From: Emmanuel D. <ma...@us...> - 2005-05-05 12:32:28
Update of /cvsroot/ipsec-tools/ipsec-tools
In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv10736

Modified Files:
	ChangeLog

Log Message:
Fix the client si Resurrect racoon as a VPN client using ISAKMP mode config and NAT-T:

Because of the previous changes on NAT-T to accommodate multiple endpoints behind the same NAT, we now try to perform a strict match of endpoint on (address, port). For non ESP over UDP traffic, ports are always 0 so there is no problem. For ESP over UDP traffic, ports are used, and the installed SP must have the accurate ports. When racoon is a VPN client, it uses an external script to install the SPD. This script must have the ports. When doing manual keying with setkey, accurate ports must be supplied to setkey.

In this change:
- we modify racoon to give the local and remote IKE ports to the script
- we modify setkey so that it is now able to use ports in policy endpoints
- we modify the kernel so that it does not reject non null ports in policy endpoints. This change has been committed in the NetBSD kernel
- we modify the hook scripts to use the IKE ports and give them to setkey
- racoon is also a bit changed so that remote conf are not looked up by address and port. We never have any port information in remote conf, and now the kernel sends acquire message for an address and a port.

Possible improvement for the future:
1) We let the user set ports in SP even if the SP does not use ESP, whereas the ports only make sense for ESP over UDP data. Maybe introducing an esp-udp protocol would help here. That requires large userland and kernel changes.
2) Add port information to remote conf to enable setups where multiple responders are behind a NAT. For now multiple endpoints behind the NAT work only when the NATed endpoints are initiators.
Index: ChangeLog =================================================================== RCS file: /cvsroot/ipsec-tools/ipsec-tools/ChangeLog,v retrieving revision 1.354 retrieving revision 1.355 diff -u -d -r1.354 -r1.355 --- ChangeLog 4 May 2005 17:17:23 -0000 1.354 +++ ChangeLog 5 May 2005 12:32:17 -0000 1.355 @@ -1,3 +1,16 @@ +2005-05-05 Emmanuel Dreyfus <ma...@ne...> + + * src/libipsec/{policy_parse.y|policy_token.l} + src/setkey/{setkey.8|token.l}: Allow ports to be supplied in SP + endpoints, for accurate ESP over UDP matching + * src/racoon/{isakmp.c|racoon.conf.5}: Send IKE local and remote + ports to the hook scripts + * src/racoon/remoteconf.c: do not honour ports when looking up + a remote config, as our remote config have no port information + * src/racoon/samples/roadwarrior/client/{phase1-up.sh|phase1-down.sh}: + use the IKE ports supplied by racoon to set up acurate endpoints + ports in SP endpoints + 2005-05-04 Yvan Vanhullebus <va...@fr...> * src/racoon/isakmp_inf.c: code cleanup for SPD remove, generated |
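Review bot: the entry does not record that SPs with non-zero endpoint ports depend on the matching kernel change (committed to NetBSD, per the log message); an older kernel rejects such policies, so the `src/setkey/{setkey.8|token.l}` line should say which kernels accept the new port syntax. Two typos in the same entry: "acurate endpoints" should read "accurate endpoints", and "our remote config have no port information" should read "has no port information".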
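An added example, not the roadwarrior sample script from this commit, of what the phase1-up hook has to do once racoon hands it the IKE ports: emit setkey policies whose tunnel endpoints carry those ports, so the SP matches the NAT-T SA on (address, port) rather than address alone. The environment variable names LOCAL_ADDR, LOCAL_PORT, REMOTE_ADDR, REMOTE_PORT and INTERNAL_ADDR4, and the addr[port] notation for policy endpoints, are assumptions about racoon and libipsec, not taken from the page.

```shell
#!/bin/sh
# Added example (not the ipsec-tools sample hook). Builds the setkey SPD
# commands for a mode-config road warrior, carrying the IKE ports into the
# tunnel endpoints so the policy matches the ESP-over-UDP SA on (address, port).

# Format one tunnel endpoint. Assumption drawn from the log message: ports are
# only meaningful for ESP over UDP, and plain IKE on port 500 means no NAT-T
# was negotiated, so the port is omitted and the kernel matches on address.
endpoint() {
    if [ "$2" = "500" ]; then
        printf '%s' "$1"
    else
        printf '%s[%s]' "$1" "$2"
    fi
}

# build_spd LOCAL_ADDR LOCAL_PORT REMOTE_ADDR REMOTE_PORT INTERNAL_ADDR4
# Prints two spdadd lines (out and in) for the address assigned by mode config.
build_spd() {
    if [ $# -ne 5 ]; then
        echo "usage: build_spd LOCAL_ADDR LOCAL_PORT REMOTE_ADDR REMOTE_PORT INTERNAL_ADDR4" >&2
        return 1
    fi
    l=$(endpoint "$1" "$2")
    r=$(endpoint "$3" "$4")
    printf 'spdadd %s/32[any] 0.0.0.0/0[any] any -P out ipsec esp/tunnel/%s-%s/require;\n' "$5" "$l" "$r"
    printf 'spdadd 0.0.0.0/0[any] %s/32[any] any -P in ipsec esp/tunnel/%s-%s/require;\n' "$5" "$r" "$l"
}

# Hook entry point: racoon is assumed to export these variables when it runs
# the script. Nothing is installed unless they are present.
if [ -n "$LOCAL_ADDR" ] && [ -n "$INTERNAL_ADDR4" ]; then
    build_spd "$LOCAL_ADDR" "$LOCAL_PORT" "$REMOTE_ADDR" "$REMOTE_PORT" "$INTERNAL_ADDR4" | setkey -c
fi
```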