Jool
Remote Access VPN through 464XLAT Jool
Hello,
I have a full 464XLAT deployment using Jool (CLAT and PLAT). Everything is working so far, but I realized that remote access VPN has issues: phase 1 is not established. OpenVPN and SSL VPNs are working properly, but IPsec doesn't.
I am using a Cisco ASA 5505 and the VPN Access Manager software as a client; both have NAT-T enabled.
Has anyone ever established a Remote Access VPN in this scenario?
(Don't believe anything I say because my understanding of IPsec is very shallow.)
When you say "464XLAT" you mean your PLAT is a Stateful NAT64?
IPsec cannot be translated by a NAT64 for (likely) several reasons. One of them is that it encrypts the TCP/UDP headers the NAT64 needs to compute the state information. (It might work through dual SIITs as opposed to SIIT-NAT64, but don't quote me on it.)
That's the textbook answer. Check this out. It was written by someone much more knowledgeable than me.
Hello, thanks for your reply. Exactly, I am using a stateless CLAT and a stateful PLAT (NAT64).
I have: LAN (DUAL STACK) -- WAN (DUAL STACK IPv6 / Private IPv4) ---- Jool CLAT (Private IPv4 Gateway ) --- Jool PLAT --- ASA 5505 (VPN PEER).
Communication between the end device and the VPN peer is working properly. But VPN IPsec Phase 1 (ISAKMP) is not completed at all.
I am looking for some restriction between IPsec and NAT64. I found the following in the RFC:
Different IPsec modes for VPN services have been tested, including IPsec Authentication Header (AH) and IPsec Encapsulating Security Payload (ESP). It has been shown that IPsec AH fails because the destination host detects the IP header changes and invalidates the packets. IPsec ESP failed in our testing because the NAT64 does not translate IPsec ESP (i.e., protocol 50) packets. It has been suggested that IPsec ESP would succeed if the IPsec client supports NAT traversal in the Internet Key Exchange Protocol (IKE) [RFC3947] and uses IPsec ESP over UDP [RFC3948].
I enabled NAT traversal on both ends, but it is still not working.
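The RFC excerpt above says a stateful NAT64 can only carry IPsec if IKE floats to UDP/4500 and ESP travels UDP-encapsulated (RFC 3948), never as bare protocol 50. The script below is an added example, not code from the thread or from the Jool project: it classifies raw IPv4 packets by what a stateful NAT64 (RFC 6146: TCP, UDP and ICMP only) can translate, tells IKE on UDP/4500 apart from ESP-in-UDP by the four-zero-byte non-ESP marker of RFC 3948, and gives a verdict for a capture taken on the IPv4 side of the PLAT. The sample packets are constructed (dummy addresses, cookies and SPIs), not taken from the poster's capture; with a real capture you would feed it the raw IPv4 bytes from each frame instead.

```python
import struct
from typing import Dict, List

# IANA protocol numbers relevant to this thread.
PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_ESP, PROTO_AH = 1, 6, 17, 50, 51
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE on UDP/4500 is prefixed with four zero bytes


def classify_ipv4(pkt: bytes) -> Dict[str, object]:
    """Parse one raw IPv4 packet and say whether a stateful NAT64 can carry it.

    RFC 6146 stateful NAT64 only creates sessions for TCP, UDP and ICMP. ESP (50)
    has no port-like field to key a session on, and AH (51) authenticates the IP
    header that translation rewrites, so neither survives a NAT64.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    info: Dict[str, object] = {"proto": proto, "kind": "other", "nat64_ok": False}

    if proto == PROTO_ESP:
        info["kind"] = "ESP"
    elif proto == PROTO_AH:
        info["kind"] = "AH"
    elif proto == PROTO_TCP:
        info.update(kind="TCP", nat64_ok=True)
    elif proto == PROTO_ICMP:
        info.update(kind="ICMP", nat64_ok=True)
    elif proto == PROTO_UDP:
        if len(payload) < 8:
            raise ValueError("truncated UDP header")
        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        data = payload[8:ulen]
        info["nat64_ok"] = True
        if 500 in (sport, dport):
            info["kind"] = "IKE"             # plain ISAKMP on UDP/500
        elif 4500 in (sport, dport):
            if data == b"\xff":
                info["kind"] = "NAT-keepalive"   # one-byte NAT-T keepalive (RFC 3948)
            elif data[:4] == NON_ESP_MARKER:
                info["kind"] = "IKE-NAT-T"   # IKE floated to 4500
            else:
                info["kind"] = "ESP-in-UDP"  # UDP-encapsulated ESP, SPI comes first
        else:
            info["kind"] = "UDP"
    return info


def vpn_verdict(packets: List[bytes]) -> Dict[str, object]:
    """Summarise a capture taken between the VPN client and the NAT64: which IPsec
    forms appeared, and whether anything a stateful NAT64 cannot translate was sent."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        kind = str(classify_ipv4(pkt)["kind"])
        counts[kind] = counts.get(kind, 0) + 1
    bare_esp = counts.get("ESP", 0) + counts.get("AH", 0)
    floated = counts.get("IKE-NAT-T", 0) > 0 or counts.get("ESP-in-UDP", 0) > 0
    if bare_esp:
        verdict = "bare ESP/AH seen: a stateful NAT64 drops these; NAT-T did not take effect"
    elif counts.get("IKE", 0) and not floated:
        verdict = "only UDP/500 IKE seen: phase 1 never floated to 4500; check NAT-T detection on both peers"
    elif floated:
        verdict = "IKE and ESP are UDP-encapsulated on 4500: translatable; look for drops elsewhere (e.g. Jool debug output)"
    else:
        verdict = "no IPsec traffic in capture"
    return {"counts": counts, "bare_esp": bare_esp, "floated": floated, "verdict": verdict}


# --- Constructed sample packets (not from the poster's capture) -----------------

def build_ipv4(proto: int, payload: bytes,
               src: bytes = bytes([10, 0, 0, 2]), dst: bytes = bytes([192, 168, 1, 1])) -> bytes:
    # Header checksum is left at zero; classify_ipv4() never validates it.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# Minimal 28-byte ISAKMP header: dummy initiator cookie, zero responder cookie,
# next payload SA (1), version 1.0, exchange type 2 (identity protection), flags 0,
# message ID 0, length 28.
ISAKMP_HDR = b"\x11" * 8 + b"\x00" * 8 + b"\x01\x10\x02\x00" + b"\x00" * 4 + b"\x00\x00\x00\x1c"
ESP_BODY = b"\x00\x00\x10\x01" + b"\x00\x00\x00\x01" + b"\xaa" * 16   # dummy SPI, seq 1, ciphertext

SAMPLE_BROKEN = [
    build_ipv4(PROTO_UDP, build_udp(500, 500, ISAKMP_HDR)),   # phase 1 starts on UDP/500 ...
    build_ipv4(PROTO_ESP, ESP_BODY),                           # ... then bare ESP, which the NAT64 cannot translate
]
SAMPLE_NAT_T = [
    build_ipv4(PROTO_UDP, build_udp(500, 500, ISAKMP_HDR)),
    build_ipv4(PROTO_UDP, build_udp(4500, 4500, NON_ESP_MARKER + ISAKMP_HDR)),   # IKE floated to 4500
    build_ipv4(PROTO_UDP, build_udp(4500, 4500, ESP_BODY)),                      # ESP-in-UDP
    build_ipv4(PROTO_UDP, build_udp(4500, 4500, b"\xff")),                       # NAT-T keepalive
]

if __name__ == "__main__":
    for name, pkts in (("broken", SAMPLE_BROKEN), ("nat-t", SAMPLE_NAT_T)):
        print(name, vpn_verdict(pkts))
```

The useful check for this thread is the second verdict branch: if a capture on the IPv4 side shows IKE only ever on UDP/500 and nothing on 4500, the peers never agreed they were behind a NAT, so the ESP that follows will be bare protocol 50 and the PLAT will drop it regardless of the NAT-T setting on either box.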
Hey. Do you still have this problem?
But VPN IPSEC Phase 1 (ISAKMP) is not completed at all.
What's the symptom? Is it a packet drop? Or are the endpoints finding something fishy and canceling the transaction?
And if it's a packet drop, is it Jool doing it?
Jool 4.1.2 is now available in the GitHub mirror. It contains a debug feature that will tell you why Jool is dropping the packet, if that's what's happening.
To provide more assistance, I think I will need packet captures and/or debug output.
Hello, Yes I still have the problem.
Uhhh, OK but... was this just a status update? Are you planning to answer the other questions?
I think I will need packet captures and/or debug output.
Please don't forget this one.