[Vpn-devel] Cisco UDP Encapsulation

Robert Nelson robertn at the-nelsons.org
Sun Feb 1 14:14:00 CST 2009 

----- Original Message ----- 
From: "Matthew Grooms" <mgrooms at shrew.net>
To: "Robert Nelson" <robertn at the-nelsons.org>
Cc: <vpn-devel at lists.shrew.net>
Sent: Sunday, February 01, 2009 11:25 AM
Subject: Re: [Vpn-devel] Cisco UDP Encapsulation


> Robert Nelson wrote:
>> I'm trying to add support for Cisco's proprietary UDP encapsulation.
>>  It differs from NAT-T in the following ways:
>>     Gateway port is negotiated using xconfig instead of using port 4500.
>>     ISAKMP traffic stays on port 500.
>>     Keepalives are single byte UDP packets with 0xFF
>>     ESP header immediately follows UDP header.
>>  I have all the configuration work done.  I'm having a bit of a problem 
>> deciphering what to change in the code to get the ESP traffic to use UDP 
>> protocol packets instead of ESP protocol packets.
>>  I would appreciate any pointers.
>>
>
> Robert,
>
> This is would be very tricky to accomplish unless the UDP encapsulation 
> format is identical to one of the formats described in these documents ...
>
> http://www.shrew.net/support/browser/ike/head/docs/draft-ietf-ipsec-udp-encaps-00.txt
> http://www.shrew.net/support/browser/ike/head/docs/draft-ietf-ipsec-udp-encaps-02.txt
> http://www.shrew.net/support/browser/ike/head/docs/rfc3948.txt
>
> On platforms like BSD and Linux, the client only provides IKE services and 
> client front end utilities. It uses the PF_KEY mechanism to manage the 
> kernel security policies and security associations. The SPs/SAs are used 
> by the OS kernel IPsec support to protect the traffic. In other words, 
> Shrew Soft doesn't provide custom code to process ESP/AH traffic.
>
> On Windows platforms, the client provides IKE services, custom IPsec 
> packet processing ( the source code for this module is not available to 
> the general public ), and client front end utilities. To make the code as 
> portable as possible, a PF_KEY kernel side interface is implemented by the 
> Shrew Soft IPsec service. This allows the IKE daemon to manage SPs/SAs in 
> the same manner it would as if it were running on a *nix platform. The 
> only difference is that it communicates over a named pipe instead of a 
> PF_KEY socket.
>
> To make matters more complicated, the PF_KEY extensions used to manage a 
> NAT-T security association are not fully documented in any RFC or draft 
> that I am aware of. The implementation details even differ currently on 
> BSD vs Linux in this regard. Luckily, Yvan ( ipsec-tools ) is working to 
> correct these differences and hopefully document the requirements so we 
> can all be on the same page.
>
> Now that you know some of the gory details, the code used to manage the 
> SP/SA database is contained in the ike.io.pfkey.cpp file. It makes calls 
> into libpfkey which is a very thin wrapper around the PF_KEY socket calls 
> on *nix or named pipes on Windows. To actually add a new type of UDP 
> encapsulation ( assuming the format isn't compatible with one of the 
> formats described in the documents above ), you would need to define a 
> socket option ( defined in the system udp.h and set on the IKE socket in 
> ike.socket.cpp ) and provide kernel source patches that handle the new 
> packet format.
>
> If the UDP format does match one of existing packet formats, then the only 
> changes required would be in the IKE sources. From your brief description 
> above, I would venture to guess that the rfc3948 ESP packet format may 
> possibly work ( UDP header immediately followed by an ESP header ). You 
> may be able set the correct option on a dummy socket bound to the 
> negotiated encapsulated port and modify the IKE daemon to not migrate away 
> from port 500 for IKE traffic. This way the UDP/ESP packets will still be 
> processed by the kernel. It would simply never forward any received 
> packets to userland ( normally multiplexed on the same port as UDP/ESP ) 
> because they would never contain a NON-ESP marker. Have a look at the RFC 
> document for more details.
>
> Hope this helps,
>
> -Matthew
>


Yep that helped a lot.  I have it working!  I was so close and heading in 
the right direction, your explanation pointed me to the one piece I was 
missing.

More information about the vpn-devel mailing list