Date:      Wed, 5 Sep 2012 15:38:22 +0200
From:      VANHULLEBUS Yvan <vanhu@FreeBSD.org>
To:        freebsd-net@freebsd.org
Subject:   Re: Support for IPSec VPN's: some patches for netipsec/key.c
Message-ID:  <20120905133822.GA4762@zeninc.net>
In-Reply-To: <50474D5C.4020003@incore.de>
References:  <50474D5C.4020003@incore.de>

On Wed, Sep 05, 2012 at 03:02:20PM +0200, Andreas Longwitz wrote:
> Hi, as continuation of

Hi.


[....]
> The following patches are all for netipsec/key.c:
> 
> I use parameter "generate_policy on" in racoon.conf. This works for
> clients with NAT-T, but directly connected clients need the following
> patch (likewise in ipsec-tools/roadwarrior/client/phase1-up.sh):
> 
> @@ -1927,19 +1930,27 @@
>  #if 1
>         if (newsp->req && newsp->req->saidx.src.sa.sa_family) {
>               struct sockaddr *sa;
> +             uint16_t *pport;
>               sa = (struct sockaddr *)(src0 + 1);
>               if (sa->sa_family != newsp->req->saidx.src.sa.sa_family) {
>                       _key_delsp(newsp);
>                       return key_senderror(so, m, EINVAL);
>               }
> +             pport = (uint16_t *)newsp->req->saidx.src.sa.sa_data;
> +             if ( *pport == htons(500) ) /* UDP_ENCAP_ESPINUDP_PORT */
> +                *pport = 0;
>         }
>         if (newsp->req && newsp->req->saidx.dst.sa.sa_family) {
>               struct sockaddr *sa;
> +             uint16_t *pport;
>               sa = (struct sockaddr *)(dst0 + 1);
>               if (sa->sa_family != newsp->req->saidx.dst.sa.sa_family) {
>                       _key_delsp(newsp);
>                       return key_senderror(so, m, EINVAL);
>               }
> +             pport = (uint16_t *)newsp->req->saidx.dst.sa.sa_data;
> +             if ( *pport == htons(500) ) /* UDP_ENCAP_ESPINUDP_PORT */
> +                *pport = 0;
>         }
>  #endif
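Review bot: the added `pport` lines read the port through a raw `uint16_t *` into `sa_data` instead of through `sin_port` / `sin6_port` of the address family the block has just validated, which hides the layout assumption and forces the next reader to verify it by hand; casting to `struct sockaddr_in *` (or `struct sockaddr_in6 *`) after the `sa_family` check keeps the same behaviour and documents itself. The rewrite is also silent: any policy whose endpoint port is 500 is turned into a wildcard-port policy with nothing reported to the caller and nothing logged, so a deliberately configured port-500 SP, as the reply below points out, quietly stops matching what the administrator asked for. At minimum the literal `500` should be the constant the comment already names, `UDP_ENCAP_ESPINUDP_PORT`, and the src and dst blocks, identical apart from the field they touch, could share one small helper so the two copies cannot drift.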

I'm not sure it will happen in real-life configurations, but if
someone really does want to set up an SP entry for port 500 (tunnel
mode, or anything else which may need that), your patch will prevent
it from working.

It may be cleaner to have racoon generate the correct SP entry, rather
than the kernel trying to guess what is right in an SPDADD command.


[....]
> The last patch makes it possible for a transport mode client to open a
> new connection to the server immediately after closing an old
> connection. Without this patch the client must wait for the routers to
> forget all their NAT entries.
> 
> @@ -4065,10 +4084,12 @@
>           /*
>            * If NAT-T is enabled, check ports for tunnel mode.
>            * Do not check ports if they are set to zero in the SPD.
> -          * Also do not do it for transport mode, as there is no
> +          * Also do not do it for native transport mode, as there is no
>            * port information available in the SP.
>            */
> -         if (saidx1->mode == IPSEC_MODE_TUNNEL &&
> +         if ((saidx1->mode == IPSEC_MODE_TUNNEL ||
> +             (saidx1->mode == IPSEC_MODE_TRANSPORT &&
> +             saidx1->proto == IPPROTO_ESP)) &&
>               saidx1->src.sa.sa_family == AF_INET &&
>               saidx1->dst.sa.sa_family == AF_INET &&
>               ((const struct sockaddr_in *)(&saidx1->src))->sin_port &&
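Review bot: the new condition does not separate "native" transport mode from NAT-T transport mode the way the updated comment claims: `saidx1->mode == IPSEC_MODE_TRANSPORT && saidx1->proto == IPPROTO_ESP` is true for every transport-mode ESP SA, encapsulated or not, so the only thing that still keeps the port comparison away from a native transport SA is the existing non-zero `sin_port` test on the SP. Either reword the comment to say exactly that (ports are compared whenever the SP carries them, for tunnel mode and transport-mode ESP alike), or test the SA's NAT-T encapsulation state rather than its protocol so the code matches the intent. The hunk as quoted stops at the `sin_port &&` line, so the remainder of the condition (the dst port side in particular) is not visible here; please post the complete hunk so that part can be reviewed as well.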

Right, I'll commit it on HEAD ASAP.



> At the end, a question: At the beginning of ip_ipsec_output() in
> ip_ipsec.c the flag PACKET_TAG_IPSEC_PENDING_TDB is used, but I can not
> find the place where this flag is set in the kernel. Can somebody
> enlighten me?

Good question.....

According to my grep and gtags, nowhere......



Yvan.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120905133822.GA4762>