[Openswan dev] Re: Openswan NAT-T broken on 2.6.8-rc1 and later (by udp.c changes perhaps)

Herbert Xu herbert at gondor.apana.org.au
Fri Aug 6 22:22:00 CEST 2004

On Fri, Aug 06, 2004 at 04:00:54PM +1000, herbert wrote:
> Then it tries to enable it with IPv6.  There is absolutely no support
> for ESPINUDP over IPv6 in Linux so it fails.
> Previous versions of Linux incorrectly reported success in this case.
> In fact, they reported success regardless of the value you pass to it.
> This was fixed recently.
> So openswan should be fixed to handle failure in the IPv6 case.  I'll
> see if I can whip a patch.

Here is a quick-and-dirty patch.  It puts us back in the situation
as when the kernel did not bother to check whether IPv6 NAT-T works.
Actually it's slightly different in that it doesn't create port 4500
for IPv6.

I'm working on a proper fix with per-interface flags on NAT-T support.
But that'll take longer so please apply this patch in the meantime in
order to restore NAT-T support under 26sec when IPv6 is enabled.

Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
-------------- next part --------------
Index: programs/pluto/server.c
RCS file: /public/cvs/openswan-2/programs/pluto/server.c,v
retrieving revision 1.98
diff -u -r1.98 server.c
--- programs/pluto/server.c	22 Jul 2004 14:14:59 -0000	1.98
+++ programs/pluto/server.c	6 Aug 2004 11:21:16 -0000
@@ -710,7 +710,8 @@
-		    if (nat_traversal_support_non_ike)
+		    if (nat_traversal_support_non_ike
+		    && addrtypeof(&ifp->addr) == AF_INET)
 			nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
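Review bot: the added `&& addrtypeof(&ifp->addr) == AF_INET` test silently skips `nat_traversal_espinudp_socket()` for every non-IPv4 interface, and nothing in the hunk records why. Please add a short comment above the `if` saying that the family check exists because the kernel has no ESPINUDP support over IPv6, so it is clear when the check can be removed. A debug-level log line on the skipped branch would also help someone diagnosing why NAT-T is not active on an IPv6 interface. Style: the continuation line starting with `&&` sits at the same indentation as the `if`, which makes it easy to misread as a separate statement; indent it further.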
@@ -727,7 +728,9 @@
 		    openswan_log("adding interface %s/%s %s"
 			, q->vname, q->rname, ip_str(&q->addr));
-		    if (nat_traversal_support_port_floating) {
+		    if (nat_traversal_support_port_floating
+		    && addrtypeof(&ifp->addr) == AF_INET)
+		    {
 			fd = create_socket(ifp, v->name, NAT_T_IKE_FLOAT_PORT);
 			if (fd < 0)
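Review bot: the condition `addrtypeof(&ifp->addr) == AF_INET` is now written out a second time here, identical to the one added in the previous hunk. Put it behind one small helper or macro so the two sites cannot drift apart when the per-interface NAT-T flags arrive. Note also that the "adding interface" log just above prints `q->addr` while the new test reads `ifp->addr`; if these can ever refer to different interfaces, test the one passed to `create_socket()` and say so in a comment. Style: the opening brace moved from `) {` on the `if` line to a line of its own, which departs from the form the removed line used.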
