[Openswan dev] Openswan NAT-T broken on 2.6.8-rc1 and later (by udp.c changes perhaps)

Robert Hardy rhardy at webcon.ca
Fri Aug 6 02:07:27 CEST 2004


NAT traversal seems to have been broken by changes to UDP encapsulation
somewhere in the range of 2.6.8-rc1 to rc3. My guess is 2.6.8-rc1,
as Fedora kernels are affected and their patches stopped around 2.6.8-rc1-bk
something. 2.6.7 still works properly.

If anyone could tell me what is causing this (or even how to fix it) it
would be very much appreciated.

I'm working with Openswan-2.2.0dr3 and Linux 2.6.8-rc3 btw.

The problem seems to be in this function from nat_traversal.c:

int nat_traversal_espinudp_socket (int sk, u_int32_t type)
{
         int r;
         r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
         if ((r<0) && (errno == ENOPROTOOPT)) {
                 loglog(RC_LOG_SERIOUS,
                         "NAT-Traversal: ESPINUDP(%d) not supported by kernel -- "
                         "NAT-T disabled (r=%d)", type, r);
                 disable_nat_traversal(type);
[...]

The setsockopt line seems to have been given valid arguments, but the 2nd time
it is called on localhost (in kernels 2.6.8-rc1-x and later only) setsockopt
decides to return -1 and (errno == ENOPROTOOPT), which triggers the code to
call disable_nat_traversal.

I've been trying to debug this with kenb's help from #openswan on freenode,
but I've met with limited success, so I'm hoping you will have some idea what
is broken.

I've checked the various constants such as UDP_ENCAP and they still seem
correct. I've added printk calls into the kernel's udp_setsockopt and
udp_getsockopt to see what is happening.

I've checked udp.h; it didn't change in that kernel range. For reference's
sake I've also attached the bzip2ed results of this command:
diff -urN linux-2.6.6/net/ipv4/udp.c linux-2.6.8-rc3/net/ipv4/udp.c

Oddly enough the code seems to fail when dealing with interface lo/lo ::1.

Please find at the end of this message a censored log showing the problem.

Please use this legend when reading my RHDEBUG lines below:
  optname=100=UDP_ENCAP, val=1=UDP_ENCAP_ESPINUDP_NON_IKE,
  val=2=UDP_ENCAP_ESPINUDP

Aug  5 23:46:00 hosta ipsec__plutorun: Starting Pluto subsystem...
Aug  5 23:46:00 hosta pluto[5989]: Starting Pluto (Openswan Version 2.2.0dr3 X.509-1.5.4 PLUTO_USES_KEYRR)
Aug  5 23:46:00 hosta pluto[5989]:   including NAT-Traversal patch (Version 0.6c)
Aug  5 23:46:00 hosta pluto[5989]: | inserting event EVENT_REINIT_SECRET, timeout in 3600 seconds
Aug  5 23:46:00 hosta pluto[5989]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Aug  5 23:46:00 hosta pluto[5989]: Using Linux 2.6 IPsec interface code
Aug  5 23:46:00 hosta ipsec_setup: ...Openswan IPsec started
Aug  5 23:46:00 hosta ipsec_setup: Starting Openswan IPsec U2.2.0dr3/K2.6.8-rc3...
[ ...... ]
Aug  5 23:46:00 hosta pluto[5989]: | alg_info_addref() alg_info->ref_cnt=2
Aug  5 23:46:00 hosta pluto[5989]: | *received whack message
Aug  5 23:46:00 hosta pluto[5989]: listening for IKE messages
Aug  5 23:46:00 hosta pluto[5989]: | found lo with address 127.0.0.1
Aug  5 23:46:00 hosta pluto[5989]: | found lo with address 10.0.0.1
Aug  5 23:46:00 hosta pluto[5989]: | found eth0 with address 172.16.0.4
Aug  5 23:46:00 hosta pluto[5989]: adding interface eth0/eth0 172.16.0.4
Aug  5 23:46:00 hosta pluto[5989]: calling nat_traversal_espinudp_socket ESPINUDP_WITH_NON_ESP=2
Aug  5 23:46:00 hosta pluto[5989]: adding interface eth0/eth0 172.16.0.4:4500
Aug  5 23:46:00 hosta pluto[5989]: adding interface lo/lo 10.0.0.1
Aug  5 23:46:00 hosta pluto[5989]: calling nat_traversal_espinudp_socket ESPINUDP_WITH_NON_ESP=2
Aug  5 23:46:00 hosta pluto[5989]: adding interface lo/lo 10.0.0.1:4500
Aug  5 23:46:00 hosta pluto[5989]: adding interface lo/lo 127.0.0.1
Aug  5 23:46:00 hosta kernel: RHDEBUG: udp_setsockopt: val=1 optname=100
Aug  5 23:46:00 hosta pluto[5989]: calling nat_traversal_espinudp_socket ESPINUDP_WITH_NON_ESP=2
Aug  5 23:46:00 hosta kernel: RHDEBUG: udp_setsockopt: val=2 optname=100
Aug  5 23:46:00 hosta pluto[5989]: adding interface lo/lo 127.0.0.1:4500
Aug  5 23:46:00 hosta kernel: RHDEBUG: udp_setsockopt: val=1 optname=100
Aug  5 23:46:00 hosta pluto[5989]: | found lo with address 0000:0000:0000:0000:0000:0000:0000:0001
Aug  5 23:46:00 hosta kernel: RHDEBUG: udp_setsockopt: val=2 optname=100
Aug  5 23:46:00 hosta pluto[5989]: NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled (r=-1)
Aug  5 23:46:00 hosta kernel: RHDEBUG: udp_setsockopt: val=1 optname=100
Aug  5 23:46:00 hosta pluto[5989]: adding interface lo/lo ::1
Aug  5 23:46:00 hosta kernel: RHDEBUG: udp_setsockopt: val=2 optname=100
Aug  5 23:46:00 hosta pluto[5989]: calling nat_traversal_espinudp_socket ESPINUDP_WITH_NON_ESP=2
Aug  5 23:46:00 hosta pluto[5989]: NAT-Traversal: ESPINUDP(2) not supported by kernel -- NAT-T disabled (r=-1)
Aug  5 23:46:00 hosta pluto[5989]: adding interface lo/lo ::1:4500
Aug  5 23:46:00 hosta pluto[5989]: loading secrets from "/etc/ipsec.secrets"
Aug  5 23:46:00 hosta pluto[5989]: | loaded private key for keyid: [....]
Aug  5 23:46:00 hosta pluto[5989]:   loaded private key file '/etc/ipsec.d/private/hosta-key.pem' ([....] bytes)
Aug  5 23:46:00 hosta pluto[5989]: | loaded private key for keyid: [....]
Aug  5 23:46:00 hosta pluto[5989]: | next event 11?? in 840 seconds
Aug  5 23:46:00 hosta ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) not supported by kernel -- NAT-T disabled (r=-1)
Aug  5 23:46:00 hosta ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(2) not supported by kernel -- NAT-T disabled (r=-1)
Aug  5 23:46:00 hosta pluto[5989]: | 
Aug  5 23:46:00 hosta pluto[5989]: | *received whack message
Aug  5 23:46:00 hosta pluto[5989]: | route owner of "hosta" unrouted: NULL; eroute owner: NULL
Aug  5 23:46:00 hosta pluto[5989]: | could_route called for hosta (kind=CK_PERMANENT)
[ ...... ]

Regards,
Rob

-- 
---------------------"Happiness is understanding."----------------------
Robert Hardy, B.Eng Computer Systems                  C.E.O. Webcon Inc.
rhardy <at> webcon <dot> ca    GPG Key available          (613) 276-7327
-------------- next part --------------
A non-text attachment was scrubbed...
Name: udp_c.diff.bz2
Type: application/x-bzip2
Size: 2779 bytes
Desc: 
Url : http://lists.openswan.org/pipermail/dev/attachments/20040806/45f2a88a/udp_c.diff.bin
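As an added example that is not part of the original message or of Openswan, the stand-alone C program below repeats pluto's setsockopt(SOL_UDP, UDP_ENCAP, ...) on a UDP socket bound to 127.0.0.1 and then to ::1, so the result per address family can be compared with the log above without starting pluto. It assumes a Linux-style socket API with the constant values from the RHDEBUG legend (UDP_ENCAP = 100, types 1 and 2); the function and enum names are the example's own.

```c
/* Added example, not Openswan code: repeats the setsockopt() call made by
 * nat_traversal_espinudp_socket() on a UDP socket bound to a chosen address. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <netinet/udp.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef SOL_UDP
#define SOL_UDP 17
#endif
#ifndef UDP_ENCAP   /* values from the RHDEBUG legend above; same as <linux/udp.h> */
#define UDP_ENCAP 100
#define UDP_ENCAP_ESPINUDP_NON_IKE 1
#define UDP_ENCAP_ESPINUDP 2
#endif
enum encap_result { ENCAP_OK, ENCAP_UNSUPPORTED, ENCAP_OTHER_ERROR };
/* pluto's rule: only r<0 with errno ENOPROTOOPT counts as "kernel lacks ESPINUDP" */
enum encap_result classify_setsockopt(int r, int err)
{
    return r == 0 ? ENCAP_OK : err == ENOPROTOOPT ? ENCAP_UNSUPPORTED : ENCAP_OTHER_ERROR;
}
/* Bind a UDP socket to addr (family per getaddrinfo, port 0), then request ESP-in-UDP type */
enum encap_result probe_udp_encap(const char *addr, int type, int *err_out)
{
    struct addrinfo hints = { .ai_flags = AI_NUMERICHOST, .ai_socktype = SOCK_DGRAM }, *ai;
    int sk, r;
    if (getaddrinfo(addr, NULL, &hints, &ai) != 0) { *err_out = EINVAL; return ENCAP_OTHER_ERROR; }
    sk = socket(ai->ai_family, SOCK_DGRAM, 0);              /* family follows the address */
    r = sk < 0 ? -1 : bind(sk, ai->ai_addr, ai->ai_addrlen);
    *err_out = r < 0 ? errno : 0;
    freeaddrinfo(ai);
    if (r < 0) { if (sk >= 0) close(sk); return ENCAP_OTHER_ERROR; }
    r = setsockopt(sk, SOL_UDP, UDP_ENCAP, &type, sizeof type);   /* the call pluto makes */
    *err_out = r < 0 ? errno : 0;
    close(sk);
    return classify_setsockopt(r, *err_out);
}
int main(void)
{   /* probe both lo addresses from the log with both ESPINUDP types */
    const char *addrs[] = { "127.0.0.1", "::1" };
    for (int i = 0; i < 2; i++)
        for (int t = UDP_ENCAP_ESPINUDP_NON_IKE, err = 0, res = 0; t <= UDP_ENCAP_ESPINUDP; t++) {
            res = probe_udp_encap(addrs[i], t, &err);
            printf("%-9s ESPINUDP(%d): %s, errno=%d\n", addrs[i], t, res == ENCAP_OK ?
                   "supported" : res == ENCAP_UNSUPPORTED ? "ENOPROTOOPT" : "error", err);
        }
    return 0;
}
```

An ENOPROTOOPT line for ::1 but not for 127.0.0.1 reproduces the situation in the log above with the kernel alone.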

