[Openswan Users] Any known problems with NAT Traversal with Linux 2.4.26/2.6.7?

Herbert Xu herbert at gondor.apana.org.au
Thu Jul 22 14:31:22 CEST 2004


On Thu, Jul 22, 2004 at 09:37:31AM +1000, herbert wrote:
> 
> I see the problem.  It looks like the client is sending this packet
> through the ESP tunnel (56 + 26 + 32 = 116).

Found it.  Looks like some of my changes for SFS were lost when
Openswan opened up.

Here is a patch to make Openswan do what my old SFS patches did.
It's against HEAD but should apply to 2.1.x as well.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志强 <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
-------------- next part --------------
Index: programs/pluto/server.c
===================================================================
RCS file: /public/cvs/openswan-2/programs/pluto/server.c,v
retrieving revision 1.97
diff -u -r1.97 server.c
--- programs/pluto/server.c	2 Jun 2004 12:42:50 -0000	1.97
+++ programs/pluto/server.c	22 Jul 2004 03:34:50 -0000
@@ -523,6 +523,51 @@
     }
 #endif
 
+#if defined(linux) && defined(KERNEL26_SUPPORT)
+    if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
+    {
+	struct sadb_x_policy policy;
+	int level, opt;
+
+	policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
+	policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
+	policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
+	policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
+	policy.sadb_x_policy_reserved = 0;
+	policy.sadb_x_policy_id = 0;
+	policy.sadb_x_policy_reserved2 = 0;
+
+	if (addrtypeof(&ifp->addr) == AF_INET6)
+	{
+	    level = IPPROTO_IPV6;
+	    opt = IPV6_IPSEC_POLICY;
+	}
+	else
+	{
+	    level = IPPROTO_IP;
+	    opt = IP_IPSEC_POLICY;
+	}
+
+	if (setsockopt(fd, level, opt
+	  , &policy, sizeof(policy)) < 0)
+	{
+	    log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
+	    close(fd);
+	    return -1;
+	}
+
+	policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
+
+	if (setsockopt(fd, level, opt
+	  , &policy, sizeof(policy)) < 0)
+	{
+	    log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
+	    close(fd);
+	    return -1;
+	}
+    }
+#endif
+
     setportof(htons(port), &ifp->addr);
     if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
     {
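Review bot: `policy` is an automatic variable filled field by field, so any padding or header fields beyond the seven assigned ones reach the kernel uninitialized in both setsockopt() calls; declare it as `struct sadb_x_policy policy = {0};` (or memset it) before the assignments. Both log_errno() strings still say `"setsockopt IPSEC_POLICY in process_raw_ifaces()"`, copied from the block the third hunk removes, while the context here (`setportof(htons(port), ...)` and the `return -1` style) suggests this now lives in a separate socket-creation helper, presumably the create_socket() the second hunk calls, so the message names the wrong function. The block also deserves a why-comment, since IPSEC_POLICY_BYPASS deliberately exempts this socket from the kernel's SPD lookup: `/* Bypass IPsec policy on the IKE socket so its packets (and NAT-T ESPinUDP on it) are not themselves sent through an ESP SA */`, which is the failure the thread describes. The enclosing function starts outside the hunk.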
@@ -659,13 +704,10 @@
 		if (q == NULL)
 		{
 		    /* matches nothing -- create a new entry */
-		    int fd = socket(addrtypeof(&ifp->addr), SOCK_DGRAM, IPPROTO_UDP);
+		    int fd = create_socket(ifp, v->name, pluto_port);
 
 		    if (fd < 0)
-		    {
-			log_errno((e, "socket() in process_raw_ifaces()"));
 			break;
-		    }
 
 #ifdef NAT_TRAVERSAL
 		    if (nat_traversal_support_non_ike)
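Review bot: The order of socket setup changes here: create_socket() appears to bind() the socket before returning (the first hunk's trailing context shows setportof() and bind() inside it), so the `nat_traversal_espinudp_socket(fd, ...)` call that follows now runs on an already-bound socket, whereas the removed code in the third hunk bound only after the NAT-T setup. On Linux the UDP encapsulation option is generally accepted on a bound UDP socket, but that should be confirmed against the kernel versions named in the subject rather than assumed. The bare `break;` after `if (fd < 0)` relies on create_socket() having logged and closed on its own failure paths, which the first hunk shows it does for the new setsockopt() calls; a one-line comment such as `/* create_socket() already logged and closed the fd */` would make that contract visible to the next reader. The enclosing loop and function extend beyond the hunk.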
@@ -673,96 +715,6 @@
 			nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
 		    }
 #endif
-		    if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1)
-		    {
-			log_errno((e, "fcntl(,, FD_CLOEXEC) in process_raw_ifaces()"));
-			break;
-		    }
-
-		    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR
-		    , (const void *)&on, sizeof(on)) < 0)
-		    {
-			log_errno((e, "setsockopt SO_REUSEADDR in process_raw_ifaces()"));
-			break;
-		    }
-
-		    /* To improve error reporting.  See ip(7). */
-#if defined(IP_RECVERR) && defined(MSG_ERRQUEUE)
-		    if (setsockopt(fd, SOL_IP, IP_RECVERR
-		    , (const void *)&on, sizeof(on)) < 0)
-		    {
-			log_errno((e, "setsockopt IP_RECVERR in process_raw_ifaces()"));
-			break;
-		    }
-#endif
-
-		    /* With IPv6, there is no fragmentation after
-		     * it leaves our interface.  PMTU discovery
-		     * is mandatory but doesn't work well with IKE (why?).
-		     * So we must set the IPV6_USE_MIN_MTU option.
-		     * See draft-ietf-ipngwg-rfc2292bis-01.txt 11.1
-		     */
-#ifdef IPV6_USE_MIN_MTU	/* YUCK: not always defined */
-		    if (addrtypeof(&ifp->addr) == AF_INET6
-		    && setsockopt(fd, SOL_SOCKET, IPV6_USE_MIN_MTU
-		      , (const void *)&on, sizeof(on)) < 0)
-		    {
-			log_errno((e, "setsockopt IPV6_USE_MIN_MTU in process_raw_ifaces()"));
-			break;
-		    }
-#endif
-
-#if defined(linux) && defined(KERNEL26_SUPPORT)
-		    if (!no_klips && kernel_ops->type == KERNEL_TYPE_LINUX)
-		    {
-			struct sadb_x_policy policy;
-			int level, opt;
-
-			policy.sadb_x_policy_len = sizeof(policy) / IPSEC_PFKEYv2_ALIGN;
-			policy.sadb_x_policy_exttype = SADB_X_EXT_POLICY;
-			policy.sadb_x_policy_type = IPSEC_POLICY_BYPASS;
-			policy.sadb_x_policy_dir = IPSEC_DIR_INBOUND;
-			policy.sadb_x_policy_reserved = 0;
-			policy.sadb_x_policy_id = 0;
-			policy.sadb_x_policy_reserved2 = 0;
-
-			if (addrtypeof(&ifp->addr) == AF_INET6)
-			{
-			    level = IPPROTO_IPV6;
-			    opt = IPV6_IPSEC_POLICY;
-			}
-			else
-			{
-			    level = IPPROTO_IP;
-			    opt = IP_IPSEC_POLICY;
-			}
-
-			if (setsockopt(fd, level, opt
-			  , &policy, sizeof(policy)) < 0)
-			{
-			    log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
-			    break;
-			}
-
-			policy.sadb_x_policy_dir = IPSEC_DIR_OUTBOUND;
-
-			if (setsockopt(fd, level, opt
-			  , &policy, sizeof(policy)) < 0)
-			{
-			    log_errno((e, "setsockopt IPSEC_POLICY in process_raw_ifaces()"));
-			    break;
-			}
-		    }
-#endif
-
-		    setportof(htons(pluto_port), &ifp->addr);
-		    if (bind(fd, sockaddrof(&ifp->addr), sockaddrlenof(&ifp->addr)) < 0)
-		    {
-			log_errno((e, "bind() for %s/%s %s:%u in process_raw_ifaces()"
-			    , ifp->name, v->name
-			    , ip_str(&ifp->addr), (unsigned) pluto_port));
-			break;
-		    }
 
 		    q = alloc_thing(struct iface, "struct iface");
 		    q->rname = clone_str(ifp->name, "real device name");

