[Openswan dev] Patch for NAT-T bug of WatchGuard's Firebox SOHO 6
Sergio de Souza Prallon
prallon at tmp.com.br
Sun Apr 24 23:08:38 CEST 2005
Hi,
This is a small interoperability patch for OpenSwan-1.0.9 to make it
accept connections from Fireboxes with broken firmware versions. The
problem shows up when the Firebox is behind a NAT device and tries to
connect to an OpenSwan server. At the ESP SA negotiation, it uses an
invalid code for the `Encapsulation Mode' Transform attribute making
OpenSwan refuse the connection. The code sent is `61433' decimal. I
believe it should be `61443' as it means `ESP over UDP encapsulation
as per IETF Draft', which makes sense at the above scenario.
The patch below makes Pluto accept the wrong code and treate it as if
it was the expected one. Using it, I was able to get the Firebox to
work in the previous situation. At least version 6.3.2 of the firmware
exhibits this behavior. The exact Firebox model name and number are
`Firebox SOHO 6tc' and `BF4S16E6'.
Hope this helps somebody else.
[]'s
--
Sergio de Souza Prallon
TMP Consultoria de Informatica S/C Ltda
-------------- next part --------------
diff -ur openswan-1.0.9/pluto/Makefile openswan-1.0.9-wg/pluto/Makefile
--- openswan-1.0.9/pluto/Makefile Wed Nov 24 11:43:25 2004
+++ openswan-1.0.9-wg/pluto/Makefile Thu Apr 21 15:35:46 2005
@@ -60,6 +60,13 @@
# us so that we can refine the threshold.
# -DAPPLY_CRISCO enabled DPD to work with broken cisco implementations
# instead of complain about the invalid icookie
+# -DWG_NAT_WORKAROUND makes Pluto accept the (otherwise invalid) value
+# of `61433' as if it was `61443' for the `Encapsulation Mode' of an
+# incoming `Transform Proposal'. Clearly a typo of the WatchGuard guys.
+# This patch enabled a SOHO6 Firebox to connect as a road-warrior to
+# an OpenSwan server while being NATed by the access provider. At
+# least version 6.3.2 of the firmware shows this bug.
+#
# The following are best left undefined -- each can be overridden at runtime
# if need be.
@@ -80,6 +87,7 @@
-DNAT_TRAVERSAL -DVIRTUAL_IP \
-DI_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT \
-DAPPLY_CRISCO \
+ -DWG_NAT_WORKAROUND \
-DDPD \
# -DMODECFG \
# -DLEAK_DETECTIVE
diff -ur openswan-1.0.9/pluto/constants.c openswan-1.0.9-wg/pluto/constants.c
--- openswan-1.0.9/pluto/constants.c Thu Jan 6 12:21:18 2005
+++ openswan-1.0.9-wg/pluto/constants.c Thu Apr 21 15:44:16 2005
@@ -567,6 +567,11 @@
};
#ifdef NAT_TRAVERSAL
+#ifdef WG_NAT_WORKAROUND
+static const char *const enc_wg_mode_name[] = {
+ "ENCAPSULATION_MODE_UDP_TUNNEL_WG_TYPO",
+ };
+#endif
static const char *const enc_udp_mode_name[] = {
"ENCAPSULATION_MODE_UDP_TUNNEL",
"ENCAPSULATION_MODE_UDP_TRANSPORT",
@@ -574,8 +579,15 @@
#endif
#ifdef NAT_TRAVERSAL
+#ifdef WG_NAT_WORKAROUND
+static enum_names enc_wg_mode_names =
+ { ENCAPSULATION_MODE_UDP_TUNNEL_WG_TYPO, ENCAPSULATION_MODE_UDP_TUNNEL_WG_TYPO, enc_wg_mode_name, NULL };
+static enum_names enc_udp_mode_names =
+ { ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS, ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS, enc_udp_mode_name, &enc_wg_mode_names };
+#else
static enum_names enc_udp_mode_names =
{ ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS, ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS, enc_udp_mode_name, NULL };
+#endif
enum_names enc_mode_names =
{ ENCAPSULATION_MODE_TUNNEL, ENCAPSULATION_MODE_UDP_TRANSPORT_RFC, enc_mode_name, &enc_udp_mode_names };
#else
diff -ur openswan-1.0.9/pluto/constants.h openswan-1.0.9-wg/pluto/constants.h
--- openswan-1.0.9/pluto/constants.h Thu Jan 6 12:21:18 2005
+++ openswan-1.0.9-wg/pluto/constants.h Thu Apr 21 15:37:52 2005
@@ -884,6 +884,9 @@
#define ENCAPSULATION_MODE_TRANSPORT 2
#ifdef NAT_TRAVERSAL
+#ifdef WG_NAT_WORKAROUND
+#define ENCAPSULATION_MODE_UDP_TUNNEL_WG_TYPO 61433
+#endif
#define ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS 61443
#define ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS 61444
#define ENCAPSULATION_MODE_UDP_TUNNEL_RFC 3
diff -ur openswan-1.0.9/pluto/spdb.c openswan-1.0.9-wg/pluto/spdb.c
--- openswan-1.0.9/pluto/spdb.c Wed Mar 17 14:21:34 2004
+++ openswan-1.0.9-wg/pluto/spdb.c Thu Apr 21 15:44:32 2005
@@ -1712,6 +1712,14 @@
return FALSE;
break;
#endif
+#ifdef WG_NAT_WORKAROUND
+ case ENCAPSULATION_MODE_UDP_TUNNEL_WG_TYPO:
+ loglog(RC_COMMENT,
+ "WatchGuard encap bug detected."
+ " Working around it.");
+ val = ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS;
+ /*FALLTHRU*/
+#endif
case ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS:
if (st->nat_traversal & NAT_T_WITH_RFC_VALUES) {
loglog(RC_LOG_SERIOUS,
More information about the Dev
mailing list