authorMarco Pfatschbacher <mpf@cvs.openbsd.org>2009-01-20 14:36:20 +0000
committerMarco Pfatschbacher <mpf@cvs.openbsd.org>2009-01-20 14:36:20 +0000
commit66729e2a843c8e9110bf23a513cfbf95d3e04087 (patch)
treeb485048be383611ea2acfc86d5d97f56ae3705da /sbin/isakmpd/ipsec.c
parent4c0a50691c50459754a492efc215ccabc8f9e4e1 (diff)
Add support to isakmpd(8) and ipsecctl(8) to install SAs with a
different source network than we have negotiated with a peer. This enables us to do nat/binat on the enc(4) interface. Very useful to work around rfc 1918 collisions. Manpage and testing by Mitja Muzenic. Thanks! OK hshoexer@, markus@. "I like it" todd@
Diffstat (limited to 'sbin/isakmpd/ipsec.c')
-rw-r--r--sbin/isakmpd/ipsec.c22
1 files changed, 21 insertions, 1 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index df423c22d78..dee610aec3f 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.130 2007/09/02 15:19:24 deraadt Exp $ */
+/* $OpenBSD: ipsec.c,v 1.131 2009/01/20 14:36:19 mpf Exp $ */
/* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
/*
@@ -46,6 +46,7 @@
#include "attribute.h"
#include "conf.h"
+#include "connection.h"
#include "constants.h"
#include "crypto.h"
#include "dh.h"
@@ -522,6 +523,22 @@ static int
ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
{
int id;
+ char *name, *nat = NULL;
+ u_int8_t *nat_id = NULL;
+ size_t nat_sz;
+
+ if ((name = connection_passive_lookup_by_ids(src_id, dst_id)))
+ nat = conf_get_str(name, "NAT-ID");
+
+ if (nat) {
+ if ((nat_id = ipsec_build_id(nat, &nat_sz))) {
+ LOG_DBG((LOG_EXCHANGE, 50, "ipsec_set_network: SRC-NAT:"
+ " src: %s -> %s", name, nat));
+ src_id = nat_id;
+ } else
+ log_print("ipsec_set_network: ipsec_build_id"
+ " failed for NAT-ID: %s", nat);
+ }
/* Set source address/mask. */
id = GET_ISAKMP_ID_TYPE(src_id);
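Review bot: nat_id is heap memory returned by ipsec_build_id() and is released only in the second hunk of this file (the `if (nat_id) free(nat_id);` after the source port is copied), so any error return in the source-address handling that sits between this hunk and that free — the switch on the source ID type begins on the last line here and continues outside the hunk, and allocation-failure paths in it presumably return early — leaks the buffer; releasing nat_id on those paths, or at a single exit label, would close that. After that free src_id still aliases the released buffer, so it must not be read again further down in the function; if it is, that is a use-after-free rather than a leak. The `if (nat_id)` guard around free() is redundant, since free(NULL) is a no-op. When ipsec_build_id() fails the code logs and then carries on with the negotiated src_id, which installs an SA with a source network other than the one the administrator configured under NAT-ID; failing the call instead (`return -1;` after the log_print) keeps the installed SA consistent with the configuration. ipsec_set_network's body starts before this hunk and continues past both hunks.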
@@ -594,6 +611,9 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
IPSEC_ID_PORT_LEN);
+ if (nat_id)
+ free(nat_id);
+
/* Set destination address. */
id = GET_ISAKMP_ID_TYPE(dst_id);
switch (id) {