From: John W. <joh...@pc...> - 2013-11-21 16:33:54
Hello, I posted this on the ipsec-tools-users list, and they sent me here instead...

I'm following the instructions in chapter 7 of the "Linux advanced routing and traffic control howto", to set up a TCP connection protected by IPsec. Not a VPN, and no NAT involved; just two machines on a LAN. With ipsec-tools 0.8.0 everything works fine, but with version 0.8.1 on one of the servers, racoon fails to establish a security association, and nothing works.

I've traced the problem to this change between 0.8.0 and 0.8.1:

--- ipsec-tools-0.8.0/src/racoon/isakmp.c
+++ ipsec-tools-0.8.1/src/racoon/isakmp.c
@@ -2943,7 +2943,7 @@
 		port = myaddr_getsport(iph1->local);
 		if (port == 0)
 			port = PORT_ISAKMP;
-		set_port(iph1->local, PORT_ISAKMP);
+		set_port(iph1->local, port);
 	}
 #ifdef ENABLE_NATT

If I reverse this change, it starts working. I notice that myaddr_setsport() is returning 4500, whereas PORT_ISAKMP has the value 500. Any idea what has gone wrong?

racoon is compiled with NAT-traversal enabled (I'm using the package from Arch Linux), but "nat_traversal" is not turned on in the racoon.conf file, which is just as in the "howto" except for the obvious change to the IP addresses.

John
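Review bot: the only value this hunk guards against is port == 0; any other port returned by myaddr_getsport(iph1->local) is now passed straight to set_port(iph1->local, port), and the reporter observes that the returned port is 4500 while PORT_ISAKMP is 500, so phase 1 ends up bound to the NAT-T port even though nat_traversal is not enabled in racoon.conf. Since this runs before the #ifdef ENABLE_NATT block, the fallback should cover more than zero: keep the looked-up port only when NAT-T is actually in use for this exchange, and otherwise fall back to PORT_ISAKMP as the pre-0.8.1 line `set_port(iph1->local, PORT_ISAKMP);` did, so that a NAT-T-capable build with nat_traversal off behaves the same as a build without it.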