author | Marco Pfatschbacher <mpf@cvs.openbsd.org> | 2009-01-20 14:36:20 +0000 |
---|---|---|
committer | Marco Pfatschbacher <mpf@cvs.openbsd.org> | 2009-01-20 14:36:20 +0000 |
commit | 66729e2a843c8e9110bf23a513cfbf95d3e04087 (patch) | |
tree | b485048be383611ea2acfc86d5d97f56ae3705da /sbin/isakmpd/ipsec.c | |
parent | 4c0a50691c50459754a492efc215ccabc8f9e4e1 (diff) |
Add support to isakmpd(8) and ipsecctl(8) to install SA's with a
different source network than we have negotiated with a peer.
This enables us to do nat/binat on the enc(4) interface.
Very useful to work around rfc 1918 collisions.
Manpage and testing by Mitja Muzenic. Thanks!
OK hshoexer@, markus@. "I like it" todd@
Diffstat (limited to 'sbin/isakmpd/ipsec.c')
-rw-r--r-- | sbin/isakmpd/ipsec.c | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/sbin/isakmpd/ipsec.c b/sbin/isakmpd/ipsec.c
index df423c22d78..dee610aec3f 100644
--- a/sbin/isakmpd/ipsec.c
+++ b/sbin/isakmpd/ipsec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ipsec.c,v 1.130 2007/09/02 15:19:24 deraadt Exp $ */
+/* $OpenBSD: ipsec.c,v 1.131 2009/01/20 14:36:19 mpf Exp $ */
 /* $EOM: ipsec.c,v 1.143 2000/12/11 23:57:42 niklas Exp $ */
 
 /*
@@ -46,6 +46,7 @@
 #include "attribute.h"
 #include "conf.h"
+#include "connection.h"
 #include "constants.h"
 #include "crypto.h"
 #include "dh.h"
@@ -522,6 +523,22 @@ static int
 ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
 {
 	int id;
+	char *name, *nat = NULL;
+	u_int8_t *nat_id = NULL;
+	size_t nat_sz;
+
+	if ((name = connection_passive_lookup_by_ids(src_id, dst_id)))
+		nat = conf_get_str(name, "NAT-ID");
+
+	if (nat) {
+		if ((nat_id = ipsec_build_id(nat, &nat_sz))) {
+			LOG_DBG((LOG_EXCHANGE, 50, "ipsec_set_network: SRC-NAT:"
+			    " src: %s -> %s", name, nat));
+			src_id = nat_id;
+		} else
+			log_print("ipsec_set_network: ipsec_build_id"
+			    " failed for NAT-ID: %s", nat);
+	}
 
 	/* Set source address/mask. */
 	id = GET_ISAKMP_ID_TYPE(src_id);
@@ -594,6 +611,9 @@ ipsec_set_network(u_int8_t *src_id, u_int8_t *dst_id, struct ipsec_sa *isa)
 	    src_id + ISAKMP_ID_DOI_DATA_OFF + IPSEC_ID_PORT_OFF,
 	    IPSEC_ID_PORT_LEN);
 
+	if (nat_id)
+		free(nat_id);
+
 	/* Set destination address. */
 	id = GET_ISAKMP_ID_TYPE(dst_id);
 	switch (id) {
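Review bot: In the ipsec_set_network hunks, nat_id is freed in the second hunk while src_id still aliases it (src_id = nat_id in the first), and that free sits in the middle of the function, so any error return between ipsec_build_id and that point leaks the buffer and any later read of src_id is a use after free; the switch on the source id type lies outside the hunk, so I cannot see from here whether it returns early. A safer shape keeps nat_id alive until the last use of src_id and releases it on every exit, either with `free(nat_id);` before each `return` or by routing the error returns through one cleanup label. nat_sz is assigned by ipsec_build_id but never read; either drop it or use it to check the built id before GET_ISAKMP_ID_TYPE(src_id) dereferences it. The NAT-ID value comes from the local configuration rather than from the peer, which deserves a one-line comment such as `/* NAT-ID is an operator-configured local override of the negotiated source id. */` so the next reader does not mistake it for peer-controlled input. ipsec_set_network continues outside both hunks.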