[Openswan Users] winxp behind on server behind nat patch
Bernd Galonska
B.Galonska at fhr.de
Thu Mar 24 14:31:45 CET 2005
I have tested the same scenarios with openswan-2.3.1dr3.
> after this you will get the error message on the Windows side because
> Windows cannot handle the Nat-OA payload in the response to quick mode
With updated Win2k and WinXP and openswan-2.3.1dr3, Windows can handle the Nat-OA response in quick mode!!
Maybe the problems were solved by Microsoft, or the problem was the IPsec implementation I used in my first tests (strongswan-2.3.2).
So you only need to keep the connection alive (part one of the patch).
I have modified the patch in this way, and now I again conform with the RFC:
Schnipp-------------------------------------------------------------------------------------
--- openswan-2.3.1dr3/programs/pluto/ipsec_doi.c 2005-02-11
15:18:08.000000000 +0000
+++ openswan-2.3.1dr3/programs/pluto/ipsec_doi.c 2005-03-01
15:07:46.219586776 +0000
@@ -5958,6 +5958,17 @@
struct connection *p = find_client_connection(c
, our_net, his_net, b->my.proto, b->my.port, b->his.proto,
b->his.port);
+#ifdef NAT_TRAVERSAL
+ #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+ if( (p1st->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
+ && !(p1st->st_policy & POLICY_TUNNEL)
+ && (p1st->hidden_variables.st_nat_traversal &
LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+ && (p == NULL) )
+ {
+ p = c;
+ }
+ #endif
+#endif
if (p == NULL)
{
/* This message occurs in very puzzling circumstances
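Review bot: the fallback `p = c;` added in this hunk is taken exactly when find_client_connection() found no connection matching the proposed clients (our_net/his_net, protocols and ports), so in transport mode with NAT detected behind us the responder attaches whatever client selectors the peer proposed to the current connection `c` without any match; this branch should at least log that the fallback was applied (the code right below already reports the unmatched case "in very puzzling circumstances", so a parallel message fits there), and the I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT define that gates it should be documented with that trade-off in the patch description. Also, the inner `#ifdef`/`#endif` are indented by one space while the outer pair is not, which does not match the surrounding pluto code.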
Schnap--------------------------------------------------------------------------------------------
If you use SUSE Linux with SuSEfirewall you have to set up some rules to enable transport mode; the default rules only work with tunnel mode.
In /etc/sysconfig/SuSEfirewall2 you need
* FW_SERVICES_EXT_UDP="isakmp 4500"
* FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
In /etc/sysconfig/scripts/SuSEfirewall2-custom
* fill in the rule
iptables -t mangle -A INPUT -p udp -m udp --sport 4500 --dport 4500 -j MARK --set-mark 0x1701d