[Openswan dev] NAT-T problem with openswan
William Barsse
wbarsse at pfn.com
Tue Apr 6 17:30:58 CEST 2004
Hi all,
I ran into an issue that I haven't seen mentioned on the list when
using NATT. This was using an old version of super-freeswan but after
looking at the code in openswan it seems like it may have the same
problem.
Setup:
1 gateway behind a NAT device with at least 2 connections defined to
another.
Symptoms:
Only one of the two defined connections comes up, the other remains
uninitiated, however using "ipsec whack --initiate ..." brings it up
just fine.
Timeline:
1 - The first connection (A) is initiated
2 - A reaches MAIN_I3 and update_pending (connections.c) is called to
update the host_ports in A
3 - The second connection (B) is initiated and added to the pending
list for the host_pair it has in common with A (add_pending in
connections.c)
4 - A's MAIN_R3 is received and triggers a call to
ISAKMP_SA_established (connections.c), which detects that B's
that.host_port doesn't match A's (which was updated in 2); this
triggers a call to release_connection for B.
5 - A goes up, B is in limbo.
Potential fix:
In add_pending the following snippet of code should fix the behavior;
the idea is to copy the ports from another correctly resolved
connection in the same pending state:
    /* after p->next = c->host_pair->pending */
    if (p->next) {
        /* inherit the (possibly NAT-T updated) ports from the connection
         * already queued on this host_pair */
        c->this.host_port = p->next->connection->this.host_port;
        c->that.host_port = p->next->connection->that.host_port;
    }
Thoughts, comments, jeers?
Cheers,
William
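The following is an added, self-contained model of the timeline in the post; it is not openswan or pluto code. The names (host_pair, pending list, this/that.host_port, update_pending, add_pending, ISAKMP_SA_established) mirror the post's description, but the structures, the port values 500 and 4500, and the exact release rule are assumptions made for illustration. Running it shows that the second queued connection is released when its that.host_port is stale, and survives once the proposed add_pending snippet copies the ports from the connection queued ahead of it.

```c
/* Constructed model of the pending-connection problem described in the post.
 * NOT openswan/pluto code: names mirror the post, structures and port values
 * are simplified assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>

#define IKE_PORT  500   /* port both ends start on (assumed) */
#define NATT_PORT 4500  /* port after the NAT-T float (assumed) */

struct end { int host_port; };

struct connection {
    const char *name;
    struct end this, that;
    int released;          /* set when the SA check drops the connection */
};

struct pending {
    struct connection *connection;
    struct pending *next;
};

struct host_pair {
    struct pending *pending;   /* connections waiting for the ISAKMP SA */
};

/* Step 2 of the timeline: the ports learned during Main Mode are pushed
 * into every connection already queued for this host pair. */
static void update_pending(struct host_pair *hp, int port)
{
    for (struct pending *p = hp->pending; p != NULL; p = p->next) {
        p->connection->this.host_port = port;
        p->connection->that.host_port = port;
    }
}

/* Queue c on the host pair. With apply_fix set, the snippet proposed in the
 * post runs: inherit the ports of the connection already ahead in the list. */
static void add_pending(struct host_pair *hp, struct connection *c, int apply_fix)
{
    struct pending *p = calloc(1, sizeof *p);
    if (p == NULL) { perror("calloc"); exit(1); }
    p->connection = c;
    p->next = hp->pending;
    hp->pending = p;

    if (apply_fix && p->next != NULL) {
        c->this.host_port = p->next->connection->this.host_port;
        c->that.host_port = p->next->connection->that.host_port;
    }
}

/* Step 4: once A's ISAKMP SA is up, any queued connection whose that.host_port
 * no longer matches A's is released. Returns the number released. */
static int isakmp_sa_established(struct host_pair *hp, const struct connection *a)
{
    int released = 0;
    for (struct pending *p = hp->pending; p != NULL; p = p->next) {
        struct connection *c = p->connection;
        if (c != a && c->that.host_port != a->that.host_port) {
            c->released = 1;
            released++;
        }
    }
    return released;
}

static void free_pending(struct host_pair *hp)
{
    while (hp->pending != NULL) {
        struct pending *p = hp->pending;
        hp->pending = p->next;
        free(p);
    }
}

/* Replay the post's timeline; returns 1 if connection B survives step 4. */
int b_survives(int apply_fix)
{
    struct connection a = { "A", { IKE_PORT }, { IKE_PORT }, 0 };
    struct connection b = { "B", { IKE_PORT }, { IKE_PORT }, 0 };
    struct host_pair hp = { NULL };

    add_pending(&hp, &a, apply_fix);     /* 1: A initiated and queued */
    update_pending(&hp, NATT_PORT);      /* 2: A reaches MAIN_I3, ports float */
    add_pending(&hp, &b, apply_fix);     /* 3: B initiated, queued behind A */
    isakmp_sa_established(&hp, &a);      /* 4: mismatch check on A's MAIN_R3 */
    free_pending(&hp);
    return !b.released;                  /* 5: does B come up or stay in limbo? */
}

int main(void)
{
    printf("without fix: B %s\n", b_survives(0) ? "survives" : "is released");
    printf("with fix:    B %s\n", b_survives(1) ? "survives" : "is released");
    return 0;
}
```

The model deliberately keeps the release rule to the single condition the post names (a that.host_port mismatch against the established connection); the real ISAKMP_SA_established in connections.c has further checks that are not represented here.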