[Openswan dev] NAT-T in the face of changing IPs

Michael Richardson mcr at xelerance.com
Thu Jul 26 14:44:34 EDT 2007

Hash: SHA1

>>>>> "Michael" == Michael Richardson <mcr at sandelman.ca> writes:
    Michael> Tero Kivinen wrote:
    >>> I.e. a different UDP port.  Apparently, this is a problem for openswan.
    >> I guess you mean to say different IP-address, not port. The port is of
    >> course different as it is behind NAT.

    Michael> Yes, that's what I meant.

    >>> Was this a case that I just didn't code for, or is this a gap in the
    >>> specification? 
    >> NAT-T specs do say that it can come from different IP-address. It even
    >> specifies that the IP address can change on the fly.

    Michael> Yes, I just didn't expect it to change until after the phase 1 was 
    Michael> complete. I.e that it would change later on.

    Michael> I agree that this behaviour is acceptable. I think I'll have code tested 
    Michael> soon for this tonight.

  Test case nat-pluto-07 (will be in 2.5.15) simulates the experience I
had in the hotel. Once it passed, I upgraded two of my machines, one a
2.6 (XenU), and the other a 2.4.31 machine to 2.5.15-prerelease and they
seemed to work.

  Of course, the IETF hotel network was much less busy, and it didn't do
different NAT mappings for me at 4am when I tested, so couldn't be sure
it worked in real life. But the test case definitely failed the way I
expected until I fixed various things.

  Likely most of the changes in nat_traversal.c will port back to 2.4
easily, if someone needs that. I'm frankly surprised we have never run
into this in the wild before. Probably, people have, but didn't know why
their phase 1 didn't complete.

  The hotel uses a "Nomadix", which is linux 2.4 kernel based, AFAIK.

- -- 
]            Bear: "Me, I'm just the shape of a bear."          |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr at xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Finger me for keys


More information about the Dev mailing list