[Openswan dev] Probable Broken NAT-T with latest FC2 kernel (2.6.7-1.494.2.2)
Herbert Xu
herbert at gondor.apana.org.au
Mon Aug 9 13:11:10 CEST 2004
Ken Bantoft <ken at xelerance.com> wrote:
>
> NAT-T also appears broken in latest Fedora Core 2 kernel:
>
> 2.6.7-1.494.2.2
>
> Aug 8 19:37:51 kbantoft pluto[3154]: "kb-to-bp-38" #3: sent QI2, IPsec SA established {ESP=>0x489df436 <0xb7093be3 NATOA=0.0.0.0}
> Aug 8 19:38:16 kbantoft pluto[3154]: packet from ##.##.109.70:4500: recvfrom ##.##.109.70:4500 has no Non-ESP marker
> Aug 8 19:39:01 kbantoft last message repeated 14 times
This is probably the bug fixed by Bert Hubert. Please try the following
patch which is in 2.6.8-rc3.
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
--- linux-2.6.8-rc2/net/ipv4/udp.c~orig 2004-07-31 15:04:56.000000000 +0200
+++ linux-2.6.8-rc2/net/ipv4/udp.c 2004-07-31 15:05:19.000000000 +0200
@@ -975,7 +975,7 @@
} else
/* Must be an IKE packet.. pass it through */
return 1;
-
+ break;
case UDP_ENCAP_ESPINUDP_NON_IKE:
/* Check if this is a keepalive packet. If so, eat it. */
if (len == 1 && udpdata[0] == 0xff) {
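Review bot: the new `break;` just above `case UDP_ENCAP_ESPINUDP_NON_IKE:` follows an unbraced `else` whose body (`return 1;`) is separated from it by a comment, so it is easy to misread the `break;` as belonging to the else arm rather than terminating the case for the arm that does not return. Bracing the arm, as in `} else { /* Must be an IKE packet.. pass it through */ return 1; }`, would make it obvious that the `break;` is what stops the non-returning path from falling into the NON_IKE keepalive check. The hunk also replaces the blank separator line with the `break;`, so the two cases now run together; keeping a blank line after the `break;` would preserve the visual boundary.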
@@ -988,6 +988,7 @@
} else
/* Must be an IKE packet.. pass it through */
return 1;
+ break;
}
/* At this point we are sure that this is an ESPinUDP packet,
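Review bot: the `break;` added after the second `return 1;` sits directly before the closing `}`, so if that brace ends the switch it changes no control flow, unlike the one in the first hunk. It is reasonable as defensive style against a case being appended later, but the changelog should say that only the first hunk fixes the fall-through, so nobody goes looking for a second behavioural bug here. The comment that follows ("At this point we are sure that this is an ESPinUDP packet") depends on every non-ESP path having already returned, which is worth stating next to the switch.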