Menu
▾
▴
[Ipsec-tools-devel] Addendum to p4a-p3b: patch supporting individual natt ports foreach remote connection
|
From: Wolfgang S. <wol...@di...> - 2011-11-21 18:00:39
|
Timo,
in the meanwhile I found that there was a bug in the manpage which is
related to my patch.
The manpage says, that the isakmp_natt entry in the listen block has an
optional port with no default. But in reality, the port is optional and the
default was 500.
Attached you'll find a patch which corrects this manpage description,
already considering my p4a-p3b patch, which changes the default to 4500.
Regards
Wolfgang
-----Ursprüngliche Nachricht-----
Von: Wolfgang Schmieder [mailto:wol...@di...]
Gesendet: Freitag, 18. November 2011 19:20
An: 'Timo Teräs'
Cc: ips...@li...
Betreff: Re: [Ipsec-tools-devel] patch supporting individual natt ports
foreach remote connection
Timo,
with your feedback, I am really unsure if my former patch p3 makes sense. At
least there is one small part which I extracted. This small patch fixes one
issue regarding a listen configuration without giving an explicit
isakmp_natt port number:
listen {
isakmp_natt 192.168.80.2;
}
I expected that racoon would listen on the default isakmp_natt port (4500 or
the port number passed with the -P switch). In fact racoon picked the
default isakmp port instead of the default isakmp_natt port.
The patch is based on an...@an...:/cvsroot at 2011-11-17
17:00h MEZ plus my patches p1 Version 2, p2 Version 2 p3a and p3b Version 2
which I sent yesterday evening.
Regards
Wolfgang
-----Ursprüngliche Nachricht-----
Von: Timo Teräs [mailto:tim...@gm...] Im Auftrag von Timo Teräs
Gesendet: Samstag, 12. November 2011 13:33
An: Wolfgang Schmieder
Cc: ips...@li...
Betreff: Re: [Ipsec-tools-devel] patch supporting individual natt ports for
each remote connection
Hi,
On 11/07/2011 10:17 PM, Wolfgang Schmieder wrote:
> please find attached a patch which will allow to specify individual natt
> ports for each remote connection in the racoon configuration file. The
patch
> is based on a CVS trunk snapshot from yesterday evening:
> an...@an...:/cvsroot at 2011-11-06 22:00h MEZ plus my
> previous patch p2-p1_memory_leak_fixes_parser.patch.tar.bz2.
>
>
> The configuration file syntax examples are as follows:
> remote 199.16.4.17 [501],[4501] { ... # use port 501 and natt port 4501
...
> }
>
> Alternative syntax:
> remote "remote site" { ...
> remote_address 199.16.4.17 [501],[4501] ...
> }
I'm slightly confused what this should do. Where the manpage patch that
describes this new feature?
It seems that the general idea is to specify the *remotes* ports, but
this seems to also affect the choice of local ports.
This seems to at least affect the port choices when being initiator for
a connection. Does this also afffect responder mode (that is the
incoming request does not match remote block unless ports match)?
In either case, this seems to be a tricky option, as most NAT gateways
just can go and change your port numbers, which makes this not work
properly. You'd need to have a lot of control over how the NAT box
behaves. In that case it'd probably be just easier to have separate IPs.
In addition of understanding the how this works, and why it's useful, I
also have some implementation details I'm not uncomfortable with. Mostly
to do with the "enum RMCONF_ERR", "rmconf_errinfo_t" and related error
handling. These could be simplified.
- Timo
|