[Openswan dev] Re: [PATCH] Openswan and OS X with NAT-T

Peter Van der Beken peterv at propagandism.org
Thu Feb 16 00:08:24 CET 2006


There's some news on the OS X front: 10.4.5 now supports RFC 3947 NAT 
traversal out of the box. 10.4.4 claimed to support it, but it still 
inverted the hashes for local side and remote side.

I'm using the attached patch with Openswan 2.4.4 and have been 
successfully connecting to it, with certificates, from two OS X 10.4.5 
boxes, one behind a NAT and one directly connected. I don't have older 
versions of OS X anymore so can't test with those.

The first chunk is needed because nat_traversal_show_result contains 
this code:

	case LELEM(NAT_TRAVERSAL_OSX):
	    mth = natt_type_bitnames[2];
	    break;
	case LELEM(NAT_TRAVERSAL_RFC):
	    mth = natt_type_bitnames[3];
	    break;

The second chunk is already in 2.4.5 I think.

The third chunk makes Openswan prefer the RFC method on 10.4.4 (because 
after patching VID_NATT_RFC > VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE).

Hope that helps,

Peter
-------------- next part --------------
diff -ru openswan-2.4.4.orig/lib/libopenswan/constants.c openswan-2.4.4/lib/libopenswan/constants.c
--- openswan-2.4.4.orig/lib/libopenswan/constants.c	2005-06-23 03:45:55.000000000 +0200
+++ openswan-2.4.4/lib/libopenswan/constants.c	2006-02-15 23:20:50.000000000 +0100
@@ -916,9 +916,9 @@
 const char *const natt_type_bitnames[] = {
   "draft-ietf-ipsec-nat-t-ike-00/01",    /* 0 */
   "draft-ietf-ipsec-nat-t-ike-02/03",
+  "draft-ietf-ipsec-nat-t-ike (OS X)",
   "RFC 3947 (NAT-Traversal)",
-  "3",                                   /* 3 */
-  "4",   "5",   "6",   "7", 
+  "4",   "5",   "6",   "7",              /* 4 */
   "8",   "9",   "10",  "11",
   "12",  "13",  "14",  "15",
   "16",  "17",  "18",  "19", 
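Review bot: this table is looked up by NAT_TRAVERSAL_* bit position, so inserting "draft-ietf-ipsec-nat-t-ike (OS X)" at index 2 and moving "RFC 3947 (NAT-Traversal)" to index 3 is only right if NAT_TRAVERSAL_OSX and NAT_TRAVERSAL_RFC are bits 2 and 3, which the natt_type_bitnames[2] / natt_type_bitnames[3] lookups quoted from nat_traversal_show_result imply; please confirm those enum values and add an index comment on the moved RFC line (as `/* 0 */` and `/* 4 */` already do) so the next edit does not silently shift the names again. Dropping the "3" placeholder keeps the array length unchanged, which matters if anything checks the element count against the bit width.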
diff -ru openswan-2.4.4.orig/programs/pluto/nat_traversal.c openswan-2.4.4/programs/pluto/nat_traversal.c
--- openswan-2.4.4.orig/programs/pluto/nat_traversal.c	2005-09-27 06:30:20.000000000 +0200
+++ openswan-2.4.4/programs/pluto/nat_traversal.c	2006-02-15 23:17:04.000000000 +0100
@@ -378,7 +378,7 @@
 		       , st->st_icookie
 		       , is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie
 		       , &(md->iface->ip_addr)
-		       , ntohs(st->st_remoteport));
+		       , ntohs(md->iface->port));
 	}
 	return (out_generic_raw(np, &isakmp_nat_d, outs,
 		hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"));
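Review bot: pairing `&(md->iface->ip_addr)` with `ntohs(md->iface->port)` instead of `ntohs(st->st_remoteport)` makes the local NAT-D hash cover the local address and local port together, as RFC 3947 requires; the old line mixed the local address with the remote port, which only agrees with the peer's view when both ends use the same port, so a peer on a different port could conclude this side is behind a NAT when it is not. Please also check that the remote-side NAT-D hash built elsewhere in this function uses the remote address and remote port consistently, and that iface->port is stored in network byte order so ntohs is the correct conversion here.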
diff -ru openswan-2.4.4.orig/programs/pluto/vendor.h openswan-2.4.4/programs/pluto/vendor.h
--- openswan-2.4.4.orig/programs/pluto/vendor.h	2005-07-26 04:05:10.000000000 +0200
+++ openswan-2.4.4/programs/pluto/vendor.h	2006-02-15 22:32:13.000000000 +0100
@@ -68,8 +68,8 @@
   VID_NATT_IETF_02_N         =106,
   VID_NATT_IETF_02           =107,
   VID_NATT_IETF_03           =108,
-  VID_NATT_RFC               =109,
-  VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE	=110,
+  VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE	=109,
+  VID_NATT_RFC               =110,
 
 /* 
   While searching (strings) in /usr/sbin/racoon on Max OS X 10.3.3, I found it :
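Review bot: swapping the two values so that VID_NATT_RFC (110) sorts above VID_NATT_DRAFT_IETF_IPSEC_NAT_T_IKE (109) makes the method preference depend on numeric ordering that nothing in this header documents; add a comment on these lines stating that the higher VID_NATT_* value wins when a peer advertises both, or better, express the preference explicitly where the method is chosen rather than through enum magnitude. Also confirm that no table in vendor.c is keyed positionally by these values, since renumbering them would then mis-map the vendor ID strings.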


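As an added example (my own Python, not Peter's patch nor Openswan code), this is the NAT-D computation the second chunk corrects, runnable on its own: RFC 3947 hashes CKY-I | CKY-R | IP | Port for the remote and the local side separately, and the receiver compares them with what it observes on the wire. The SHA-1 choice, cookies and addresses are constructed assumptions; the "mismatched" variant reproduces the pairing of local address with remote port that the hunk replaces, and the second scenario shows it only becomes visible when the two ends use different ports.

```python
import hashlib
import socket
import struct

# Constructed sample values (not taken from the patch or from Openswan).
ICOOKIE = bytes.fromhex("0011223344556677")
RCOOKIE = bytes.fromhex("8899aabbccddeeff")


def natd_hash(icookie, rcookie, ip, port):
    """RFC 3947 NAT-D content: HASH(CKY-I | CKY-R | IP | Port); SHA-1 assumed here."""
    data = icookie + rcookie + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def natd_payloads(icookie, rcookie, local, remote):
    """What a sender emits: first the remote (destination) address and port,
    then its own local address and port, each hashed on its own."""
    return [natd_hash(icookie, rcookie, *remote), natd_hash(icookie, rcookie, *local)]


def natd_payloads_mismatched(icookie, rcookie, local, remote):
    """Same, but the local hash pairs the local address with the *remote* port,
    which is what the line replaced in the second hunk did."""
    return [natd_hash(icookie, rcookie, *remote),
            natd_hash(icookie, rcookie, local[0], remote[1])]


def detect_nat(icookie, rcookie, received, own_local, seen_remote):
    """Receiver side: own_local is its own address/port, seen_remote is the peer's
    address/port as observed on the wire (after any NAT rewrite)."""
    me = natd_hash(icookie, rcookie, *own_local)
    peer = natd_hash(icookie, rcookie, *seen_remote)
    return {"i_am_behind_nat": received[0] != me,
            "peer_behind_nat": peer not in received[1:]}


def scenario_natted_initiator():
    """Initiator 192.0.2.10:500 sits behind a NAT that rewrites it to 203.0.113.5:1025;
    the responder at 198.51.100.1:500 should detect the peer's NAT but not its own."""
    sent = natd_payloads(ICOOKIE, RCOOKIE, ("192.0.2.10", 500), ("198.51.100.1", 500))
    return detect_nat(ICOOKIE, RCOOKIE, sent, ("198.51.100.1", 500), ("203.0.113.5", 1025))


def scenario_mismatched_port():
    """No NAT at all, but the two ends use different ports (500 and 4500): the correct
    payloads detect nothing, the mismatched ones make the peer look NATed."""
    local, remote = ("192.0.2.10", 500), ("198.51.100.1", 4500)
    good = natd_payloads(ICOOKIE, RCOOKIE, local, remote)
    bad = natd_payloads_mismatched(ICOOKIE, RCOOKIE, local, remote)
    return (detect_nat(ICOOKIE, RCOOKIE, good, remote, local)["peer_behind_nat"],
            detect_nat(ICOOKIE, RCOOKIE, bad, remote, local)["peer_behind_nat"])
```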