diff options
author | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2007-04-15 19:37:47 +0000 |
---|---|---|
committer | Hans-Joerg Hoexer <hshoexer@cvs.openbsd.org> | 2007-04-15 19:37:47 +0000 |
commit | 4ff97e963e049d5e99aa0a3595ed29593130d870 (patch) | |
tree | 998d6fc897515b72e3adbf41f2a9e0e898f726cc | |
parent | 453a2d2072a61d4fbb1639b5a72c18cd2bd9ce33 (diff) |
Fix interop-issue with vpn peers that start reyking on port 4500 when
NAT-T is used. Solves problems with cisco and openswan.
Tested by todd@ (cisco interop), ok ho@
Original fix with Stefan Roth (stefan dot roth at siemens dot com),
thanks!
-rw-r--r-- | sbin/isakmpd/message.c | 3 | ||||
-rw-r--r-- | sbin/isakmpd/message.h | 5 | ||||
-rw-r--r-- | sbin/isakmpd/udp_encap.c | 5 | ||||
-rw-r--r-- | sbin/isakmpd/virtual.c | 12 |
4 files changed, 19 insertions, 6 deletions
diff --git a/sbin/isakmpd/message.c b/sbin/isakmpd/message.c index a077171021d..b9982134b6d 100644 --- a/sbin/isakmpd/message.c +++ b/sbin/isakmpd/message.c @@ -1,4 +1,4 @@ -/* $OpenBSD: message.c,v 1.123 2006/12/05 15:01:00 hshoexer Exp $ */ +/* $OpenBSD: message.c,v 1.124 2007/04/15 19:37:46 hshoexer Exp $ */ /* $EOM: message.c,v 1.156 2000/10/10 12:36:39 provos Exp $ */ /* @@ -165,6 +165,7 @@ message_alloc_reply(struct message *msg) reply = message_alloc(msg->transport, 0, ISAKMP_HDR_SZ); reply->exchange = msg->exchange; reply->isakmp_sa = msg->isakmp_sa; + reply->flags = msg->flags; if (msg->isakmp_sa) sa_reference(msg->isakmp_sa); return reply; diff --git a/sbin/isakmpd/message.h b/sbin/isakmpd/message.h index 7d9b1e87431..04cf6bfac3e 100644 --- a/sbin/isakmpd/message.h +++ b/sbin/isakmpd/message.h @@ -1,4 +1,4 @@ -/* $OpenBSD: message.h,v 1.24 2005/05/26 06:11:09 hshoexer Exp $ */ +/* $OpenBSD: message.h,v 1.25 2007/04/15 19:37:46 hshoexer Exp $ */ /* $EOM: message.h,v 1.51 2000/10/10 12:36:39 provos Exp $ */ /* @@ -166,6 +166,9 @@ struct message { /* This message has successfully been authenticated. */ #define MSG_AUTHENTICATED 0x10 +/* The message was received on the NAT-T port. */ +#define MSG_NATT 0x20 + TAILQ_HEAD(msg_head, message); /* The number of different ISAKMP payloads supported. */ diff --git a/sbin/isakmpd/udp_encap.c b/sbin/isakmpd/udp_encap.c index b18b294ca50..54c4927f582 100644 --- a/sbin/isakmpd/udp_encap.c +++ b/sbin/isakmpd/udp_encap.c @@ -1,4 +1,4 @@ -/* $OpenBSD: udp_encap.c,v 1.19 2006/02/02 14:33:53 hshoexer Exp $ */ +/* $OpenBSD: udp_encap.c,v 1.20 2007/04/15 19:37:46 hshoexer Exp $ */ /* * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. @@ -404,6 +404,9 @@ udp_encap_handle_message(struct transport *t) "packet received on transport %p", u); return; } + + msg->flags |= MSG_NATT; + message_recv(msg); } diff --git a/sbin/isakmpd/virtual.c b/sbin/isakmpd/virtual.c index b9e37389bf5..1a678917236 100644 --- a/sbin/isakmpd/virtual.c +++ b/sbin/isakmpd/virtual.c @@ -1,4 +1,4 @@ -/* $OpenBSD: virtual.c,v 1.26 2006/06/02 19:35:55 hshoexer Exp $ */ +/* $OpenBSD: virtual.c,v 1.27 2007/04/15 19:37:46 hshoexer Exp $ */ /* * Copyright (c) 2004 Håkan Olsson. All rights reserved. @@ -627,10 +627,16 @@ virtual_send_message(struct message *msg, struct transport *t) * - in other exchange (Aggressive, ), asap * XXX ISAKMP_EXCH_BASE etc? */ - if (v->encap_is_active == 0 && + + if (msg->flags & MSG_NATT) { + msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_ENABLE; + msg->exchange->flags |= EXCHANGE_FLAG_NAT_T_CAP_PEER; + } + + if ((v->encap_is_active == 0 && (msg->exchange->flags & EXCHANGE_FLAG_NAT_T_ENABLE) && (msg->exchange->type != ISAKMP_EXCH_ID_PROT || - msg->exchange->step > 4)) { + msg->exchange->step > 4)) || (msg->flags & MSG_NATT)) { LOG_DBG((LOG_MESSAGE, 10, "virtual_send_message: " "enabling NAT-T encapsulation for this exchange")); v->encap_is_active++; |