Lately I have been testing more than one IPsec configuration, and I'm not convinced by what Ubuntu/Debian currently provide. I no longer think OpenSWAN is the best solution available.
I ran into the following issues while trying OpenSWAN and StrongSWAN as provided by Ubuntu 8.04 and 10.04:
- Ubuntu 8.04 LTS (openswan 2.4.9): client connections are dropped after 60 minutes (see http://lists.openswan.org/pipermail/users/2009-July/017098.html)
- Ubuntu 10.04 LTS (openswan 2.6.23): responses to L2TP requests are not encapsulated in IPsec; since the original L2TP request was encapsulated in IPsec, any client located behind a NAT device (ADSL router, internal company network, etc.) won't be able to receive the response – it will be dropped by the NAT device (see http://bugs.xelerance.com/view.php?id=1004)
- Ubuntu 8.04 LTS (strongswan 4.1.9) and Ubuntu 10.04 LTS (strongswan 4.3.2): NAT-T support is not enabled in the binary; it is marked as "not safe" in the build script "debian/rules", which is a real headache, since anyone using a mobile device from Wi-Fi networks will at some point need this support
While trying out different versions of OpenSWAN I stumbled from one issue (and bug) into the next. I finally decided to settle for StrongSWAN and followed Niels’ advice (see http://nielspeen.com/blog/2009/04/linux-l2tpipsec-with-iphone-and-mac-osx-clients/) on how to re-build a StrongSWAN package with NAT-T support.
Even though I'm no security expert, I believe it was a bad choice by the original package maintainers not to include NAT-T support. It should be up to us sysadmins to decide whether or not we want to activate it. If you don't compile support for it into the binary, you take the choice about this vital component (IMHO) away from us! Just put "nat_traversal=no" and a comment about it "possibly" not being safe into the package's default configuration file!
PLEASE NOTE: StrongSWAN's NAT-T "possibly not being safe" does not refer to an implementation issue with this feature but to the specification itself!
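To illustrate the configuration point above, here is an added Python example (not the post's own code, and not from the StrongSWAN or OpenSWAN projects) that parses an ipsec.conf in the classic openswan/strongswan 4.x style and reports whether `nat_traversal` is set in `config setup` and which `conn` sections are pinned to UDP/1701 for L2TP. The sample configuration embedded in the script is constructed for the example. Keep in mind that `nat_traversal=yes` only helps when the binary was built with NAT-T support, which is the whole point of this post; the script can only tell you what the configuration asks for, not what the package can deliver.

```python
"""Report NAT-T and L2TP related settings from an ipsec.conf.

Added example for this post; constructed sample configuration, not taken
from a real host. Assumes the classic openswan/strongswan 4.x ipsec.conf
layout: 'config setup' and 'conn NAME' headers at column 0, indented
key=value lines below them.
"""

# Constructed sample ipsec.conf (not from a real host).
SAMPLE_IPSEC_CONF = """\
# constructed sample, not taken from a real host
config setup
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16

conn %default
    keyexchange=ikev1
    authby=secret

conn L2TP-PSK-NAT
    rightsubnet=vhost:%priv
    also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
    left=%defaultroute
    leftprotoport=17/1701
    right=%any
    rightprotoport=17/%any
    auto=add
"""


def parse_ipsec_conf(text):
    """Return (setup_dict, {conn_name: option_dict}) from ipsec.conf text."""
    setup = {}
    conns = {}
    current = None
    for raw in text.splitlines():
        # strip trailing comments and blank lines
        line = raw.split('#', 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # section header at column 0
            parts = line.split()
            if parts[0] == 'config' and len(parts) > 1 and parts[1] == 'setup':
                current = setup
            elif parts[0] == 'conn' and len(parts) > 1:
                current = conns.setdefault(parts[1], {})
            else:
                current = None  # unknown section: ignore its options
            continue
        if current is None or '=' not in line:
            continue
        key, value = line.strip().split('=', 1)
        current[key.strip()] = value.strip()
    return setup, conns


def nat_t_status(setup):
    """Classify the global nat_traversal setting: 'yes', 'no' or 'unset'."""
    value = setup.get('nat_traversal')
    if value is None:
        return 'unset'  # relies on whatever default the build compiled in
    return value.lower()


def l2tp_conns(conns):
    """Names of conns whose left side is pinned to UDP/1701 (L2TP).

    Resolves 'conn %default' and one level of 'also=' includes, which is
    how the usual L2TP-PSK-NAT / L2TP-PSK-noNAT pair is written.
    """
    result = []
    for name, opts in conns.items():
        if name == '%default':
            continue
        merged = dict(conns.get('%default', {}))
        merged.update(conns.get(opts.get('also', ''), {}))
        merged.update(opts)
        protoport = merged.get('leftprotoport', '').replace('udp', '17')
        if protoport == '17/1701':
            result.append(name)
    return sorted(result)


def report(text):
    """Human-readable summary lines for a given ipsec.conf text."""
    setup, conns = parse_ipsec_conf(text)
    status = nat_t_status(setup)
    lines = ['nat_traversal: %s' % status]
    if status != 'yes':
        lines.append('WARNING: clients behind NAT (Wi-Fi, ADSL routers) '
                     'will not connect without NAT-T')
    for name in l2tp_conns(conns):
        lines.append('L2TP conn: %s' % name)
    return lines


if __name__ == '__main__':
    for line in report(SAMPLE_IPSEC_CONF):
        print(line)
```

Run it against a real file with `report(open('/etc/ipsec.conf').read())`; an `unset` result means you are relying on the compiled-in default, which is exactly the situation the package's `debian/rules` decision leaves you in.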
I guess not everyone wants to rebuild the whole package, so I'll provide pre-compiled StrongSWAN packages with NAT-T support enabled for Ubuntu 8.04 LTS / 10.04 LTS.
Whatever you think about this short post – please drop me a note at firstname.lastname@example.org or simply use the yellow button on the right… 🙂