Date: Wed, 27 Mar 2019 08:56:35 +0000 (UTC)
From: Eugene Grosbein <eugen@FreeBSD.org>
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject: svn commit: r496938 - in head/security/ipsec-tools: . files
Message-ID: <201903270856.x2R8uZhC040308@repo.freebsd.org>
Author: eugen Date: Wed Mar 27 08:56:35 2019 New Revision: 496938 URL: https://svnweb.freebsd.org/changeset/ports/496938 Log: security/ipsec-tools: small correction NATT patch This change fixes rare case for "site to site" IPSec tunnel mode when remote peer is behind NAT and has its own LAN behind. Now this works too (previously NATT worked only for single host behind NAT). Modified: head/security/ipsec-tools/Makefile head/security/ipsec-tools/files/natt.diff Modified: head/security/ipsec-tools/Makefile ============================================================================== --- head/security/ipsec-tools/Makefile Wed Mar 27 08:36:30 2019 (r496937) +++ head/security/ipsec-tools/Makefile Wed Mar 27 08:56:35 2019 (r496938) @@ -8,7 +8,7 @@ PORTNAME= ipsec-tools PORTVERSION= 0.8.2 -PORTREVISION= 7 +PORTREVISION= 8 CATEGORIES= security MASTER_SITES= SF Modified: head/security/ipsec-tools/files/natt.diff ============================================================================== --- head/security/ipsec-tools/files/natt.diff Wed Mar 27 08:36:30 2019 (r496937) +++ head/security/ipsec-tools/files/natt.diff Wed Mar 27 08:56:35 2019 (r496938) @@ -82,12 +82,14 @@ return pfkey_send_add2(&psaa); --- src/racoon/isakmp_quick.c +++ src/racoon/isakmp_quick.c -@@ -2390,6 +2390,32 @@ get_proposal_r(iph2) +@@ -2390,6 +2390,34 @@ spidx.src.ss_family, spidx.dst.ss_family, _XIDT(iph2->id_p),idi2type); } +#ifdef ENABLE_NATT -+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) { ++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER ++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV4_ADDR_SUBNET ++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV6_ADDR_SUBNET) { + u_int16_t port; + + port = extract_port(&spidx.src);
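Review bot: In the natt.diff hunk for src/racoon/isakmp_quick.c, the added test reads `_XIDT(iph2->id)` while the unchanged context line directly above it uses `_XIDT(iph2->id_p)`; since the log describes a remote peer with its own LAN behind NAT, please confirm which identifier is intended and say so in a comment above the `if`. The condition also mixes `&` and `&&` without parentheses; it parses as intended because `&` binds tighter than `&&`, but writing `(iph2->ph1->natt_flags & NAT_DETECTED_PEER)` would make that obvious and avoid compiler warnings. A one-line comment on why the two ADDR_SUBNET ID types skip the port handling that follows would tie the code to the site-to-site case named in the log.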