[Openswan dev] patch for pfs (really nat aggressive mode) issue

Paul Wouters paul at xelerance.com
Fri Mar 10 19:04:02 CET 2006

I'll write up a test case and then look at this patch, and the one in
the bugtracker at #231, and resolve this before we release 2.4.5.


---------- Forwarded message ----------
Date: Fri, 10 Mar 2006 16:51:37 +0000
From: Brian Candler <B.Candler at pobox.com>
To: users at openswan.org
Subject: Re: [Openswan Users]

(Sorry to reply to myself again :-)

On Fri, Mar 10, 2006 at 03:35:18PM +0000, Brian Candler wrote:
> If I run tcpdump on the openswan box's own interface, I see some packets
> with {src 500, dst 4500} and others with {src 4500, dst 4500}. As far as I
> can tell, the 500/4500 ones are IKE, and 4500/4500 are payload (i.e. test
> pings)
> Is this correct, or is openswan messing up here?? Since there are two
> different source ports, of course these get mapped to two different ones via
> the intervening NAT.

Turning on natt debugging in openswan, I also see:

Jan  2 01:34:46 (none) kern.debug pluto[9211]: | processing connection pix
Jan  2 01:34:46 (none) kern.debug pluto[9211]: | NAT-T: updating local port to 500
Jan  2 01:34:46 (none) kern.debug pluto[9211]: | NAT-T connection has wrong interface definition vs
Jan  2 01:34:46 (none) kern.debug pluto[9211]: | NAT-T: using interface vlan1:500
Jan  2 01:34:46 (none) kern.warn pluto[9211]: "pix" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x29cf73ce <0x51a72e7e xfrm=3DES_0-HMAC_MD5 NATD=none DPD=none}

And doing some more searching, I find someone else has reported this problem
already at http://archives.free.net.ph/message/20051207.122311.bc3b76ca.en.html
and even provided a patch:

--- nat_traversal.c.orig        2006-03-10 15:56:20.000000000 +0000
+++ nat_traversal.c     2006-03-10 15:56:38.000000000 +0000
@@ -806,7 +806,8 @@
         * need to change port (MAIN_I3 or QUICK_I1)
        if (((st->st_state == STATE_MAIN_I3)
-            || (st->st_state == STATE_QUICK_I1))
+            || (st->st_state == STATE_AGGR_I2))
            && (st->hidden_variables.st_nat_traversal & NAT_T_WITH_PORT_FLOATING)
            && (st->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
            && (st->st_localport != NAT_T_IKE_FLOAT_PORT))
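Review bot: the `-`/`+` pair replaces the `STATE_QUICK_I1` check with `STATE_AGGR_I2` instead of adding to it, so the existing quick-mode port-float case is dropped and the comment just above the condition, "need to change port (MAIN_I3 or QUICK_I1)", no longer matches the code; keeping both `|| (st->st_state == STATE_QUICK_I1)` and `|| (st->st_state == STATE_AGGR_I2)` and updating the comment to mention AGGR_I2 would preserve the old behaviour while fixing the aggressive-mode case. Note also that the `@@ -806,7 +806,8 @@` header advertises seven old and eight new lines, but only six lines of each are quoted here, so the hunk as pasted is incomplete and is unlikely to apply cleanly without the missing context.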

And now it works, phew :-) [as long as I stick with PFS]

I see this bug is already in the ticket system:

Any chance of getting this or something equivalent into 2.4.5?



P.S. IPSEC over GPRS is pretty painful :-)

$ ping
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=126 time=811.480 ms
64 bytes from icmp_seq=1 ttl=126 time=648.593 ms
64 bytes from icmp_seq=3 ttl=126 time=959.966 ms
64 bytes from icmp_seq=4 ttl=126 time=847.839 ms