[Openswan Users] cannot respond to IPsec SA request

Paul Wouters paul at xelerance.com
Tue Mar 21 17:42:46 CET 2006


On Tue, 21 Mar 2006, Jacco de Leeuw wrote:

> > That has been taken care of:
> > Mar 21 16:06:32 Marnix pluto[27184]:   including NAT-Traversal patch
> > (Version 0.6c)
>
> The patch for NATed servers in transport mode has not been included in
> Mathieu Lafon's NAT-T patch or in Openswan. So that log message is
> not an indication that it is included. You need to add that patch
> yourself and recompile Openswan.

The problem is that so much has changed in the NAT and transport mode
code that I don't think the patch is correct anymore for anything except
openswan 2.4.x.

Michael, can you tell me if the patch is still good for #public:

--- programs/pluto/ikev1_quick.c.NATserver      2005-03-27 22:15:09.000000000 +0200
+++ programs/pluto/ikev1_quick.c        2005-04-10 00:33:03.924943368 +0200
@@ -1526,6 +1526,19 @@
        struct connection *p = find_client_connection(c
            , our_net, his_net, b->my.proto, b->my.port, b->his.proto, b->his.port);

+#ifdef NAT_TRAVERSAL
+#ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
+    if( (p1st->hidden_variables.st_nat_traversal & NAT_T_DETECTED)
+       && !(p1st->st_policy & POLICY_TUNNEL)
+       && (p1st->hidden_variables.st_nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
+       && (p == NULL) )
+        {
+          p = c;
+          DBG(DBG_CONTROL, DBG_log("using (something) old for transport mode connection \"%s\"", p->name));
+        }
+#endif
+#endif
+
        if (p == NULL)
        {
            /* This message occurs in very puzzling circumstances
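Review bot: the fallback `p = c;` reuses the Phase 1 connection even though `find_client_connection(c, our_net, his_net, ...)` just reported that no connection matches the client networks proposed in Quick Mode, so the proposal's selectors are accepted without being checked against `c`; that is presumably the concern the `I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT` guard alludes to, and the hunk should carry a comment stating exactly what is being accepted and why the NAT-behind-me transport-mode case justifies it. The debug message `using (something) old for transport mode connection` reads as a placeholder; it should say what is being reused (the Phase 1 connection) and under which condition. Minor: `if( (` spacing and the brace indentation do not match the surrounding pluto code.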


Paul
