From: Timo T. <tim...@ik...> - 2011-04-01 05:00:12

Hi,

On 04/01/2011 01:57 AM, Bradley Peterson wrote:
> First, is there a publicly available git/svn/cvs/etc repo for
> ipsec-tools? The Sourceforge CVS seems very out-of-date, and I
> haven't found anything at ipsec-tools.net.

cvs -da...@an...:/cvsroot co ipsec-tools

Mentioned at least on http://ipsec-tools.sourceforge.net/. Should add it
to the new wiki too.

> Specifically, I'm concerned with a change in isakmp_ph1begin_r between
> version 0.7.3 and 0.8.0. After upgrading to 0.8.0, racoon seems to be
> ignoring config options in my remote anonymous when it is the
> responder. The specific options are nat_traversal force and ike_frag
> on. Using gdb, I see that when it gets to natt_hash_addr,
> iph1->rmconf is null. In 0.7.3, iph1->rmconf is set in
> isakmp_ph1begin_r, but it no longer is in 0.8.0. I would like to know
> the specifics of this change and where rmconf now gets set.

This is because I added support for multiple anonymous peers. The actual
remote conf decision can be made late depending on e.g. certificate or
identity name. However, in main mode those are not available until late
in the negotiation. (While being initiator the remote conf is decided
early always.)

I thought I implemented the remote conf to be selected early if possible,
and late if not possible early. But apparently I forgot the first test
(maybe due to testing that the null remote conf would not be
dereferenced). Try the patch below for this.

Additionally, nat_traversal and ike_frag are options which must be
announced in the very beginning of the negotiation. There's no simple way
to set them if one has multiple possible remote block candidates.
Currently nat_traversal is checked so that if any of the matching remote
conf blocks has it enabled, it's enabled. However, nat force mode seems
to use a different code path and is apparently broken in this case :(

The patch below should enable selecting the remote conf early if possible.

Cheers,
Timo

$ cvs diff -u isakmp_ident.c
Index: isakmp_ident.c
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/isakmp_ident.c,v
retrieving revision 1.13
diff -u -r1.13 isakmp_ident.c
--- isakmp_ident.c	18 Sep 2009 10:31:11 -0000	1.13
+++ isakmp_ident.c	1 Apr 2011 04:56:56 -0000
@@ -929,6 +929,11 @@
 goto end;
 }
+ if (resolveph1rmconf(iph1) < 0) {
+ plog(LLV_ERROR, LOCATION, iph1->remote,
+ "no matching remote configrations.\n");
+ goto end;
+ }
 iph1->status = PHASE1ST_MSG1RECEIVED;
 error = 0;
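Review bot: the plog message in the added block has a typo ("configrations" should be "configurations"); worth fixing before commit since operators search logs for these strings. It would also help to state, in the commit message or a comment above the call, what resolveph1rmconf(iph1) returns when more than one anonymous block still matches at message 1 (the mail says the decision may have to be deferred until the identity is known): only the negative return is treated as a failure here, so a reader of this hunk cannot tell whether a zero return means "selected" or "still undecided", and whether iph1->rmconf may still be NULL after this point.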
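To make the selection rule Timo describes concrete (pick the remote block early when the peer address alone decides it, defer to a later identity check when several anonymous blocks still match, and announce NAT-T in the first exchange if any remaining candidate enables it), here is an added example in C. It is not racoon's code: the rmconf struct, the functions resolve_early(), resolve_late(), announce_natt() and the sample configuration are constructed for this illustration, and the rule that an address-specific block wins over anonymous blocks is an assumption of the model.

```c
#include <stddef.h>
#include <string.h>

/* Constructed example (not racoon source): responder-side selection of a
 * remote configuration block when several anonymous blocks are present. */

#define MAX_CONF 8

enum rm_result { RM_NONE = -1, RM_UNDECIDED = 0, RM_SELECTED = 1 };

struct rmconf {
    const char *remote;    /* "anonymous" or a peer address */
    int nat_traversal;     /* 0 = off, 1 = on, 2 = force (constructed encoding) */
    int ike_frag;          /* 0 = off, 1 = on */
    const char *peer_id;   /* identity this block accepts; NULL = any (known late) */
};

/* Constructed configuration: one address-specific block and two anonymous
 * blocks that differ only in the identity they accept. */
static const struct rmconf sample_confs[] = {
    { "192.0.2.10", 0, 0, NULL },
    { "anonymous",  2, 1, "CN=roadwarrior-a" },
    { "anonymous",  1, 1, "CN=roadwarrior-b" },
};
static const int sample_nconf = 3;

/* Step 1: narrow by peer address, the only selector available in message 1.
 * Assumption of this model: a block naming the exact address wins over
 * anonymous blocks; otherwise every anonymous block is a candidate. */
static int candidates_by_address(const struct rmconf *confs, int n,
                                 const char *peer, int *cands)
{
    int i, ncand = 0;
    for (i = 0; i < n && ncand < MAX_CONF; i++)
        if (strcmp(confs[i].remote, peer) == 0)
            cands[ncand++] = i;
    if (ncand > 0)
        return ncand;
    for (i = 0; i < n && ncand < MAX_CONF; i++)
        if (strcmp(confs[i].remote, "anonymous") == 0)
            cands[ncand++] = i;
    return ncand;
}

/* Step 2: select early only when the address leaves exactly one candidate;
 * report RM_UNDECIDED (not an error) when the choice must wait for the
 * peer's identity, and RM_NONE when nothing matches at all. */
static enum rm_result resolve_early(const struct rmconf *confs, int n,
                                    const char *peer, int *chosen)
{
    int cands[MAX_CONF];
    int ncand = candidates_by_address(confs, n, peer, cands);
    if (ncand == 0)
        return RM_NONE;
    if (ncand == 1) {
        *chosen = cands[0];
        return RM_SELECTED;
    }
    return RM_UNDECIDED;
}

/* Step 3: finish a deferred decision once the identity payload has been
 * seen; the first candidate accepting that identity (or any identity) wins. */
static enum rm_result resolve_late(const struct rmconf *confs, int n,
                                   const char *peer, const char *peer_id,
                                   int *chosen)
{
    int cands[MAX_CONF], i;
    int ncand = candidates_by_address(confs, n, peer, cands);
    for (i = 0; i < ncand; i++) {
        const struct rmconf *c = &confs[cands[i]];
        if (c->peer_id == NULL || strcmp(c->peer_id, peer_id) == 0) {
            *chosen = cands[i];
            return RM_SELECTED;
        }
    }
    return RM_NONE;
}

/* NAT-T support is announced in the first exchange, before a deferred
 * decision can be made, so the rule from the mail is applied: announce it
 * if any still-matching candidate has nat_traversal enabled. */
static int announce_natt(const struct rmconf *confs, int n, const char *peer)
{
    int cands[MAX_CONF], i;
    int ncand = candidates_by_address(confs, n, peer, cands);
    for (i = 0; i < ncand; i++)
        if (confs[cands[i]].nat_traversal != 0)
            return 1;
    return 0;
}
```

The point the model makes visible is that "undecided" and "no match" are different outcomes of the early check: only the latter should abort message 1 handling, while the former must leave a later step to fill in the block, and anything read from the block before that (such as a NAT-T announcement) has to be derived from the whole candidate set rather than from a pointer that is still NULL.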