Date: Wed, 05 Sep 2012 17:47:20 +0200
From: Andreas Longwitz <longwitz@incore.de>
To: VANHULLEBUS Yvan <vanhu@FreeBSD.org>, freebsd-net@freebsd.org
Subject: Re: Support for IPSec VPN's: some patches for netipsec/key.c
Message-ID: <50477408.30003@incore.de>
In-Reply-To: <20120905133822.GA4762@zeninc.net>
References: <50474D5C.4020003@incore.de> <20120905133822.GA4762@zeninc.net>
Hi,

>> The following patches are all for netipsec/key.c:
>>
>> I use parameter "generate_policy on" in racoon.conf. This works for
>> clients with NAT-T, but direct connected clients need the following
>> patch (likewise in ipsec-tools/roadwarrior/client/phase1-up.sh):
>>
>> @@ -1927,19 +1930,27 @@
>> #if 1
>> if (newsp->req && newsp->req->saidx.src.sa.sa_family) {
>> struct sockaddr *sa;
>> + uint16_t *pport;
>> sa = (struct sockaddr *)(src0 + 1);
>> if (sa->sa_family != newsp->req->saidx.src.sa.sa_family) {
>> _key_delsp(newsp);
>> return key_senderror(so, m, EINVAL);
>> }
>> + pport = (uint16_t *)newsp->req->saidx.src.sa.sa_data;
>> + if ( *pport == htons(500) ) /* UDP_ENCAP_ESPINUDP_PORT */
>> + *pport = 0;
>> }
>> if (newsp->req && newsp->req->saidx.dst.sa.sa_family) {
>> struct sockaddr *sa;
>> + uint16_t *pport;
>> sa = (struct sockaddr *)(dst0 + 1);
>> if (sa->sa_family != newsp->req->saidx.dst.sa.sa_family) {
>> _key_delsp(newsp);
>> return key_senderror(so, m, EINVAL);
>> }
>> + pport = (uint16_t *)newsp->req->saidx.dst.sa.sa_data;
>> + if ( *pport == htons(500) ) /* UDP_ENCAP_ESPINUDP_PORT */
>> + *pport = 0;
>> }
>> #endif
>
> I'm not sure it will happen in real life configurations, but if
> someone does really want to setup a SP entry for port 500 (tunnel
> mode, or anything else which may need that), your patch will prevent
> it from working.

Yes, I agree.

> It may be cleaner to have racoon generate the good SP entry, rather
> than kernel trying to guess what is right in a SPDADD command.

The SPDADD command is done by racoon because I have generate_policy on,
but racoon sets ports to 500 for direct connected clients. If this would
be fixed in racoon, then the above kernel patch is superfluous.

>> The last patch makes it possible for a transport mode client to open a
>> new connection to the server immediately after closing an old
>> connection. Without this patch the client must wait for the routers to
>> forget all their NAT entries.
>>
>> @@ -4065,10 +4084,12 @@
>> /*
>> * If NAT-T is enabled, check ports for tunnel mode.
>> * Do not check ports if they are set to zero in the SPD.
>> - * Also do not do it for transport mode, as there is no
>> + * Also do not do it for native transport mode, as there is no
>> * port information available in the SP.
>> */
>> - if (saidx1->mode == IPSEC_MODE_TUNNEL &&
>> + if ((saidx1->mode == IPSEC_MODE_TUNNEL ||
>> + (saidx1->mode == IPSEC_MODE_TRANSPORT &&
>> + saidx1->proto == IPPROTO_ESP)) &&
>> saidx1->src.sa.sa_family == AF_INET &&
>> saidx1->dst.sa.sa_family == AF_INET &&
>> ((const struct sockaddr_in *)(&saidx1->src))->sin_port &&
>
> Right, I'll commit it on HEAD ASAP.

Good news, thanks !

Andreas Longwitz
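Review bot: in the first hunk (@@ -1927,19 +1930,27 @@) the added port rewrite in both the src and dst blocks silently turns any SP whose port is 500 into a wildcard-port SP, so an SPDADD for a policy that legitimately needs port 500 (the tunnel-mode case the reply above raises) is altered instead of rejected or installed as given; since the SPDADD here is generated by racoon with generate_policy on, the correction belongs in racoon rather than in key.c. If the kernel-side workaround is kept anyway, compare against the constant the comment names, UDP_ENCAP_ESPINUDP_PORT, instead of the literal 500, and read the port through the family-specific structure (sin_port / sin6_port, after the sa_family check that already precedes it) rather than `pport = (uint16_t *)newsp->req->saidx.src.sa.sa_data;`, which depends on the port being the first two bytes of sa_data for every supported family. The src and dst blocks are identical apart from the member name, so a small helper would remove the duplication.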
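Review bot: in the second hunk (@@ -4065,10 +4084,12 @@) the reworded comment says the port check is skipped only for "native transport mode", but the new condition `(saidx1->mode == IPSEC_MODE_TRANSPORT && saidx1->proto == IPPROTO_ESP)` enables the check for every transport-mode ESP SA and tests nothing about NAT-T encapsulation on the SA itself, so a transport-mode ESP SA without NAT-T is now also compared on ports. Either add the NAT-T condition the comment implies, or reword the comment to state exactly what is tested (transport mode with IPPROTO_ESP). The hunk ends at the src-side `sin_port` test; the dst-side part of the condition lies outside the shown context and should be checked in the committed version.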
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?50477408.30003>