My modem (actiontec gt701-wg) claims to do "pass-through for IPSec"[1].
I'm not sure what to make of that claim. I've seen tidbits on google groups that NAT-T and these modem "pass-through" schemes don't mix, but there doesn't seem to be any way to turn off the passthrough on this modem. I've tried racoon with nat traversal turned on, and off, and always I get the same results.

```
2004-05-23 16:28:51: INFO: 172.17.0.3[500] used as isakmp port (fd=6)
2004-05-23 16:28:51: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
2004-05-23 16:28:52: INFO: IPsec-SA request for 12.30.196.35 queued due to no phase1 found.
2004-05-23 16:28:52: INFO: initiate new phase 1 negotiation: 172.17.0.3[500]<=>12.30.196.35[500]
2004-05-23 16:28:52: INFO: begin Aggressive mode.
2004-05-23 16:28:52: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
2004-05-23 16:28:52: INFO: ISAKMP-SA established 172.17.0.3[500]-12.30.196.35[500] spi:757b6e3418050890:b6f3686b34b200f8
2004-05-23 16:28:53: INFO: initiate new phase 2 negotiation: 172.17.0.3[0]<=>12.30.196.35[0]
2004-05-23 16:29:23: INFO: IPsec-SA expired: ESP/Tunnel 12.30.196.35->172.17.0.3 spi=210277140(0xc889314)
2004-05-23 16:29:23: WARNING: the expire message is received but the handler has not been established.
2004-05-23 16:29:23: ERROR: 12.30.196.35 give up to get IPsec-SA due to time up to wait.
```

tcpdump output:

```
16:28:52.113679 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 1 I agg: [|sa] (DF)
16:28:52.217726 attinet.wencor.com.isakmp > 172.17.0.3.isakmp: isakmp: phase 1 R agg: [|sa]
16:28:52.228355 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 1 I agg: (hash: len=20) (DF)
16:28:52.228535 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 2/others I inf[E]: [encrypted hash] (DF)
16:28:53.232673 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
16:29:03.230254 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
16:29:13.228432 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
```

The remote device is a netscreen ns25 device; I've tried it with nat-t enabled and disabled, as well as udp checksums enabled and disabled with nat-t. If passthru is really messing with nat-t and I can't turn it off, then how does one go about setting things up to work with this supposed pass-through?

Here are the interesting parts of the config files.

```
remote anonymous {
    exchange_mode aggressive;
    my_identifier user_fqdn "(E-Mail Removed)";
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group modp1024;
    }
    generate_policy off;
    nat_traversal off; # have tried on as well
}

sainfo anonymous {
    pfs_group modp768;
    encryption_algorithm 3des;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate;
}
```

/etc/ipsec.conf

```
....
spdadd 0.0.0.0/0 172.16.0.0/16 any -P out ipsec esp/tunnel/172.17.0.3-12.30.196.35/require;
spdadd 172.16.0.0/16 0.0.0.0/0 any -P in ipsec esp/tunnel/12.30.196.35-172.17.0.3/require;
```

1. http://www.qwest.com/internet/dslhelp/faqs.html

Hans Fugal
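As an added example (not part of the original post), a small Python script that parses the tcpdump lines quoted above and reports which ISAKMP phase stopped receiving replies. The sample input is the post's own capture; the only assumption is the tcpdump isakmp summary format shown there.

```python
import re
from collections import Counter

# Constructed sample: the tcpdump lines quoted in the post above.
TCPDUMP = """\
16:28:52.113679 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 1 I agg: [|sa] (DF)
16:28:52.217726 attinet.wencor.com.isakmp > 172.17.0.3.isakmp: isakmp: phase 1 R agg: [|sa]
16:28:52.228355 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 1 I agg: (hash: len=20) (DF)
16:28:52.228535 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 2/others I inf[E]: [encrypted hash] (DF)
16:28:53.232673 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
16:29:03.230254 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
16:29:13.228432 172.17.0.3.isakmp > attinet.wencor.com.isakmp: isakmp: phase 2/others I oakley-quick[E]: [encrypted hash] (DF)
"""

# Assumed format: "<time> <src>.isakmp > <dst>.isakmp: isakmp: phase <1|2/others> <I|R> <exchange>..."
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d+:\d+\.\d+) (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: "
    r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>[\w-]+)"
)

def parse_isakmp(text):
    """Return one (time, phase, role, exchange) tuple per parsable tcpdump line."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pkts.append((m["ts"], m["phase"], m["role"], m["exch"]))
    return pkts

def diagnose(pkts):
    """Count initiator (I) and responder (R) packets per phase and name the first
    phase in which the initiator kept sending but nothing came back."""
    counts = Counter((phase, role) for _, phase, role, _ in pkts)
    report = {
        "phase1_sent": counts[("1", "I")],
        "phase1_replies": counts[("1", "R")],
        "quick_mode_sent": sum(1 for _, p, r, e in pkts
                               if p == "2/others" and r == "I" and e == "oakley-quick"),
        "quick_mode_replies": counts[("2/others", "R")],
    }
    if report["phase1_replies"] == 0:
        report["stalled_at"] = "phase 1 (no ISAKMP reply on UDP/500 at all)"
    elif report["quick_mode_replies"] == 0:
        report["stalled_at"] = "phase 2 (quick mode retransmitted, never answered)"
    else:
        report["stalled_at"] = "none (both phases saw replies)"
    return report

if __name__ == "__main__":
    for key, value in diagnose(parse_isakmp(TCPDUMP)).items():
        print(f"{key}: {value}")
```

On this capture it reports one aggressive-mode reply and three unanswered quick-mode packets sent ten seconds apart, which matches racoon's "ISAKMP-SA established" followed by the phase 2 timeout: the peer is reachable on UDP/500, so the place to look is the phase 2 exchange rather than phase 1.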
Tags: dsl, ipsec, modem