Hi,
I'm having trouble with an IPSec VPN connection between a NAT'd Linux client (ipsec-tools 0.7.1, kernel 2.6.22.19) and a NetScreen 5GT (firmware 5.0.0r6.e).
The client and the firewall negotiate a connection and I can see packets being encrypted and decrypted at the client end. At the firewall end, the packets from the internal network are encrypted properly and sent on to the client, however, the ESP/UDP packets from the client seem to be rejected rather than decrypted.
When the client's packets hit the firewall external interface a packet is generated in the other direction that Wireshark doesn't seem to be able to decode properly:
User Datagram Protocol, Src Port: isakmp (500), Dst Port: isakmp (500)
    Source port: isakmp (500)
    Destination port: isakmp (500)
    Length: 148
    Checksum: 0x0000 (none)
        Good Checksum: False
        Bad Checksum: False
UDP Encapsulation of IPsec Packets
    Non-ESP Marker
Internet Security Association and Key Management Protocol
    Initiator cookie: 000000000316DC43
    Responder cookie: 000000145BB1114D
    Next payload: UNKNOWN-ISAKMP-VERSION (2)
    Version: 8.7
    Exchange type: UNKNOWN-ISAKMP-VERSION (246)
    Flags: 0x33
    Message ID: 0xc4dbd891
    Length: 1549818119
    Encrypted payload (1549818091 bytes)
I have the NetScreen configured for a policy based VPN with the following settings:
Remote ID: Dialup user
Mode: Aggressive
NAT-T: enabled
Phase 1: pre-g2-aes128-sha
Phase 2: nopfs-esp-aes128-sha
If I disable the NAT on the client side (i.e. give it a public IP), the VPN comes up without NAT-T and the traffic flows correctly in both directions without any change to the configuration.
Can anyone help?
Thanks,
Gordon.
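Editor's note, added example (not part of Gordon's post): the decode above is what you get when a UDP/500 payload is parsed with the RFC 3948 framing (4-byte Non-ESP marker followed by an ISAKMP header), and it is obviously not an IKE header (version 8.7, a length field of 1.5 GB). The script below takes the 32 header bytes exactly as Wireshark printed them, reads them back as raw bytes, and decodes the same payload under each NAT-T framing that implementations of this era used: RFC 3948 (draft-ietf-ipsec-udp-encaps-02 and later, UDP/4500, 4-byte Non-ESP marker in front of IKE, ESP unmarked) and the earlier draft-ietf-ipsec-udp-encaps-00/-01 format (UDP/500, IKE unmarked, ESP preceded by an 8-byte all-zero Non-IKE marker). Under the early-draft reading the bytes fall out as 8 zero bytes, SPI 0x0316DC43 and sequence number 20, which is a plausible ESP header. That is a hypothesis to test against what NAT-T draft the two ends actually negotiated (the vendor ID payloads in the Phase 1 exchange will show it), not a confirmed diagnosis; the 108 bytes of filler after the header are constructed, since the post does not show the ciphertext.

```python
import struct

# Two NAT-T wire formats that implementations of different vintages use.
#   RFC 3948 / draft-ietf-ipsec-udp-encaps-02 and later, UDP/4500:
#       IKE = 4 zero bytes (Non-ESP marker) + ISAKMP header + payloads
#       ESP = SPI (never zero) + sequence number + ciphertext
#   draft-ietf-ipsec-udp-encaps-00/-01, UDP/500:
#       IKE = ISAKMP header + payloads (no marker)
#       ESP = 8 zero bytes (Non-IKE marker) + SPI + sequence number + ciphertext
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")  # icookie rcookie next version exch flags msgid length
ESP_HDR = struct.Struct("!II")             # spi seq


def parse_isakmp_header(buf: bytes) -> dict:
    ic, rc, nxt, ver, xchg, flags, msgid, length = ISAKMP_HDR.unpack_from(buf)
    major, minor = ver >> 4, ver & 0x0F
    return {
        "kind": "ike",
        "icookie": ic.hex(), "rcookie": rc.hex(),
        "version": f"{major}.{minor}", "exchange": xchg, "flags": flags,
        "msgid": msgid, "length": length,
        # Sanity checks: IKEv1 is version 1.0 and IKEv2 is 2.0, the initiator
        # cookie is never all-zero, and the length field counts the whole
        # ISAKMP message, so it must match what is actually on the wire.
        "plausible": major in (1, 2) and minor == 0
                     and ic != bytes(8) and length == len(buf),
    }


def parse_esp_header(buf: bytes) -> dict:
    spi, seq = ESP_HDR.unpack_from(buf)
    # SPI 0 is reserved and never assigned to a real SA.
    return {"kind": "esp", "spi": spi, "seq": seq, "plausible": spi != 0}


def readings(payload: bytes) -> list:
    """Decode one UDP payload under every framing it could be carrying.

    Returns [(framing_name, parsed_header), ...]; each parsed header carries
    a 'plausible' flag so the caller can see which framing actually fits.
    """
    out = []
    # RFC 3948 framing (the one Wireshark applied in the capture in the post)
    if payload[:4] == bytes(4) and len(payload) >= 4 + ISAKMP_HDR.size:
        out.append(("rfc3948-marked-ike", parse_isakmp_header(payload[4:])))
    elif len(payload) >= ESP_HDR.size:
        out.append(("rfc3948-esp", parse_esp_header(payload)))
    # Plain IKE, which is all that UDP/500 is supposed to carry under RFC 3948
    if len(payload) >= ISAKMP_HDR.size:
        out.append(("plain-ike", parse_isakmp_header(payload)))
    # Early-draft ESP-in-UDP on port 500 behind an 8-byte Non-IKE marker
    if payload[:8] == bytes(8) and len(payload) >= 8 + ESP_HDR.size:
        out.append(("draft-esp-on-500", parse_esp_header(payload[8:])))
    return out


def plausible_framings(payload: bytes) -> list:
    """Names of the framings under which the payload decodes sanely."""
    return [name for name, hdr in readings(payload) if hdr["plausible"]]


# Constructed sample: the first 32 bytes are the field values Wireshark printed
# in the post, read back as raw bytes; the 108 bytes of filler stand in for the
# ciphertext (a UDP length of 148 leaves 140 bytes of payload).
SAMPLE = bytes.fromhex(
    "00000000"           # read by Wireshark as the Non-ESP marker
    "000000000316dc43"   # "Initiator cookie"
    "000000145bb1114d"   # "Responder cookie"
    "02"                 # "Next payload" 2
    "87"                 # "Version" 8.7
    "f6"                 # "Exchange type" 246
    "33"                 # "Flags" 0x33
    "c4dbd891"           # "Message ID"
    "5c605907"           # "Length" 1549818119
) + b"\xaa" * 108        # constructed filler, not the real ciphertext


if __name__ == "__main__":
    for name, hdr in readings(SAMPLE):
        print(name, hdr)
    print("plausible:", plausible_framings(SAMPLE))
```

If the early-draft reading is the right one, the thing to compare is the NAT-T draft each side advertises in its Phase 1 vendor ID payloads: both ends have to agree on the same encapsulation, and a peer that sends ESP on UDP/500 with the 8-byte marker to a peer listening for RFC 3948 traffic on UDP/4500 will have its packets dropped exactly as described in the post.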