authorHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2007-04-15 19:37:47 +0000
committerHans-Joerg Hoexer <hshoexer@cvs.openbsd.org>2007-04-15 19:37:47 +0000
commit4ff97e963e049d5e99aa0a3595ed29593130d870 (patch)
tree998d6fc897515b72e3adbf41f2a9e0e898f726cc
parent453a2d2072a61d4fbb1639b5a72c18cd2bd9ce33 (diff)
Fix interop issue with VPN peers that start rekeying on port 4500 when
NAT-T is used. Solves problems with cisco and openswan. Tested by todd@ (cisco interop), ok ho@ Original fix with Stefan Roth (stefan dot roth at siemens dot com), thanks!
-rw-r--r--sbin/isakmpd/message.c3
-rw-r--r--sbin/isakmpd/message.h5
-rw-r--r--sbin/isakmpd/udp_encap.c5
-rw-r--r--sbin/isakmpd/virtual.c12
4 files changed, 19 insertions, 6 deletions
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c
index a077171021d..b9982134b6d 100644
--- a/sbin/isakmpd/message.c
+++ b/sbin/isakmpd/message.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.c,v 1.123 2006/12/05 15:01:00 hshoexer Exp $ */
+/* $OpenBSD: message.c,v 1.124 2007/04/15 19:37:46 hshoexer Exp $ */
/* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -165,6 +165,7 @@ message_alloc_reply(struct message *msg)
reply = message_alloc(msg->transport, 0, ISAKMP_HDR_SZ);
reply->exchange = msg->exchange;
reply->isakmp_sa = msg->isakmp_sa;
+ reply->flags = msg->flags;
if (msg->isakmp_sa)
sa_reference(msg->isakmp_sa);
return reply;
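Review bot: The added `reply->flags = msg->flags;` copies every flag bit of the received message into the reply, not only MSG_NATT; message.h in this same commit shows at least MSG_AUTHENTICATED (0x10) living in the same field, and that bit describes the state of the message that was received rather than the reply being built. If the intent is only to keep the reply on the NAT-T port, restricting the copy to the relevant bit, `reply->flags = msg->flags & MSG_NATT;`, avoids a freshly allocated reply starting out marked as authenticated or carrying any other receive-side flag. Whether the other flag bits are consulted on the send path is not visible here, so this may be harmless in practice, but the narrower copy is the safer default. message_alloc_reply starts outside the hunk.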
diff --git a/sbin/isakmpd/message.h b/sbin/isakmpd/message.h
index 7d9b1e87431..04cf6bfac3e 100644
--- a/sbin/isakmpd/message.h
+++ b/sbin/isakmpd/message.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: message.h,v 1.24 2005/05/26 06:11:09 hshoexer Exp $ */
+/* $OpenBSD: message.h,v 1.25 2007/04/15 19:37:46 hshoexer Exp $ */
/* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */
/*
@@ -166,6 +166,9 @@ struct message {
/* This message has successfully been authenticated. */
#define MSG_AUTHENTICATED 0x10
+/* The message was received on the NAT-T port. */
+#define MSG_NATT 0x20
+
TAILQ_HEAD(msg_head, message);
/* The number of different ISAKMP payloads supported. */
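Review bot: The comment on the new MSG_NATT flag says "received on the NAT-T port", but the message.c hunk in this commit also propagates the flag into replies built by message_alloc_reply, so the flag is set on outgoing messages too. A reader who finds the bit on a message that was never received could be misled; I would extend the comment to `/* The message was received on the NAT-T port, or is a reply to such a message. */`. Documenting that the flag drives port selection on send (see the virtual.c change) would also help, since that is why it is inherited.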
diff --git a/sbin/isakmpd/udp_encap.c b/sbin/isakmpd/udp_encap.c
index b18b294ca50..54c4927f582 100644
--- a/sbin/isakmpd/udp_encap.c
+++ b/sbin/isakmpd/udp_encap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: udp_encap.c,v 1.19 2006/02/02 14:33:53 hshoexer Exp $ */
+/* $OpenBSD: udp_encap.c,v 1.20 2007/04/15 19:37:46 hshoexer Exp $ */
/*
* Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
@@ -404,6 +404,9 @@ udp_encap_handle_message(struct transport *t)
"packet received on transport %p", u);
return;
}
+
+ msg->flags |= MSG_NATT;
+
message_recv(msg);
}
diff --git a/sbin/isakmpd/virtual.c b/sbin/isakmpd/virtual.c
index b9e37389bf5..1a678917236 100644
--- a/sbin/isakmpd/virtual.c
+++ b/sbin/isakmpd/virtual.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: virtual.c,v 1.26 2006/06/02 19:35:55 hshoexer Exp $ */
+/* $OpenBSD: virtual.c,v 1.27 2007/04/15 19:37:46 hshoexer Exp $ */
/*
* Copyright (c) 2004 Håkan Olsson. All rights reserved.
@@ -627,10 +627,16 @@ virtual_send_message(struct message *msg, struct transport *t)
* - in other exchange (Aggressive, ), asap
* XXX ISAKMP_EXCH_BASE etc?
*/
- if (v->encap_is_active == 0 &&
+
+ if (msg->flags & MSG_NATT) {
+ msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_ENABLE;
+ msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER;
+ }
+
+ if ((v->encap_is_active == 0 &&
(msg->exchange->flags & EXCHANGE_FLAG_NAT_T_ENABLE) &&
(msg->exchange->type != ISAKMP_EXCH_ID_PROT ||
- msg->exchange->step > 4)) {
+ msg->exchange->step > 4)) || (msg->flags & MSG_NATT)) {
LOG_DBG((LOG_MESSAGE, 10, "virtual_send_message: "
"enabling NAT-T encapsulation for this exchange"));
v->encap_is_active++;
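Review bot: The new `|| (msg->flags & MSG_NATT)` alternative sits outside the `v->encap_is_active == 0` guard, so every message carrying MSG_NATT re-enters this branch, logs "enabling NAT-T encapsulation" again and increments `v->encap_is_active` once more, even when encapsulation is already active for this transport. If encap_is_active is only ever compared against zero this is harmless apart from the repeated debug output, but if it is decremented or compared elsewhere the counter drifts. Keeping the guard on the outside, `if (v->encap_is_active == 0 && ((msg->flags & MSG_NATT) ||` / `((msg->exchange->flags & EXCHANGE_FLAG_NAT_T_ENABLE) &&` / `(msg->exchange->type != ISAKMP_EXCH_ID_PROT || msg->exchange->step > 4)))) {`, preserves the new behaviour for the first NAT-T message while making the branch run once. Note also that the block just above already sets EXCHANGE_FLAG_NAT_T_ENABLE when MSG_NATT is set, so the exchange-flag test is implied for that case; a short comment saying the two blocks are deliberately ordered would save the next reader from checking. virtual_send_message's body continues past the end of the hunk.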