Re: [Ipsec-tools-devel] [PATCH] Fix matching of IPSec-SA NAT-T ports when deleting them

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

On Thu, Apr 03, 2008 at 03:32:42PM +0300, Timo Ter?s wrote:
> VANHULLEBUS Yvan wrote:
[.....]
> > Some NAT-T issues are already well known with ipsec-tools, mainly
> > because Linux and Free/NetBSD don't have exactly the same way of
> > handling port numbers.
> 
> Is there a list somewhere? I'd be happy to check these in Linux. Since
> I'm likely to bump into them sooner or later.

Actually, you'll find informations about that issue mainly in
ipsec-tools-devel's archives, and a few other ones "elsewhere" (a bit
in freebsd-net, but most discussions there have been done in private
mails, nad probably in some other places).

I started to collect and synthetize all informations in one single
place, which will be public "soon".

[...]
> > Before reporting such patch, we'll have to ensure it doesn't break
> > other things (on Linux or on Free/NetBSD), I'll try to do such tests
> > ASAP (but I know it takes some time to do that), and if other people
> > can do some tests and report on the list the exact setup they tested
> > (OS/kernel version used, ipsec-tools version, what is the peer), if
> > NAT-T still works and if DELETE-SAs are correctly send/received, it
> > would be great !
> 
> Of course. I figured BSD would do it differently, so that why I'm not
> sure if the ports should be overwritten always or the way the attached
> patch does it.
> 
> For my part, I can report that the patch fixes things for me: I'm
> running Linux 2.6.23 kernel and ipsec-tools CVS HEAD on both ends.

Some patches can be reported without problems, if and only if they are
done "the right way".

Your ipsec-sa-compare-fix.diff patch seems to be done that way (it
does things by extracting SADB_X_EXT_NAT_T_[S|D]PORT if they are
present, and doesn't change anything if they are not present), and
will probably be reported "ASAP".

Yvan.