From: Timo T. <tim...@ik...> - 2013-11-21 18:44:13

On Thu, 21 Nov 2013 16:33:46 +0000 John Williams <joh...@pc...> wrote:

> I'm following the instructions in chapter 7 of the "Linux advanced
> routing and traffic control howto", to set up a TCP connection
> protected by IPsec. Not a VPN, and no NAT involved; just two machines
> on a LAN.
>
> With ipsec-tools 0.8.0 everything works fine, but with version 0.8.1
> on one of the servers, racoon fails to establish a security
> association, and nothing works.
>
> I've traced the problem to this change between 0.8.0 and 0.8.1:
>
> --- ipsec-tools-0.8.0/src/racoon/isakmp.c
> +++ ipsec-tools-0.8.1/src/racoon/isakmp.c
> @@ -2943,7 +2943,7 @@
> port = myaddr_getsport(iph1->local);
> if (port == 0)
> port = PORT_ISAKMP;
> - set_port(iph1->local, PORT_ISAKMP);
> + set_port(iph1->local, port);
> }
>
> #ifdef ENABLE_NATT
>
> If I reverse this change, it starts working. I notice that
> myaddr_setsport() is returning 4500, whereas PORT_ISAKMP has the value
> 500. Any idea what has gone wrong?
>
> racoon is compiled with NAT-traversal enabled (I'm using the package
> from Arch Linux), but "nat_traversal" is not turned on in the
> racoon.conf file, which is just as in the "howto" except for the
> obvious change to the IP addresses.

I believe this is fixed already in 0.8-branch. IIRC, the myaddr_getsport() Linux version was returning bad values. There's a bunch of other fixes in 0.8-branch too, so it might be time to make 0.8.2 soon.

- Timo
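Review bot: the hunk at @@ -2943,7 +2943,7 @@ makes set_port() trust whatever myaddr_getsport(iph1->local) returns, guarding only the zero case; the report above shows it handing back 4500 with nat_traversal disabled, so a bad value from that helper now becomes the local ISAKMP port and the phase 1 exchange fails without any diagnostic. If the Linux myaddr_getsport() is the real defect, fix it there, but this call site should still reject a port that is neither PORT_ISAKMP nor the NAT-T port (or at minimum log the port it settles on) so the misconfiguration is visible rather than a silent SA negotiation failure.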