From: Wolfgang S. <wol...@di...> - 2011-11-21 18:00:39

Timo,

in the meanwhile I found that there was a bug in the manpage which is related to my patch. The manpage says that the isakmp_natt entry in the listen block has an optional port with no default. But in reality, the port is optional and the default was 500. Attached you'll find a patch which corrects this manpage description, already considering my p4a-p3b patch, which changes the default to 4500.

Regards
Wolfgang

-----Original Message-----
From: Wolfgang Schmieder [mailto:wol...@di...]
Sent: Friday, 18 November 2011 19:20
To: 'Timo Teräs'
Cc: ips...@li...
Subject: Re: [Ipsec-tools-devel] patch supporting individual natt ports for each remote connection

Timo,

with your feedback, I am really unsure if my former patch p3 makes sense. At least there is one small part which I extracted. This small patch fixes one issue regarding a listen configuration without giving an explicit isakmp_natt port number:

listen {
    isakmp_natt 192.168.80.2;
}

I expected that racoon would listen on the default isakmp_natt port (4500 or the port number passed with the -P switch). In fact racoon picked the default isakmp port instead of the default isakmp_natt port.

The patch is based on an...@an...:/cvsroot at 2011-11-17 17:00h CET plus my patches p1 Version 2, p2 Version 2, p3a and p3b Version 2 which I sent yesterday evening.

Regards
Wolfgang

-----Original Message-----
From: Timo Teräs [mailto:tim...@gm...] on behalf of Timo Teräs
Sent: Saturday, 12 November 2011 13:33
To: Wolfgang Schmieder
Cc: ips...@li...
Subject: Re: [Ipsec-tools-devel] patch supporting individual natt ports for each remote connection

Hi,

On 11/07/2011 10:17 PM, Wolfgang Schmieder wrote:
> please find attached a patch which will allow to specify individual natt
> ports for each remote connection in the racoon configuration file. The patch
> is based on a CVS trunk snapshot from yesterday evening:
> an...@an...:/cvsroot at 2011-11-06 22:00h CET plus my
> previous patch p2-p1_memory_leak_fixes_parser.patch.tar.bz2.
>
> The configuration file syntax examples are as follows:
> remote 199.16.4.17 [501],[4501] {
>     ... # use port 501 and natt port 4501 ...
> }
>
> Alternative syntax:
> remote "remote site" {
>     ...
>     remote_address 199.16.4.17 [501],[4501]
>     ...
> }

I'm slightly confused what this should do. Where is the manpage patch that describes this new feature?

It seems that the general idea is to specify the *remote's* ports, but this seems to also affect the choice of local ports. This seems to at least affect the port choices when being initiator for a connection. Does this also affect responder mode (that is, the incoming request does not match the remote block unless the ports match)?

In either case, this seems to be a tricky option, as most NAT gateways can just go and change your port numbers, which makes this not work properly. You'd need to have a lot of control over how the NAT box behaves. In that case it'd probably be just easier to have separate IPs.

In addition to understanding how this works and why it's useful, I also have some implementation details I'm not comfortable with. Mostly to do with the "enum RMCONF_ERR", "rmconf_errinfo_t" and related error handling. These could be simplified.

- Timo
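As an added illustration (not part of the thread above and not racoon's own documentation), here is a constructed racoon.conf listen block in the implicit form Wolfgang describes, next to a form that states both ports explicitly. The thread reports that the implicit isakmp_natt port came out as 500 in the CVS tree of the time and as 4500 after the p4a-p3b patch, and that the -P switch also changes it; pinning the ports removes that dependency. Only one listen block belongs in a real racoon.conf; the two are shown together for comparison.

```conf
# Added example, not from the mailing-list thread. Constructed racoon.conf fragment.

# Implicit form: the isakmp_natt port is left to the daemon's default.
# According to the thread, which port that is depends on the racoon build
# (500 before the p4a-p3b patch, 4500 after it) and on the -P command-line switch.
listen {
    isakmp 192.168.80.2;
    isakmp_natt 192.168.80.2;
}

# Explicit form: both ports are pinned in square brackets, so the listening
# sockets do not depend on the compiled-in default or on -P.
listen {
    isakmp 192.168.80.2 [500];
    isakmp_natt 192.168.80.2 [4500];
}
```

After restarting racoon, a quick check is to list the bound UDP sockets (for example with ss -lun or netstat -lun) and confirm that 192.168.80.2 is bound on both 500 and 4500 rather than only on 500.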