Remote Access VPN through 464XLAT JOOL #330

Open
aleitonq opened this issue Jun 25, 2020 · 5 comments
Labels
Discussion Not a bug (for now) Status: Stuck Development paused due to unavailable external input

Comments

@aleitonq

Hello,

I have a full 464XLAT deployment using Jool (CLAT and PLAT). Everything is working so far, but I realized that remote access VPN has issues: phase 1 is not established. OpenVPN and SSL VPNs are working properly, but IPsec does not.

I am using a Cisco ASA 5505 and VPN Access Manager software as the client; both have NAT-T enabled.

Has anyone ever established a remote access VPN in this scenario?

@aleitonq aleitonq changed the title from "Remote Access VPN thought 464XLAT JOOL" to "Remote Access VPN throught 464XLAT JOOL" on Jun 25, 2020
@ydahhrk
Member

ydahhrk commented Jun 25, 2020

(Don't believe anything I say because my understanding of IPsec is very shallow.)

When you say "464XLAT" you mean your PLAT is a Stateful NAT64?

IPsec cannot be translated by a NAT64 for (likely) several reasons. One of them is that it encrypts the TCP/UDP headers the NAT64 needs to compute the state information. (It might work through dual SIITs as opposed to SIIT-NAT64, but don't quote me on it.)

That's the textbook answer. Check this out. It was written by someone much more knowledgeable than me.

@aleitonq
Author

Hello, thanks for your reply. Exactly: I am using a stateless CLAT and a stateful PLAT (NAT64).

I have: LAN (DUAL STACK) -- WAN (DUAL STACK IPv6 / Private IPv4) ---- Jool CLAT (Private IPv4 Gateway ) --- Jool PLAT --- ASA 5505 (VPN PEER).

Communication between the end device and the VPN peer is working properly, but VPN IPsec Phase 1 (ISAKMP) is not completed at all.

I am looking for some restriction between IPsec and NAT64. I found the following in the RFC:

> Different IPsec modes for VPN services have been tested, including
> IPsec Authentication Header (AH) and IPsec Encapsulating Security
> Payload (ESP). It has been shown that IPsec AH fails because the
> destination host detects the IP header changes and invalidates the
> packets. IPsec ESP failed in our testing because the NAT64 does not
> translate IPsec ESP (i.e., protocol 50) packets. It has been
> suggested that IPsec ESP would succeed if the IPsec client supports
> NAT traversal in the Internet Key Exchange Protocol (IKE) [RFC3947]
> and uses IPsec ESP over UDP [RFC3948].

I enabled NAT traversal on both ends, but it is still not working.
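Both ydahhrk's explanation and the RFC passage quoted above come down to one question: what can a stateful NAT64 key its session state on? The Python below is an added illustration, not part of this thread and not Jool's code. It models a PLAT's decision per transport protocol: IKE on UDP/500, and IKE or ESP-in-UDP on UDP/4500 (told apart by the RFC 3948 Non-ESP Marker), get a BIB entry keyed on (IPv6 source, source port) and are translated, while raw ESP (protocol 50) and AH (protocol 51) are dropped for the reasons the thread gives. All addresses, ports and packet bytes are constructed for the example, and the use of the 64:ff9b::/96 well-known prefix as the PLAT's pool6 is an assumption.

```python
"""Toy model of a stateful NAT64 (the PLAT in 464XLAT) deciding what it can
translate.  Added illustration only, not Jool's code.  Every packet, address
and port below is constructed for the example."""
import ipaddress
import struct

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51
IKE_PORT, NAT_T_PORT = 500, 4500
# Assumption: the PLAT's pool6 is the RFC 6052 well-known prefix.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_v4(v4):
    """RFC 6052 address: the IPv4 address placed in the low 32 bits of pool6."""
    prefix = NAT64_PREFIX.network_address.packed[:12]
    return str(ipaddress.IPv6Address(prefix + ipaddress.IPv4Address(v4).packed))


def ipv6_packet(src, dst, next_header, payload):
    """Minimal IPv6 header (RFC 8200, no extension headers) plus payload."""
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def udp_segment(sport, dport, data):
    """UDP header; checksum left zero (a real translator recomputes it)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


class ToyNat64:
    """Keeps state the way RFC 6146 keys UDP: one BIB entry per (IPv6 src, src port)."""

    def __init__(self, pool_v4="203.0.113.10", first_port=40000):
        self.pool_v4 = pool_v4          # constructed IPv4 pool address
        self.next_port = first_port
        self.bib = {}                   # (src6, sport) -> mapped IPv4 port

    def translate_v6_to_v4(self, pkt):
        _, plen, nh, _, src6, dst6 = struct.unpack("!IHBB16s16s", pkt[:40])
        src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
        payload = pkt[40:40 + plen]
        if dst6 not in NAT64_PREFIX:
            return {"action": "drop", "reason": "destination not in pool6"}
        dst4 = str(ipaddress.IPv4Address(dst6.packed[-4:]))

        if nh == IPPROTO_ESP:
            spi = struct.unpack("!I", payload[:4])[0]
            return {"action": "drop", "reason": "ESP carries no ports and its SPI "
                    "(%#x) is chosen per direction, so no BIB entry can be keyed" % spi}
        if nh == IPPROTO_AH:
            return {"action": "drop", "reason": "AH's ICV covers the IP header, so "
                    "a rewritten address fails verification at the peer"}
        if nh != IPPROTO_UDP:
            return {"action": "drop", "reason": "next header %d not handled" % nh}

        sport, dport, ulen, _ = struct.unpack("!HHHH", payload[:8])
        data = payload[8:ulen]
        key = (src6, sport)
        if key not in self.bib:
            self.bib[key] = self.next_port
            self.next_port += 1
        kind = "udp"
        if dport == NAT_T_PORT:
            # RFC 3948 Non-ESP Marker: four zero bytes mean IKE; anything else is
            # an ESP packet (its SPI, which is never zero) riding inside UDP.
            kind = "ike-nat-t" if data[:4] == b"\0\0\0\0" else "esp-in-udp"
        elif dport == IKE_PORT:
            kind = "ike"
        return {"action": "translate", "kind": kind, "src4": self.pool_v4,
                "sport": self.bib[key], "dst4": dst4, "dport": dport}


def demo():
    """Run the packet types discussed in the thread through the toy PLAT."""
    nat = ToyNat64()
    client = "2001:db8:1::10"                # CLAT-side address, constructed
    peer = embed_v4("192.0.2.1")             # the IPv4 VPN peer, constructed
    ike_body = b"\x11" * 28                  # ISAKMP-header-sized filler
    esp_body = struct.pack("!II", 0x1A2B3C4D, 1) + b"\xaa" * 32   # SPI, seq, ciphertext
    ah_body = struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0x5E5E5E5E, 1) + b"\xbb" * 12
    packets = {
        "ike": ipv6_packet(client, peer, IPPROTO_UDP,
                           udp_segment(IKE_PORT, IKE_PORT, ike_body)),
        "ike-nat-t": ipv6_packet(client, peer, IPPROTO_UDP,
                                 udp_segment(NAT_T_PORT, NAT_T_PORT, b"\0\0\0\0" + ike_body)),
        "esp-in-udp": ipv6_packet(client, peer, IPPROTO_UDP,
                                  udp_segment(NAT_T_PORT, NAT_T_PORT, esp_body)),
        "esp": ipv6_packet(client, peer, IPPROTO_ESP, esp_body),
        "ah": ipv6_packet(client, peer, IPPROTO_AH, ah_body),
    }
    return {name: nat.translate_v6_to_v4(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {result}")
```

The practical reading: with NAT-T negotiated, everything after IKE's NAT detection travels on UDP/4500, which a stateful NAT64 can translate like any other UDP flow, so the protocol-50 problem in the RFC quote should no longer apply. If a capture on the PLAT's IPv4 side shows UDP/500 and UDP/4500 leaving towards the peer and phase 1 still fails, the drop is happening somewhere other than the ESP/AH translation limit this model shows.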

@ydahhrk
Member

ydahhrk commented Jul 24, 2020

Hey. Do you still have this problem?

> But VPN IPsec Phase 1 (ISAKMP) is not completed at all.

What's the symptom? Is it a packet drop? Or are the endpoints finding something fishy and canceling the transaction?

And if it's a packet drop, is it Jool doing it?

Jool 4.1.2 is now available in the GitHub mirror. It contains a debug feature that will tell you why Jool is dropping the packet, if that's what's happening.

To provide more assistance, I think I will need packet captures and/or debug output.

@aleitonq
Author

> Hey. Do you still have this problem?
>
> > But VPN IPsec Phase 1 (ISAKMP) is not completed at all.
>
> What's the symptom? Is it a packet drop? Or are the endpoints finding something fishy and canceling the transaction?
>
> And if it's a packet drop, is it Jool doing it?
>
> Jool 4.1.2 is now available in the GitHub mirror. It contains a debug feature that will tell you why Jool is dropping the packet, if that's what's happening.
>
> To provide more assistance, I think I will need packet captures and/or debug output.

Hello, yes, I still have the problem.

@ydahhrk
Member

ydahhrk commented Jul 24, 2020

> Hello, yes, I still have the problem.

Uhhh, OK but... was this just a status update? Are you planning to answer the other questions?

> I think I will need packet captures and/or debug output.

Please don't forget this one.

@ydahhrk ydahhrk added Discussion Not a bug (for now) Status: Stuck Development paused due to unavailable external input labels Sep 24, 2020