[Openswan Users]
Paul Wouters
paul at xelerance.com
Wed Apr 26 20:22:39 CEST 2006
On Wed, 26 Apr 2006, wei minghu wrote:
> I found the uniqueids in ipsec.conf don't work when more than one
> roadwarriors behind NAT. The remote client is lsipsectool, OS is Windows XP
> professional.
I'll investigate this issue. It might have already been addressed in #public.
(the git repository of openswan for the 2.5.x series)
Paul
> The code about this problem is in ISAKMP_SA_established():
>
> if (d->kind >= CK_PERMANENT
> && same_id(&c->spd.that.id, &d->spd.that.id)
> && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
> {
> release_connection(d, FALSE);
> }
>
> Because the IP address after NAT is not changed, openswan thinks it comes
> from the same client, and this renders uniqueids invalid.
>
> I found a patch on bugs.xelerance.com from Herbert Xu:
>
> @@ -3340,8 +3340,10 @@
> struct connection *next = d->ac_next; /* might move underneath us */
>
> if (d->kind >= CK_PERMANENT
> + && same_id(&c->spd.this.id, &d->spd.this.id)
> && same_id(&c->spd.that.id, &d->spd.that.id)
> - && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
> + && (!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr)
> + || (c->spd.that.host_port != d->spd.that.host_port)))
> {
> release_connection(d, FALSE);
> }
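Review bot: the port comparison added at `+ || (c->spd.that.host_port != d->spd.that.host_port)` cannot separate two road warriors behind one NAT when both arrive on UDP 500, which is exactly the case reported here: with `host_addr` and `host_port` both equal, neither the original nor the patched condition releases anything, so the hunk leaves the reported case unchanged. If the goal is to tell the peers apart, the test needs a value that actually differs between them (for instance the peer's source port after NAT-T has floated, when the NAT assigns distinct ports), and the case where even that is equal still needs handling. Separately, the added `+ && same_id(&c->spd.this.id, &d->spd.this.id)` narrows the release to connections with the same local id; that is unrelated to the NAT problem and should be explained in the patch description or split into its own change.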
>
> I tested it, but it doesn't work either, because both of the host_port values are 500.
>
> I don't have any good way to fix this. Can you give me some suggestions?
>
> Thanks and regards.
>
> Liuhy
>
--
Building and integrating Virtual Private Networks with Openswan:
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
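Added example, not Openswan code: a stand-alone C model of the two conditions quoted in this thread (the original test in ISAKMP_SA_established() and the version from the quoted patch), run against constructed connection records to show which peers each condition would release. Field names follow the quoted snippet; the struct layout, the CK_* values, the helper bodies, the addresses and the port numbers are all assumptions made for the example.

```c
/* Added example, not Openswan code: a stand-alone model of the uniqueids
 * test quoted in this thread. Struct layout, the CK_* values and the
 * helpers are assumptions; field names follow the quoted snippet. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { CK_INSTANCE = 1, CK_PERMANENT = 2 };   /* assumed: permanent sorts above instances */

struct end {
    const char *id;      /* IKE identity of this end */
    uint32_t host_addr;  /* address as seen by the gateway (post-NAT for the peer) */
    uint16_t host_port;  /* UDP port as seen by the gateway */
};

struct connection {
    int kind;
    struct end this_end; /* our side (the gateway) */
    struct end that;     /* the peer */
};

typedef bool (*release_rule)(const struct connection *c, const struct connection *d);

static bool same_id(const struct end *a, const struct end *b)
{
    return strcmp(a->id, b->id) == 0;
}

static bool sameaddr(const struct end *a, const struct end *b)
{
    return a->host_addr == b->host_addr;
}

/* Original test: release d when the peer id matches c's but the peer
 * address differs (the "same client came back from elsewhere" case). */
bool release_original(const struct connection *c, const struct connection *d)
{
    return d->kind >= CK_PERMANENT
        && same_id(&c->that, &d->that)
        && !sameaddr(&c->that, &d->that);
}

/* Test from the quoted patch: additionally require matching local ids and
 * also treat a differing peer port as "elsewhere". */
bool release_patched(const struct connection *c, const struct connection *d)
{
    return d->kind >= CK_PERMANENT
        && same_id(&c->this_end, &d->this_end)
        && same_id(&c->that, &d->that)
        && (!sameaddr(&c->that, &d->that)
            || c->that.host_port != d->that.host_port);
}

/* Constructed record: a permanent-kind connection for peer "@roadwarrior"
 * seen at addr:port by gateway "@gw" (198.51.100.1, assumed). */
static struct connection roadwarrior(uint32_t addr, uint16_t port)
{
    struct connection c = {
        .kind = CK_PERMANENT,
        .this_end = { "@gw", 0xC6336401u, 500 },
        .that = { "@roadwarrior", addr, port },
    };
    return c;
}

/* Scenario 1 (the reporter's case): two clients behind one NAT
 * (203.0.113.10, assumed), both arriving on UDP 500. */
bool releases_second_client_same_nat(release_rule rule)
{
    struct connection existing = roadwarrior(0xCB00710Au, 500);
    struct connection incoming = roadwarrior(0xCB00710Au, 500);
    return rule(&incoming, &existing);
}

/* Scenario 2: the same client reconnects from a different public
 * address (203.0.113.20, assumed). */
bool releases_client_from_new_address(release_rule rule)
{
    struct connection existing = roadwarrior(0xCB00710Au, 500);
    struct connection incoming = roadwarrior(0xCB007114u, 500);
    return rule(&incoming, &existing);
}

/* Scenario 3 (assumed): the NAT rewrote one client's source port, so the
 * two peers share an address but not a port. */
bool releases_second_client_distinct_port(release_rule rule)
{
    struct connection existing = roadwarrior(0xCB00710Au, 500);
    struct connection incoming = roadwarrior(0xCB00710Au, 1025);
    return rule(&incoming, &existing);
}

int main(void)
{
    printf("same NAT, both port 500:   original=%d patched=%d\n",
           releases_second_client_same_nat(release_original),
           releases_second_client_same_nat(release_patched));
    printf("same client, new address:  original=%d patched=%d\n",
           releases_client_from_new_address(release_original),
           releases_client_from_new_address(release_patched));
    printf("same NAT, distinct ports:  original=%d patched=%d\n",
           releases_second_client_distinct_port(release_original),
           releases_second_client_distinct_port(release_patched));
    return 0;
}
```

The first scenario is the one reported in the thread: with address and port equal, neither condition fires, so the patched test only changes behaviour when the NAT happens to present the two clients on different ports.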