Support for IPSec VPNs: some patches for netipsec/key.c

Andreas Longwitz longwitz at incore.de
Wed Sep 5 15:47:23 UTC 2012


Hi,

>> The following patches are all for netipsec/key.c:
>>
>> I use parameter "generate_policy on" in racoon.conf. This works for
>> clients with NAT-T, but direct connected clients need the following
>> patch (likewise in ipsec-tools/roadwarrior/client/phase1-up.sh):
>>
>> @@ -1927,19 +1930,27 @@
>>  #if 1
>>         if (newsp->req && newsp->req->saidx.src.sa.sa_family) {
>>               struct sockaddr *sa;
>> +             uint16_t *pport;
>>               sa = (struct sockaddr *)(src0 + 1);
>>               if (sa->sa_family != newsp->req->saidx.src.sa.sa_family) {
>>                       _key_delsp(newsp);
>>                       return key_senderror(so, m, EINVAL);
>>               }
>> +             pport = (uint16_t *)newsp->req->saidx.src.sa.sa_data;
>> +             if ( *pport == htons(500) ) /* UDP_ENCAP_ESPINUDP_PORT */
>> +                *pport = 0;
>>         }
>>         if (newsp->req && newsp->req->saidx.dst.sa.sa_family) {
>>               struct sockaddr *sa;
>> +             uint16_t *pport;
>>               sa = (struct sockaddr *)(dst0 + 1);
>>               if (sa->sa_family != newsp->req->saidx.dst.sa.sa_family) {
>>                       _key_delsp(newsp);
>>                       return key_senderror(so, m, EINVAL);
>>               }
>> +             pport = (uint16_t *)newsp->req->saidx.dst.sa.sa_data;
>> +             if ( *pport == htons(500) ) /* UDP_ENCAP_ESPINUDP_PORT */
>> +                *pport = 0;
>>         }
>>  #endif
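Review bot: the literal 500 and the `/* UDP_ENCAP_ESPINUDP_PORT */` comment beside it on both new `if` lines do not agree: 500 is the IKE (ISAKMP) port, while the macro named in the comment refers to the ESP-in-UDP encapsulation port, so a reader cannot tell which port the check is meant to catch. Use the macro, or a named constant for the IKE port, instead of the magic number, and let the comment say why racoon's generated SP carries that port. The `(uint16_t *)newsp->req->saidx.src.sa.sa_data` cast also reaches into the raw sockaddr bytes, and the check just above it only establishes that the two families are equal, not that the family is AF_INET or AF_INET6; for any other family the first two bytes of `sa_data` are not a port and would still be rewritten in place. Test the family first and go through the typed field, e.g. `if (sa->sa_family == AF_INET && ((struct sockaddr_in *)&newsp->req->saidx.src)->sin_port == htons(500))`, with the matching `sin6_port` case for AF_INET6.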
> 
> I'm not sure it will happen in real-life configurations, but if
> someone really does want to set up an SP entry for port 500 (tunnel
> mode, or anything else which may need that), your patch will prevent
> it from working.

Yes, I agree.

> It may be cleaner to have racoon generate the good SP entry, rather
> than kernel trying to guess what is right in a SPDADD command.

The SPDADD command is done by racoon because I have generate_policy on,
but racoon sets ports to 500 for direct connected clients. If this were
fixed in racoon, the above kernel patch would be superfluous.


>> The last patch makes it possible for a transport mode client to open a
>> new connection to the server immediately after closing an old
>> connection. Without this patch the client must wait for the routers to
>> forget all their NAT entries.
>>
>> @@ -4065,10 +4084,12 @@
>>           /*
>>            * If NAT-T is enabled, check ports for tunnel mode.
>>            * Do not check ports if they are set to zero in the SPD.
>> -          * Also do not do it for transport mode, as there is no
>> +          * Also do not do it for native transport mode, as there is no
>>            * port information available in the SP.
>>            */
>> -         if (saidx1->mode == IPSEC_MODE_TUNNEL &&
>> +         if ((saidx1->mode == IPSEC_MODE_TUNNEL ||
>> +             (saidx1->mode == IPSEC_MODE_TRANSPORT &&
>> +             saidx1->proto == IPPROTO_ESP)) &&
>>               saidx1->src.sa.sa_family == AF_INET &&
>>               saidx1->dst.sa.sa_family == AF_INET &&
>>               ((const struct sockaddr_in *)(&saidx1->src))->sin_port &&
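Review bot: the comment change on the `Also do not do it for native transport mode` line introduces a term the code does not define; what the new condition actually excludes is transport-mode AH (and any transport SA whose proto is not ESP), because only ESP is carried in UDP encapsulation and so only ESP transport SAs can have NAT-T ports worth comparing. Say that directly, e.g. `Also do not do it for transport mode AH, as only ESP can be UDP-encapsulated`. The three `+` lines also nest the mode test inside the larger `&&` chain at the same indentation as its siblings, which makes it easy to misread where the inner parentheses close; indenting the `(saidx1->mode == IPSEC_MODE_TRANSPORT &&` / `saidx1->proto == IPPROTO_ESP))` pair one level further, or hoisting the mode test into a local flag before the `if`, would make the grouping obvious.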
> 
> Right, I'll commit it on HEAD ASAP.

Good news, thanks!


Andreas Longwitz
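The effect of the second hunk, as an added worked example that is not part of the original message and not FreeBSD's own key.c code: a simplified C model of the SA-index comparison, with the port check gated the way the hunk's condition gates it before and after the patch. The struct, the function names, the value of the mode constants and the RFC 5737 addresses are this example's own assumptions; the reconnect scenario is the reading of the thread that the example assumes (the NAT router hands the reconnecting client a different public source port while the old SA is still in the SAD).

```c
/*
 * Added example, not FreeBSD's key_cmpsaidx(): a model of the SA-index
 * comparison with the NAT-T port check from the hunk. Names, constants
 * and addresses are the example's own assumptions.
 */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPSEC_MODE_TRANSPORT 1   /* values chosen for this model */
#define IPSEC_MODE_TUNNEL    2

struct saidx_model {
	int mode;                /* IPSEC_MODE_TRANSPORT or IPSEC_MODE_TUNNEL */
	int proto;               /* IPPROTO_ESP or IPPROTO_AH */
	struct sockaddr_in src;  /* sin_port == 0: no NAT-T port recorded */
	struct sockaddr_in dst;
};

static struct saidx_model
make_saidx(int mode, int proto, const char *src, uint16_t sport,
    const char *dst, uint16_t dport)
{
	struct saidx_model s;

	memset(&s, 0, sizeof(s));
	s.mode = mode;
	s.proto = proto;
	s.src.sin_family = s.dst.sin_family = AF_INET;
	inet_pton(AF_INET, src, &s.src.sin_addr);
	inet_pton(AF_INET, dst, &s.dst.sin_addr);
	s.src.sin_port = htons(sport);
	s.dst.sin_port = htons(dport);
	return (s);
}

/*
 * The hunk's condition: before the patch only tunnel-mode SAs get their
 * NAT-T ports compared; after it, transport-mode ESP SAs do too. Ports
 * left at zero are never compared in either case.
 */
static bool
natt_ports_checked(const struct saidx_model *want, bool patched)
{
	bool mode_ok = want->mode == IPSEC_MODE_TUNNEL ||
	    (patched && want->mode == IPSEC_MODE_TRANSPORT &&
	     want->proto == IPPROTO_ESP);

	return (mode_ok &&
	    want->src.sin_family == AF_INET && want->dst.sin_family == AF_INET &&
	    want->src.sin_port != 0 && want->dst.sin_port != 0);
}

/* Does an SA already in the SAD (cand) satisfy the index being looked up? */
static bool
saidx_match(const struct saidx_model *cand, const struct saidx_model *want,
    bool patched)
{
	if (cand->mode != want->mode || cand->proto != want->proto)
		return (false);
	if (cand->src.sin_addr.s_addr != want->src.sin_addr.s_addr ||
	    cand->dst.sin_addr.s_addr != want->dst.sin_addr.s_addr)
		return (false);
	if (natt_ports_checked(want, patched) &&
	    (cand->src.sin_port != want->src.sin_port ||
	     cand->dst.sin_port != want->dst.sin_port))
		return (false);
	return (true);
}

/*
 * Reconnect scenario (assumed): the transport-mode ESP client reconnects
 * before the NAT entry for the old flow expires, so the router maps the
 * new flow to a different public source port. Returns true when the
 * stale SA satisfies the lookup for the new connection.
 */
static bool
stale_sa_matches_reconnect(bool patched)
{
	struct saidx_model stale = make_saidx(IPSEC_MODE_TRANSPORT, IPPROTO_ESP,
	    "203.0.113.10", 4500, "198.51.100.1", 4500);
	struct saidx_model fresh = make_saidx(IPSEC_MODE_TRANSPORT, IPPROTO_ESP,
	    "203.0.113.10", 4501, "198.51.100.1", 4500);

	return (saidx_match(&stale, &fresh, patched));
}

/* Zero ports in the index being looked up disable the check, patched or not. */
static bool
zero_port_matches_any(bool patched)
{
	struct saidx_model stale = make_saidx(IPSEC_MODE_TRANSPORT, IPPROTO_ESP,
	    "203.0.113.10", 4500, "198.51.100.1", 4500);
	struct saidx_model noport = make_saidx(IPSEC_MODE_TRANSPORT, IPPROTO_ESP,
	    "203.0.113.10", 0, "198.51.100.1", 0);

	return (saidx_match(&stale, &noport, patched));
}

int
main(void)
{
	printf("stale SA reused before patch: %s\n",
	    stale_sa_matches_reconnect(false) ? "yes" : "no");
	printf("stale SA reused after patch:  %s\n",
	    stale_sa_matches_reconnect(true) ? "yes" : "no");
	return (0);
}
```

Before the patch the unpatched rule ignores ports for every transport-mode SA, so the lookup for the reconnect is satisfied by the stale entry and traffic keeps going out with the old NAT port; with the patched rule the port mismatch makes the lookup fail and a new SA is set up. The zero-port case shows that the "do not check ports if they are set to zero" rule from the hunk's comment is unchanged.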


