[Openswan Users] klips openswan2.4.0 +kernel 2.6.13.2 nat-t failed
Delta Yeh
delta.yeh at gmail.com
Tue Nov 1 21:42:28 CET 2005
patch to fix aggressive mode + nat_traversal=yes on both ends in non-NAT
environment
2005/11/1, Delta Yeh <delta.yeh at gmail.com>:
> I have fixed aggressive mode + nat_traversal=yes in non-NAT environment
> and will send you the patch later.
> But a new bug was found: in a NAT environment, phase 2 negotiation failed.
> According to my sniffer,
> I 4500----->NAT -----> R 4500
> I 4500------NAT<---------R 500
>
> NAT box drops the reply packet to I:4500 because R replies with src
> port of 500 instead of 4500.
> So pluto should record with which fd the packet is received and reply
> with the same fd.
> Maybe someone can fix it.
> Cheers.
>
> 2005/11/1, Paul Wouters <paul at xelerance.com>:
> > On Thu, 27 Oct 2005, mcr wrote:
> >
> > > >>>>> "Delta" == Delta Yeh <delta.yeh at gmail.com> writes:
> > > Delta> seg of auto.log 26 11:03:05 firewall pluto[21786]: "sh_bj" #1:
> > > Delta> initiating Aggressive Mode #1, connection "sh_bj" Oct 26 11:03:05
> > > Delta> firewall pluto[21786]: "sh_bj" #1: message ignored because it
> > > Delta> contains an unknown or unexpected payload type (ISAKMP_NEXT_NAT-D)
> > >
> > > Why use inferior aggressive mode with PSK for openswan<->openswan?
> > > It's less secure and harder than raw rsa keys.
> > >
> > > You can try this and let us know:
> > >
> > > Index: demux.c
> > > ===================================================================
> > > RCS file: /xelerance/master/openswan-2/programs/pluto/demux.c,v
> > > retrieving revision 1.241
> > > diff -u -r1.241 demux.c
> > > --- demux.c 9 Oct 2005 20:30:12 -0000 1.241
> > > +++ demux.c 27 Oct 2005 05:28:26 -0000
> >
> > [....]
> >
> > That does not fully work, see my logs at:
> >
> > http://bugs.xelerance.com/view.php?id=393
> >
> > Paul
> > _______________________________________________
> > Users mailing list
> > Users at openswan.org
> > http://lists.openswan.org/mailman/listinfo/users
> >
>
-------------- next part --------------
--- demux.c.orig Tue Nov 1 21:13:26 2005
+++ demux.c Tue Nov 1 21:07:57 2005
@@ -414,12 +414,12 @@
*/
{ STATE_AGGR_R0, STATE_AGGR_R1,
SMF_PSK_AUTH| SMF_REPLY,
- P(SA) | P(KE) | P(NONCE) | P(ID), P(VID), PT(NONE),
+ P(SA) | P(KE) | P(NONCE) | P(ID), P(VID) | P(NATD_RFC), PT(NONE),
EVENT_RETRANSMIT, aggr_inI1_outR1_psk },
{ STATE_AGGR_R0, STATE_AGGR_R1,
SMF_DS_AUTH | SMF_REPLY,
- P(SA) | P(KE) | P(NONCE) | P(ID), P(VID), PT(NONE),
+ P(SA) | P(KE) | P(NONCE) | P(ID), P(VID) | P(NATD_RFC), PT(NONE),
EVENT_RETRANSMIT, aggr_inI1_outR1_rsasig },
/* STATE_AGGR_I1:
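Review bot: P(NATD_RFC) is added to the optional-payload mask of both STATE_AGGR_R0 rows without an #ifdef NAT_TRAVERSAL guard, while the NAT-D parsing this enables (the ISAKMP_NEXT_NATD_RFC case in the second demux.c hunk) sits inside #ifdef NAT_TRAVERSAL; confirm that P(NATD_RFC) still resolves in a build without NAT_TRAVERSAL, or guard both additions the same way. The hunk also stops at the /* STATE_AGGR_I1: row: the responder's reply carries NAT-D as well, so check whether the initiator-side row needs the same optional-payload change, and state the answer in the patch description either way.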
@@ -2116,6 +2116,10 @@
? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
break;
#ifdef NAT_TRAVERSAL
+ case ISAKMP_NEXT_NATD_RFC:
+ np = ISAKMP_NEXT_NATD_RFC; /* NAT-D */
+ sd = payload_descs[np];
+ break;
case ISAKMP_NEXT_NATD_DRAFTS:
np = ISAKMP_NEXT_NATD_RFC; /* NAT-D relocated */
sd = payload_descs[np];
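Review bot: the new ISAKMP_NEXT_NATD_RFC case has exactly the same body as the existing ISAKMP_NEXT_NATD_DRAFTS case directly below it (both set np = ISAKMP_NEXT_NATD_RFC and sd = payload_descs[np]); collapse them into a single body under the two labels, `case ISAKMP_NEXT_NATD_RFC:` followed by `case ISAKMP_NEXT_NATD_DRAFTS:`, so the two paths cannot drift apart. The /* NAT-D */ comment would also be more useful if it said this is the RFC 3947 NAT-D payload number, mirroring the /* NAT-D relocated */ comment on the drafts case.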
-------------- next part --------------
--- ipsec_doi.c.orig Sat Aug 13 01:05:59 2005
+++ ipsec_doi.c Tue Nov 1 21:09:01 2005
@@ -3763,7 +3763,7 @@
}
if (st->hidden_variables.st_nat_traversal & NAT_T_WITH_NATD) {
- if (!nat_traversal_add_natd(auth_payload, &md->rbody, md))
+ if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
return STF_INTERNAL_ERROR;
}
#endif
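Review bot: changing the first argument of nat_traversal_add_natd() from auth_payload to ISAKMP_NEXT_NONE declares NAT-D as the last payload of the message, which is only correct if the HASH/SIG payload identified by auth_payload has already been emitted before this block; the hunk's context does not show the emission order, so confirm it, otherwise the receiver walks a next-payload chain that ends before the authenticator. The cover note ("patch to fix aggressive mode + nat_traversal=yes ...") should also say why this ipsec_doi.c change is needed in addition to the demux.c payload-table changes.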
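The reply-port failure Delta describes in the quoted message (I sends from 4500 through the NAT to R:4500, R answers from port 500, the NAT drops the answer) can be reproduced without a kernel or a sniffer. The following is an added illustration, not Openswan/pluto code and not part of the original thread: it models a port-restricted NAT as a mapping table and compares a responder that always answers from its port-500 socket with one that answers from the socket the request arrived on. The addresses, port numbers above 4500 and the payload strings are constructed; the NAT is assumed to be port-restricted, which is what the sniffer trace implies.

```python
"""Toy model of the NAT-T reply-port mismatch described in the thread.

Constructed example, not Openswan/pluto code. The NAT is modelled as
port-restricted: an inbound datagram is forwarded only if its source
(ip, port) equals the remote endpoint the mapping was created for.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, udp port)

# Constructed addresses; any private/public split would do.
INITIATOR = "10.0.0.2"      # I, behind the NAT
NAT_PUBLIC = "203.0.113.1"  # NAT's public side
RESPONDER = "198.51.100.9"  # R, directly reachable


@dataclass(frozen=True)
class Datagram:
    src: Endpoint
    dst: Endpoint
    payload: str


@dataclass
class PortRestrictedNat:
    public_ip: str
    next_port: int = 40000
    # (private src endpoint, remote endpoint) -> mapped public port
    mappings: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)

    def outbound(self, d: Datagram) -> Datagram:
        """Translate a datagram leaving the private side; create a mapping."""
        key = (d.src, d.dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return Datagram((self.public_ip, self.mappings[key]), d.dst, d.payload)

    def inbound(self, d: Datagram) -> Optional[Datagram]:
        """Translate a datagram arriving from the public side, or drop it."""
        for (private, remote), port in self.mappings.items():
            if d.dst == (self.public_ip, port) and d.src == remote:
                return Datagram(d.src, private, d.payload)
        return None  # no mapping for (src, dst): dropped, as in the sniffer trace


Responder = Callable[[Datagram], Datagram]


def reply_from_port_500(request: Datagram) -> Datagram:
    """Behaviour reported in the thread: always answer from the port-500 socket."""
    return Datagram((RESPONDER, 500), request.src, "reply")


def reply_from_receiving_socket(request: Datagram) -> Datagram:
    """Proposed behaviour: answer from the socket (port) the request arrived on."""
    return Datagram(request.dst, request.src, "reply")


def simulate(responder: Responder, behind_nat: bool = True) -> bool:
    """Run I -> (NAT) -> R -> (NAT) -> I and report whether I got the reply."""
    request = Datagram((INITIATOR, 4500), (RESPONDER, 4500), "IKE phase 2")
    if not behind_nat:
        # No translation in the path: either reply strategy reaches I.
        reply = responder(request)
        return reply.dst == request.src
    nat = PortRestrictedNat(NAT_PUBLIC)
    on_wire = nat.outbound(request)       # I:4500 becomes NAT:40000
    reply = responder(on_wire)            # R answers NAT:40000
    delivered = nat.inbound(reply)        # NAT checks the reply's source
    return delivered is not None and delivered.dst == request.src


if __name__ == "__main__":
    print("no NAT, reply from 500:      ", simulate(reply_from_port_500, behind_nat=False))
    print("NAT, reply from 500:         ", simulate(reply_from_port_500))
    print("NAT, reply from same socket: ", simulate(reply_from_receiving_socket))
```

The first case succeeds and the second fails, which matches the thread: the bug only shows up once a NAT sits between the peers, and it is the responder's source port, not the payload, that the NAT objects to. The fix direction Delta suggests (remember which fd the request arrived on and reply through it) is the third case; when debugging a real deployment, a capture on the responder's outside interface showing src port 500 for a reply to a 4500 request is the quick way to recognise this failure mode.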