[Ipsec-tools-commits] ipsec-tools ChangeLog,1.354,1.355

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Update of /cvsroot/ipsec-tools/ipsec-tools
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv10736

Modified Files:
	ChangeLog 
Log Message:
Fix the client si
Resurrect racoon as a VPN client using ISAKMP mode config and NAT-T:

Because of the previous changes on NAT-T to accomodate multiple endpoints
behind the same NAT, we now try to perform a strict match of endpoint on
(address, port). For non ESP over UDP traffic, ports are always 0 so there
is no problem. 

For ESP over UDP traffic, ports are used, and the installed SP must have the
accurate ports. When racoon is a VPN client, it uses an external script to
install the SPD. This script must have the ports. When doing manual keying
with setkey, accurate ports must be supplied to setkey.

In this change:
- we modify racoon to give the local and remote IKE ports to the script
- we modify setkey so that it is now able to use ports in policy endpoints
- we modify the kernel so that it does not reject non null ports in policy 
  endpoints. This change have been committed in the NetBSD kernel
- we modify the hook scripts to use the IKE ports and give them to setkey
- racoon is also a bit changed so that remote conf are not looked up by 
  address and port. We never have any port information in remote conf, and
  now the kernel sends acquire message for a address and a port.         

Possible improvement for the future:
1) We let the user set ports in SP even if the SP does not use ESP, whereas
the ports only make sens for ESP over UDP data. Maybe intorducing an esp-udp
protocol would help here. That require large userland and kernel changes.
2) Add port information to remote conf to enable setups where multiple
responders are behind a NAT. For now only multiple endpoints behind the NAT
work only when the NATed endpoints are initators.


Index: ChangeLog
===================================================================
RCS file: /cvsroot/ipsec-tools/ipsec-tools/ChangeLog,v
retrieving revision 1.354
retrieving revision 1.355
diff -u -d -r1.354 -r1.355

--- ChangeLog	4 May 2005 17:17:23 -0000	1.354
+++ ChangeLog	5 May 2005 12:32:17 -0000	1.355
@@ -1,3 +1,16 @@
+2005-05-05  Emmanuel Dreyfus  <ma...@ne...>
+
+	* src/libipsec/{policy_parse.y|policy_token.l}
+	  src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP
+	  endpoints, for accurate ESP over UDP matching
+	* src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote
+	  ports to the hook scripts
+	* src/racoon/remoteconf.c: do not honour ports when looking up
+	  a remote config, as our remote config have no port information
+	* src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}:
+	  use the IKE ports supplied by racoon to set up acurate endpoints
+	  ports in SP endpoints
+
 2005-05-04  Yvan Vanhullebus  <va...@fr...>
 
 	* src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated



