[Openswan Users] Forcing udp-encaps when not on a NAT'd connection?

Nate Carlson natecars at natecarlson.com
Thu Jun 10 13:26:44 CEST 2004


On Thu, 10 Jun 2004, Mathieu Lafon wrote:
> Yes, you need to enable it on at least one gateway and they will both
> think that there is NAT between them and enable ESPinUDP.

Very cool! I'll have to give that a shot.

> Doing it on a per-connection basis is not very difficult.

I took a look at the code, and adding it per-connection is certainly beyond my
skills (I have never claimed to be a C programmer). It looks like it wouldn't
be too difficult to enable as a global at least (maybe add a nat_traversal=force
option that enables FORCE_NAT_TRAVERSAL). Per-connection would be the ideal, of
course.

I did decide to see if I could hack it up to work globally (a
nat_traversal=force option), and came up with the attached patch - note that I
am not a C programmer, so this could very well break things. It seems to work
for me; however, if I set it to force I can't connect to one of my VPN hosts
for some reason - the rest work fine.

------------------------------------------------------------------------
| nate carlson | natecars at natecarlson.com | http://www.natecarlson.com |
|       depriving some poor village of its idiot since 1981            |
------------------------------------------------------------------------
-------------- next part --------------
diff -Naur openswan-2/programs/_plutorun/_plutorun.in openswan-2.nate/programs/_plutorun/_plutorun.in
--- openswan-2/programs/_plutorun/_plutorun.in	2003-12-24 13:47:13.000000000 -0600
+++ openswan-2.nate/programs/_plutorun/_plutorun.in	2004-06-10 12:24:07.000000000 -0500
@@ -91,8 +91,9 @@
 esac
 case "$nat_traversal" in
 yes)  popts="$popts --nat_traversal"  ;;
+force)  popts="$popts --nat_traversal --nat_traversal_force" ;;
 no|'')                ;;
-*)    echo "unknown nat_traversal value (not yes/no) \`$IPSECnat_traversal'" ;;
+*)    echo "unknown nat_traversal value (not yes/no/force) \`$IPSECnat_traversal'" ;;
 esac
 [ -n "$keep_alive" ] && popts="$popts --keep_alive $keep_alive"
 case "$force_keepalive" in
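Review bot: The rewritten `*)` arm still echoes `$IPSECnat_traversal` while the `case` dispatches on `$nat_traversal`; if those two are not guaranteed to hold the same value, the diagnostic prints something other than the string that was rejected, and `\`$nat_traversal'` would be the safer spelling unless the script intentionally reports the exported name. The new `force)` arm passes both `--nat_traversal` and `--nat_traversal_force`, so the C side is never asked to force without NAT-T being enabled via this script, but the arm is not column-aligned with the `yes)` line above it. Note also that the `*)` arm only echoes and does not exit, so a misspelt value still starts pluto without NAT-T; that is pre-existing, but it matters more now that a third accepted value exists.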
diff -Naur openswan-2/programs/pluto/nat_traversal.c openswan-2.nate/programs/pluto/nat_traversal.c
--- openswan-2/programs/pluto/nat_traversal.c	2004-06-01 09:42:36.000000000 -0500
+++ openswan-2.nate/programs/pluto/nat_traversal.c	2004-06-10 12:24:25.000000000 -0500
@@ -60,7 +60,6 @@
 
 #include "nat_traversal.h"
 
-/* #define FORCE_NAT_TRAVERSAL */
 #define NAT_D_DEBUG
 #define NAT_T_SUPPORT_LAST_DRAFTS
 
@@ -86,11 +85,15 @@
 static unsigned int _kap = 0;
 static unsigned int _ka_evt = 0;
 static bool _force_ka = 0;
+static bool _force_natt = 0;
+
+unsigned int sender_port = 0;
+unsigned int this_host_port = 0;
 
 static const char *natt_version = "0.6c";
 
 void init_nat_traversal (bool activate, unsigned int keep_alive_period,
-	bool fka, bool spf)
+	bool fka, bool spf, bool forcenatt)
 {
 	nat_traversal_enabled = activate;
 	nat_traversal_support_non_ike = activate;
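Review bot: init_nat_traversal gains a fifth parameter here, but the patch does not touch nat_traversal.h (included just above this hunk), so unless the prototype was updated outside this diff the declaration and definition will disagree and the five-argument call in the plutomain.c hunk will not match the declared signature. The two new file-scope variables `sender_port` and `this_host_port` are non-static and therefore exported from this translation unit although they are only used as scratch values inside nat_traversal_add_natd; `static` would be the minimum, and locals in that function would be better. `_force_natt` is initialised with `0` like the neighbouring `_force_ka`, while the rest of the patch uses `FALSE` for bool values; either is fine, but one convention would read more consistently. init_nat_traversal's body continues into the next hunk.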
@@ -98,10 +101,12 @@
 	nat_traversal_support_port_floating = activate ? spf : FALSE;
 #endif
 	_force_ka = fka;
+	_force_natt = forcenatt;
 	_kap = keep_alive_period ? keep_alive_period : DEFAULT_KEEP_ALIVE_PERIOD;
-	plog("  including NAT-Traversal patch (Version %s)%s%s%s",
+	plog("  including NAT-Traversal patch (Version %s)%s%s%s%s",
 		natt_version, activate ? "" : " [disabled]",
 		activate & fka ? " [Force KeepAlive]" : "",
+		activate & forcenatt ? " [Force NAT Traversal]" : "",
 		activate & !spf ? " [Port Floating disabled]" : "");
 }
 
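Review bot: `_force_natt = forcenatt;` is stored regardless of `activate`, whereas `nat_traversal_support_port_floating` three lines above is gated with `activate ? spf : FALSE` and the new plog argument only reports the flag when `activate & forcenatt`; if `--nat_traversal_force` is given without `--nat_traversal`, the log will say NAT-T is disabled while `_force_natt` stays set. Mirroring the existing gate, `_force_natt = activate ? forcenatt : FALSE;`, keeps the stored state consistent with what is logged. The `&` in `activate & forcenatt` copies the neighbouring idiom; `&&` is the conventional spelling for a logical test, though for bool operands the result is the same. init_nat_traversal's signature is in the preceding hunk.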
@@ -280,10 +285,10 @@
 #endif
 		st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
 	}
-#ifdef FORCE_NAT_TRAVERSAL
-	st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
-	st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
-#endif
+	if (_force_natt) {
+		st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_PEER);
+		st->nat_traversal |= LELEM(NAT_TRAVERSAL_NAT_BHND_ME);
+	}
 }
 
 bool nat_traversal_add_natd(u_int8_t np, pb_stream *outs,
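Review bot: The new `if (_force_natt)` block sets both NAT_TRAVERSAL_NAT_BHND_PEER and NAT_TRAVERSAL_NAT_BHND_ME after the detection logic above it has already decided, silently overriding whatever the NAT-D comparison found, and because the flag is global it does so for every peer. A comment stating that intent would help the next reader, e.g. `/* nat_traversal=force: report NAT on both ends regardless of the NAT-D result so ESP-in-UDP is always used */`. The enclosing function begins before this hunk, so whether it can be reached for a peer that did not advertise NAT-T support is not visible here; if it can, forcing the flags for such a peer may be what breaks the one host the cover note mentions.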
@@ -308,15 +313,15 @@
 	/**
 	 * First one with sender IP & port
 	 */
+	if (_force_natt) {
+		sender_port = 0;
+	} else {
+		sender_port = ntohs(md->sender_port);
+	}
 	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
 		is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
 		&(md->sender),
-#ifdef FORCE_NAT_TRAVERSAL
-		0
-#else
-		ntohs(md->sender_port)
-#endif
-	);
+		sender_port);
 	if (!out_generic_raw((st->nat_traversal & NAT_T_WITH_RFC_VALUES
 		? ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS), &isakmp_nat_d, outs,
 		hash, st->st_oakley.hasher->hash_digest_len, "NAT-D")) {
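Review bot: `sender_port` is a file-scope global (declared in the first nat_traversal.c hunk) that only carries a value into the `_natd_hash` call that follows, so the five-line if/else plus assignment can become a local `unsigned int port = _force_natt ? 0 : ntohs(md->sender_port);` passed directly to `_natd_hash`; the same applies to `this_host_port` in the next hunk. As written, every call to nat_traversal_add_natd rewrites shared state that nothing else reads, and the symbol stays exported from the translation unit. A short comment on why the port is zeroed when forced would also help, since the removed `#ifdef` did the same without explanation, e.g. `/* forced: hash with port 0 so the peer's NAT-D comparison fails and it treats us as NATed */` — that is my reading of the intent and worth confirming. nat_traversal_add_natd's signature precedes this hunk and its body ends in the next one.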
@@ -326,15 +331,15 @@
 	/**
 	 * Second one with my IP & port
 	 */
+	if (_force_natt) {
+		this_host_port = 0;
+	} else {
+		this_host_port = ntohs(st->st_connection->spd.this.host_port);
+	}
 	_natd_hash(st->st_oakley.hasher, hash, st->st_icookie,
 		is_zero_cookie(st->st_rcookie) ? md->hdr.isa_rcookie : st->st_rcookie,
 		&(md->iface->addr),
-#ifdef FORCE_NAT_TRAVERSAL
-		0
-#else
-		ntohs(st->st_connection->spd.this.host_port)
-#endif
-	);
+		this_host_port);
 	return (out_generic_raw(np, &isakmp_nat_d, outs,
 		hash, st->st_oakley.hasher->hash_digest_len, "NAT-D"));
 }
diff -Naur openswan-2/programs/pluto/plutomain.c openswan-2.nate/programs/pluto/plutomain.c
--- openswan-2/programs/pluto/plutomain.c	2004-03-20 23:23:34.000000000 -0600
+++ openswan-2.nate/programs/pluto/plutomain.c	2004-06-10 12:24:22.000000000 -0500
@@ -131,6 +131,7 @@
 	    "[--nat_traversal] [--keep_alive <delay_sec>]"
 	    " \\\n\t"
 	        "[--force_keepalive] [--disable_port_floating]"
+	    " [--nat_traversal_force]"
 #endif
 #ifdef VIRTUAL_IP
 	   " \\\n\t"
@@ -221,6 +222,7 @@
     bool nat_t_spf = TRUE;  /* support port floating */
     unsigned int keep_alive = 0;
     bool force_keepalive = FALSE;
+    bool force_nat_traversal = FALSE;
 #endif
 #ifdef VIRTUAL_IP
     char *virtual_private = NULL;
@@ -267,6 +269,9 @@
 #ifdef VIRTUAL_IP
 	    { "virtual_private", required_argument, NULL, '6' },
 #endif
+#ifdef NAT_TRAVERSAL
+	    { "nat_traversal_force", no_argument, NULL, '7' },
+#endif
 #ifdef DEBUG
 	    { "debug-none", no_argument, NULL, 'N' },
 	    { "debug-all]", no_argument, NULL, 'A' },
@@ -462,6 +467,11 @@
 	    virtual_private = optarg;
 	    continue;
 #endif
+#ifdef NAT_TRAVERSAL
+	case '7':	/* --nat_traversal_force */
+	    force_nat_traversal = TRUE;
+	    continue;
+#endif
 
 	default:
 #ifdef DEBUG
@@ -614,7 +624,7 @@
     }
 
 #ifdef NAT_TRAVERSAL
-    init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
+    init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf, force_nat_traversal);
 #endif
 
 #ifdef VIRTUAL_IP

