here is auto generated IPSec Policy:

src-address=10.0.2.15/32:any dst-address=90.180.35.153/32:any protocol=udp 
     action=encrypt level=require ipsec-protocols=esp tunnel=no sa-src-address=10.0.2.15 
     sa-dst-address=93.190.55.253 proposal=default priority=2

Could the problem be in the private IP address “10.0.2.15/32”??
The L2TP server can receive the client’s control message, but the client is not able to receive the server’s replies.

It would be GREAT if the Mikrotik Team could show all of us how to get this working, because I have spent a really large amount of time looking for a working solution, but it seems that nobody has got this working yet. THANKS!