From Matthew Grooms:
ike_frag force option to force the use of IKE on first packet exchange (prior to peer consent)
This commit is contained in:
parent
285ded789b
commit
c18d9daa6a
14
crypto/dist/ipsec-tools/ChangeLog
vendored
14
crypto/dist/ipsec-tools/ChangeLog
vendored
@ -1,9 +1,13 @@
|
||||
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
|
||||
|
||||
From Matthew Grooms:
|
||||
* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_frag.h}
|
||||
src/racoon/{racoon.conf.5|remoteconf.c}: ike_frag force option to
|
||||
force the use of IKE on first packet exchange (prior to peer consent)
|
||||
|
||||
2006-09-18 Yvan Vanhullebus <vanhu@NetBSD.org>
|
||||
* src/racoon/cf[parse|token].c: removed those files from the CVS,
|
||||
as they are generated during the build.
|
||||
* src/racoon/prsa_[par|tok].c: removed those files from the CVS,
|
||||
as they are generated during the build.
|
||||
* rpm/suse/ipsec-tools.spec: removed those files from the CVS,
|
||||
* src/racoon/{cfparse.c|cftoken.c|prsa_par.c|prsa_tok.c}
|
||||
rpm/suse/ipsec-tools.spec: removed those files from the CVS,
|
||||
as they are generated during the build.
|
||||
|
||||
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
|
||||
|
13
crypto/dist/ipsec-tools/src/racoon/cfparse.y
vendored
13
crypto/dist/ipsec-tools/src/racoon/cfparse.y
vendored
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: cfparse.y,v 1.13 2006/09/09 16:22:09 manu Exp $ */
|
||||
/* $NetBSD: cfparse.y,v 1.14 2006/09/18 20:32:40 manu Exp $ */
|
||||
|
||||
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
|
||||
|
||||
@ -82,6 +82,8 @@
|
||||
#include "isakmp_var.h"
|
||||
#include "handler.h"
|
||||
#include "isakmp.h"
|
||||
#include "nattraversal.h"
|
||||
#include "isakmp_frag.h"
|
||||
#ifdef ENABLE_HYBRID
|
||||
#include "resolv.h"
|
||||
#include "isakmp_unity.h"
|
||||
@ -221,7 +223,7 @@ static int fix_lifebyte __P((u_long));
|
||||
%token PEERS_IDENTIFIER VERIFY_IDENTIFIER
|
||||
%token DNSSEC CERT_X509 CERT_PLAINRSA
|
||||
%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
|
||||
%token NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
|
||||
%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
|
||||
%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
|
||||
%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
|
||||
%token PROPOSAL
|
||||
@ -249,7 +251,7 @@ static int fix_lifebyte __P((u_long));
|
||||
%type <num> PREFIX prefix PORT port ike_port
|
||||
%type <num> ul_proto UL_PROTO
|
||||
%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
|
||||
%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL
|
||||
%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
|
||||
%type <num> unittype_time unittype_byte
|
||||
%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
|
||||
%type <val> identifierstring
|
||||
@ -1800,6 +1802,7 @@ remote_spec
|
||||
dh_group_num EOS
|
||||
| PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
|
||||
| IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
|
||||
| IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
|
||||
| ESP_FRAG NUMBER {
|
||||
#ifdef SADB_X_EXT_NAT_T_FRAG
|
||||
cur_rmconf->esp_frag = $2;
|
||||
@ -1837,10 +1840,10 @@ remote_spec
|
||||
yyerror("NAT-T support not compiled in.");
|
||||
#endif
|
||||
} EOS
|
||||
| NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
|
||||
| NAT_TRAVERSAL REMOTE_FORCE_LEVEL
|
||||
{
|
||||
#ifdef ENABLE_NATT
|
||||
cur_rmconf->nat_traversal = $2;
|
||||
cur_rmconf->nat_traversal = NATT_FORCE;
|
||||
#else
|
||||
yyerror("NAT-T support not compiled in.");
|
||||
#endif
|
||||
|
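Review bot: `REMOTE_FORCE_LEVEL` keeps a `<num>` semantic type in the rewritten `%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL` line, but the cftoken.l hunk's `<S_RMTS>force { YYD; return(REMOTE_FORCE_LEVEL); }` no longer assigns `yylval.num`, and neither new `remote_spec` alternative reads `$2`. A typed token that is never given a value invites a later rule to read an uninitialized `$2`; drop `REMOTE_FORCE_LEVEL` from the `%type <num>` list so it is a plain untyped token, consistent with the new `%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL` line. The same point covers the cftoken.l `force` rule, which is the other half of this change. The `remote_spec` rule in the last two hunks starts and ends outside the hunks.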
5
crypto/dist/ipsec-tools/src/racoon/cftoken.l
vendored
5
crypto/dist/ipsec-tools/src/racoon/cftoken.l
vendored
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: cftoken.l,v 1.7 2006/09/09 16:22:09 manu Exp $ */
|
||||
/* $NetBSD: cftoken.l,v 1.8 2006/09/18 20:32:40 manu Exp $ */
|
||||
|
||||
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
|
||||
|
||||
@ -73,7 +73,6 @@
|
||||
#include "isakmp.h"
|
||||
#include "ipsec_doi.h"
|
||||
#include "proposal.h"
|
||||
#include "nattraversal.h"
|
||||
#include "remoteconf.h"
|
||||
#ifdef GC
|
||||
#include "gcmalloc.h"
|
||||
@ -340,7 +339,7 @@ hexstring 0x{hexdigit}+
|
||||
<S_RMTS>support_proxy { YYD; return(SUPPORT_PROXY); }
|
||||
<S_RMTS>initial_contact { YYD; return(INITIAL_CONTACT); }
|
||||
<S_RMTS>nat_traversal { YYD; return(NAT_TRAVERSAL); }
|
||||
<S_RMTS>force { YYD; yylval.num = NATT_FORCE; return(NAT_TRAVERSAL_LEVEL); }
|
||||
<S_RMTS>force { YYD; return(REMOTE_FORCE_LEVEL); }
|
||||
<S_RMTS>proposal_check { YYD; return(PROPOSAL_CHECK); }
|
||||
<S_RMTS>obey { YYD; yylval.num = PROP_CHECK_OBEY; return(PROPOSAL_CHECK_LEVEL); }
|
||||
<S_RMTS>strict { YYD; yylval.num = PROP_CHECK_STRICT; return(PROPOSAL_CHECK_LEVEL); }
|
||||
|
28
crypto/dist/ipsec-tools/src/racoon/isakmp.c
vendored
28
crypto/dist/ipsec-tools/src/racoon/isakmp.c
vendored
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: isakmp.c,v 1.13 2006/09/18 08:05:48 manu Exp $ */
|
||||
/* $NetBSD: isakmp.c,v 1.14 2006/09/18 20:32:40 manu Exp $ */
|
||||
|
||||
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
|
||||
|
||||
@ -115,6 +115,7 @@
|
||||
# include "nattraversal.h"
|
||||
# ifdef __linux__
|
||||
# include <linux/udp.h>
|
||||
# include <linux/ip.h>
|
||||
# ifndef SOL_UDP
|
||||
# define SOL_UDP 17
|
||||
# endif
|
||||
@ -123,6 +124,8 @@
|
||||
(defined(__APPLE__) && defined(__MACH__))
|
||||
# include <netinet/in.h>
|
||||
# include <netinet/udp.h>
|
||||
# include <netinet/in_systm.h>
|
||||
# include <netinet/ip.h>
|
||||
# define SOL_UDP IPPROTO_UDP
|
||||
# endif /* __NetBSD__ / __FreeBSD__ */
|
||||
#endif
|
||||
@ -199,6 +202,9 @@ isakmp_handler(so_isakmp)
|
||||
union {
|
||||
char buf[sizeof (isakmp) + 4];
|
||||
u_int32_t non_esp[2];
|
||||
char lbuf[sizeof(struct udphdr) +
|
||||
sizeof(struct ip) +
|
||||
sizeof(isakmp) + 4];
|
||||
} x;
|
||||
struct sockaddr_storage remote;
|
||||
struct sockaddr_storage local;
|
||||
@ -233,6 +239,18 @@ isakmp_handler(so_isakmp)
|
||||
goto end;
|
||||
}
|
||||
|
||||
/* Lucent IKE in UDP encapsulation */
|
||||
{
|
||||
struct udphdr *udp;
|
||||
struct ip *ip;
|
||||
|
||||
udp = (struct udphdr *)&x.lbuf[0];
|
||||
if (ntohs(udp->uh_dport) == 501) {
|
||||
ip = (struct ip *)(x.lbuf + sizeof(*udp));
|
||||
extralen += sizeof(*udp) + ip->ip_hl;
|
||||
}
|
||||
}
|
||||
|
||||
#ifdef ENABLE_NATT
|
||||
/* we don't know about portchange yet,
|
||||
look for non-esp marker instead */
|
||||
@ -1033,7 +1051,11 @@ isakmp_ph1begin_i(rmconf, remote, local)
|
||||
}
|
||||
#endif
|
||||
#ifdef ENABLE_FRAG
|
||||
iph1->frag = 0;
|
||||
|
||||
if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
|
||||
iph1->frag = 1;
|
||||
else
|
||||
iph1->frag = 0;
|
||||
iph1->frag_chain = NULL;
|
||||
#endif
|
||||
iph1->approval = NULL;
|
||||
@ -1044,6 +1066,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
|
||||
delph1(iph1);
|
||||
return -1;
|
||||
}
|
||||
printf("%s: iph1->local = %p\n", __func__, iph1->local);
|
||||
|
||||
(void)insph1(iph1);
|
||||
|
||||
@ -1168,6 +1191,7 @@ isakmp_ph1begin_r(msg, remote, local, etype)
|
||||
delph1(iph1);
|
||||
return -1;
|
||||
}
|
||||
printf("%s: iph1->local = %p\n", __func__, iph1->local);
|
||||
|
||||
(void)insph1(iph1);
|
||||
|
||||
|
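Review bot: In the `Lucent IKE in UDP encapsulation` block of the isakmp_handler hunk, `extralen += sizeof(*udp) + ip->ip_hl;` adds the IP header length in 32-bit words rather than bytes, so the offset is wrong for every header; it needs `extralen += sizeof(*udp) + (ip->ip_hl << 2);`. The block also dereferences `udp->uh_dport` and `ip->ip_hl` inside `x.lbuf` without checking that the peeked datagram is at least `sizeof(*udp) + sizeof(*ip)` bytes, so a short packet reads uninitialized stack bytes and presumably feeds a bogus skip length into the later parsing; guard the block with the byte count returned by the peeking read (that variable is outside the hunk), and give the magic `501` a named constant. This block and the bare `printf("%s: iph1->local = %p\n", __func__, iph1->local);` lines in isakmp_ph1begin_i, isakmp_ph1begin_r and isakmp_info_send_nx (the isakmp_inf.c hunk) are not described by the commit message and read as leftover debugging; in a daemon they write to stdout, so they should be removed or turned into `plog(LLV_DEBUG, LOCATION, NULL, ...)`. isakmp_handler's body continues outside the hunk.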
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: isakmp_frag.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
|
||||
/* $NetBSD: isakmp_frag.h,v 1.5 2006/09/18 20:32:40 manu Exp $ */
|
||||
|
||||
/* Id: isakmp_frag.h,v 1.3 2005/04/09 16:25:24 manubsd Exp */
|
||||
|
||||
@ -31,6 +31,12 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
|
||||
/* These are the values from parsing "remote {}"
|
||||
block of the config file. */
|
||||
#define ISAKMP_FRAG_OFF FLASE /* = 0 */
|
||||
#define ISAKMP_FRAG_ON TRUE /* = 1 */
|
||||
#define ISAKMP_FRAG_FORCE 2
|
||||
|
||||
/* IKE fragmentation capabilities */
|
||||
#define VENDORID_FRAG_IDENT 0x80000000
|
||||
#define VENDORID_FRAG_BASE 0x40000000
|
||||
|
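Review bot: `#define ISAKMP_FRAG_OFF FLASE /* = 0 */` misspells `FALSE`; it goes unnoticed only because nothing in this commit expands `ISAKMP_FRAG_OFF`, and the first use will fail as an undeclared identifier unless some header happens to define `FLASE`. Since the comments already pin the values, define them as plain integers, `#define ISAKMP_FRAG_OFF 0` and `#define ISAKMP_FRAG_ON 1`, next to `#define ISAKMP_FRAG_FORCE 2`, so the header also stops depending on whichever header defines `TRUE`/`FALSE` being included first.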
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: isakmp_inf.c,v 1.11 2006/09/09 16:22:09 manu Exp $ */
|
||||
/* $NetBSD: isakmp_inf.c,v 1.12 2006/09/18 20:32:40 manu Exp $ */
|
||||
|
||||
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
|
||||
|
||||
@ -731,6 +731,7 @@ isakmp_info_send_nx(isakmp, remote, local, type, data)
|
||||
error = -1;
|
||||
goto end;
|
||||
}
|
||||
printf("%s: iph1->local = %p\n", __func__, iph1->local);
|
||||
|
||||
tlen = sizeof(*n) + spisiz;
|
||||
if (data)
|
||||
|
17
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
vendored
17
crypto/dist/ipsec-tools/src/racoon/racoon.conf.5
vendored
@ -1,4 +1,4 @@
|
||||
.\" $NetBSD: racoon.conf.5,v 1.26 2006/09/09 16:22:10 manu Exp $
|
||||
.\" $NetBSD: racoon.conf.5,v 1.27 2006/09/18 20:32:40 manu Exp $
|
||||
.\"
|
||||
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
|
||||
.\"
|
||||
@ -615,14 +615,17 @@ Any proposal will be accepted, and the attribute(s) will be not proposed to
|
||||
the peer if you do not specify it (them).
|
||||
They can be individually specified in each proposal.
|
||||
.\"
|
||||
.It Ic ike_frag (on | off) ;
|
||||
.It Ic ike_frag (on | off | force) ;
|
||||
Enable receiver-side IKE fragmentation, if
|
||||
.Xr racoon 8
|
||||
has been built with this feature.
|
||||
This extension is there to work around
|
||||
broken firewalls that do not work with fragmented UDP packets.
|
||||
IKE fragmentation is always enabled on the sender-side, and
|
||||
it is used if the peer advertises itself as IKE fragmentation capable.
|
||||
has been built with this feature. If set to on, racoon will advertise
|
||||
itself as being capable of receiving packets split by IKE fragmentation.
|
||||
This extension is there to work around broken firewalls that do not
|
||||
work with fragmented UDP packets. IKE fragmentation is always enabled
|
||||
on the sender-side, and it is used if the peer advertises itself as
|
||||
IKE fragmentation capable. By selecting force, IKE Fragmentation will
|
||||
be used when racoon is acting as the initiator even before the remote
|
||||
peer has advertised itself as IKE fragmentation capable.
|
||||
.\"
|
||||
.It Ic esp_frag Ar fraglen ;
|
||||
This option is only relevant if you use NAT traversal in tunnel mode.
|
||||
|
@ -1,4 +1,4 @@
|
||||
/* $NetBSD: remoteconf.c,v 1.7 2006/09/09 16:22:10 manu Exp $ */
|
||||
/* $NetBSD: remoteconf.c,v 1.8 2006/09/18 20:32:40 manu Exp $ */
|
||||
|
||||
/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
|
||||
|
||||
@ -77,6 +77,7 @@
|
||||
#include "strnames.h"
|
||||
#include "algorithm.h"
|
||||
#include "nattraversal.h"
|
||||
#include "isakmp_frag.h"
|
||||
#include "genlist.h"
|
||||
|
||||
static TAILQ_HEAD(_rmtree, remoteconf) rmtree, rmtree_save, rmtree_tmp;
|
||||
@ -593,7 +594,8 @@ dump_rmconf_single (struct remoteconf *p, void *data)
|
||||
plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
|
||||
s_switch (p->passive));
|
||||
plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
|
||||
s_switch (p->ike_frag));
|
||||
p->ike_frag == ISAKMP_FRAG_FORCE ?
|
||||
"force" : s_switch (p->ike_frag));
|
||||
plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
|
||||
plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
|
||||
s_switch (p->ini_contact));
|
||||
|