From Matthew Grooms:

ike_frag force option to force the use of IKE fragmentation on the first packet exchange
(prior to peer consent)
This commit is contained in:
manu 2006-09-18 20:32:40 +00:00
parent 285ded789b
commit c18d9daa6a
8 changed files with 68 additions and 26 deletions


@ -1,9 +1,13 @@
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>
From Matthew Grooms:
* src/racoon/{cfparse.y|cftoken.l|isakmp.c|isakmp_frag.h}
src/racoon/{racoon.conf.5|remoteconf.c}: ike_frag force option to
force the use of IKE on first packet exchange (prior to peer consent)
2006-09-18 Yvan Vanhullebus <vanhu@NetBSD.org>
* src/racoon/cf[parse|token].c: removed those files from the CVS,
as they are generated during the build.
* src/racoon/prsa_[par|tok].c: removed those files from the CVS,
as they are generated during the build.
* rpm/suse/ipsec-tools.spec: removed those files from the CVS,
* src/racoon/{cfparse.c|cftoken.c|prsa_par.c|prsa_tok.c}
rpm/suse/ipsec-tools.spec: removed those files from the CVS,
as they are generated during the build.
2006-09-18 Emmanuel Dreyfus <manu@netbsd.org>


@ -1,4 +1,4 @@
/* $NetBSD: cfparse.y,v 1.13 2006/09/09 16:22:09 manu Exp $ */
/* $NetBSD: cfparse.y,v 1.14 2006/09/18 20:32:40 manu Exp $ */
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
@ -82,6 +82,8 @@
#include "isakmp_var.h"
#include "handler.h"
#include "isakmp.h"
#include "nattraversal.h"
#include "isakmp_frag.h"
#ifdef ENABLE_HYBRID
#include "resolv.h"
#include "isakmp_unity.h"
@ -221,7 +223,7 @@ static int fix_lifebyte __P((u_long));
%token PEERS_IDENTIFIER VERIFY_IDENTIFIER
%token DNSSEC CERT_X509 CERT_PLAINRSA
%token NONCE_SIZE DH_GROUP KEEPALIVE PASSIVE INITIAL_CONTACT
%token NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
%token NAT_TRAVERSAL REMOTE_FORCE_LEVEL
%token PROPOSAL_CHECK PROPOSAL_CHECK_LEVEL
%token GENERATE_POLICY GENERATE_LEVEL SUPPORT_PROXY
%token PROPOSAL
@ -249,7 +251,7 @@ static int fix_lifebyte __P((u_long));
%type <num> PREFIX prefix PORT port ike_port
%type <num> ul_proto UL_PROTO
%type <num> EXCHANGETYPE DOITYPE SITUATIONTYPE
%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL NAT_TRAVERSAL_LEVEL GENERATE_LEVEL
%type <num> CERTTYPE CERT_X509 CERT_PLAINRSA PROPOSAL_CHECK_LEVEL REMOTE_FORCE_LEVEL GENERATE_LEVEL
%type <num> unittype_time unittype_byte
%type <val> QUOTEDSTRING HEXSTRING ADDRSTRING ADDRRANGE sainfo_id
%type <val> identifierstring
@ -1800,6 +1802,7 @@ remote_spec
dh_group_num EOS
| PASSIVE SWITCH { cur_rmconf->passive = $2; } EOS
| IKE_FRAG SWITCH { cur_rmconf->ike_frag = $2; } EOS
| IKE_FRAG REMOTE_FORCE_LEVEL { cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE; } EOS
| ESP_FRAG NUMBER {
#ifdef SADB_X_EXT_NAT_T_FRAG
cur_rmconf->esp_frag = $2;
@ -1837,10 +1840,10 @@ remote_spec
yyerror("NAT-T support not compiled in.");
#endif
} EOS
| NAT_TRAVERSAL NAT_TRAVERSAL_LEVEL
| NAT_TRAVERSAL REMOTE_FORCE_LEVEL
{
#ifdef ENABLE_NATT
cur_rmconf->nat_traversal = $2;
cur_rmconf->nat_traversal = NATT_FORCE;
#else
yyerror("NAT-T support not compiled in.");
#endif
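Review bot: `cur_rmconf->ike_frag = ISAKMP_FRAG_FORCE` stores a third value into a field that the `IKE_FRAG SWITCH` rule on the preceding line fills with a 0/1 switch value, so any consumer that tests `ike_frag == TRUE` or hands it to s_switch without special-casing (remoteconf.c in this commit does special-case it) will treat force as neither on nor off. Those consumers are not visible from here, so this is worth a grep of the other readers of ike_frag before merge. A comment on the rule, e.g. `/* ike_frag is a tri-state: off, on, or ISAKMP_FRAG_FORCE -- compare against the constants, not as a boolean */`, would make the contract explicit. The remote_spec rule list starts and ends outside the hunk.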


@ -1,4 +1,4 @@
/* $NetBSD: cftoken.l,v 1.7 2006/09/09 16:22:09 manu Exp $ */
/* $NetBSD: cftoken.l,v 1.8 2006/09/18 20:32:40 manu Exp $ */
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
@ -73,7 +73,6 @@
#include "isakmp.h"
#include "ipsec_doi.h"
#include "proposal.h"
#include "nattraversal.h"
#include "remoteconf.h"
#ifdef GC
#include "gcmalloc.h"
@ -340,7 +339,7 @@ hexstring 0x{hexdigit}+
<S_RMTS>support_proxy { YYD; return(SUPPORT_PROXY); }
<S_RMTS>initial_contact { YYD; return(INITIAL_CONTACT); }
<S_RMTS>nat_traversal { YYD; return(NAT_TRAVERSAL); }
<S_RMTS>force { YYD; yylval.num = NATT_FORCE; return(NAT_TRAVERSAL_LEVEL); }
<S_RMTS>force { YYD; return(REMOTE_FORCE_LEVEL); }
<S_RMTS>proposal_check { YYD; return(PROPOSAL_CHECK); }
<S_RMTS>obey { YYD; yylval.num = PROP_CHECK_OBEY; return(PROPOSAL_CHECK_LEVEL); }
<S_RMTS>strict { YYD; yylval.num = PROP_CHECK_STRICT; return(PROPOSAL_CHECK_LEVEL); }


@ -1,4 +1,4 @@
/* $NetBSD: isakmp.c,v 1.13 2006/09/18 08:05:48 manu Exp $ */
/* $NetBSD: isakmp.c,v 1.14 2006/09/18 20:32:40 manu Exp $ */
/* Id: isakmp.c,v 1.74 2006/05/07 21:32:59 manubsd Exp */
@ -115,6 +115,7 @@
# include "nattraversal.h"
# ifdef __linux__
# include <linux/udp.h>
# include <linux/ip.h>
# ifndef SOL_UDP
# define SOL_UDP 17
# endif
@ -123,6 +124,8 @@
(defined(__APPLE__) && defined(__MACH__))
# include <netinet/in.h>
# include <netinet/udp.h>
# include <netinet/in_systm.h>
# include <netinet/ip.h>
# define SOL_UDP IPPROTO_UDP
# endif /* __NetBSD__ / __FreeBSD__ */
#endif
@ -199,6 +202,9 @@ isakmp_handler(so_isakmp)
union {
char buf[sizeof (isakmp) + 4];
u_int32_t non_esp[2];
char lbuf[sizeof(struct udphdr) +
sizeof(struct ip) +
sizeof(isakmp) + 4];
} x;
struct sockaddr_storage remote;
struct sockaddr_storage local;
@ -233,6 +239,18 @@ isakmp_handler(so_isakmp)
goto end;
}
/* Lucent IKE in UDP encapsulation */
{
struct udphdr *udp;
struct ip *ip;
udp = (struct udphdr *)&x.lbuf[0];
if (ntohs(udp->uh_dport) == 501) {
ip = (struct ip *)(x.lbuf + sizeof(*udp));
extralen += sizeof(*udp) + ip->ip_hl;
}
}
#ifdef ENABLE_NATT
/* we don't know about portchange yet,
look for non-esp marker instead */
@ -1033,7 +1051,11 @@ isakmp_ph1begin_i(rmconf, remote, local)
}
#endif
#ifdef ENABLE_FRAG
iph1->frag = 0;
if(rmconf->ike_frag == ISAKMP_FRAG_FORCE)
iph1->frag = 1;
else
iph1->frag = 0;
iph1->frag_chain = NULL;
#endif
iph1->approval = NULL;
@ -1044,6 +1066,7 @@ isakmp_ph1begin_i(rmconf, remote, local)
delph1(iph1);
return -1;
}
printf("%s: iph1->local = %p\n", __func__, iph1->local);
(void)insph1(iph1);
@ -1168,6 +1191,7 @@ isakmp_ph1begin_r(msg, remote, local, etype)
delph1(iph1);
return -1;
}
printf("%s: iph1->local = %p\n", __func__, iph1->local);
(void)insph1(iph1);
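Review bot: In the Lucent block of isakmp_handler, `extralen += sizeof(*udp) + ip->ip_hl;` treats `ip_hl` as a byte count, but it is the IP header length in 32-bit words, so the computed encapsulation offset is short by a factor of four; the line should read `extralen += sizeof(*udp) + (ip->ip_hl << 2);`. The block also reads `udp->uh_dport` and `ip->ip_hl` out of the peeked buffer before anything visible confirms the received length covers a UDP plus an IP header, so a short datagram decides this branch on stale bytes of `x.lbuf` — the test belongs behind the length the recv call returns (that call is outside the hunk), and the bare `501` deserves a named constant. Neither this block nor the `printf("%s: iph1->local = %p\n", __func__, iph1->local);` lines added in isakmp_ph1begin_i, isakmp_ph1begin_r and (in isakmp_inf.c) isakmp_info_send_nx is mentioned in the commit message; the printfs bypass plog, write a pointer value to stdout unconditionally, and look like leftover debugging that should be dropped. isakmp_handler's body starts and ends outside the hunk.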


@ -1,4 +1,4 @@
/* $NetBSD: isakmp_frag.h,v 1.4 2006/09/09 16:22:09 manu Exp $ */
/* $NetBSD: isakmp_frag.h,v 1.5 2006/09/18 20:32:40 manu Exp $ */
/* Id: isakmp_frag.h,v 1.3 2005/04/09 16:25:24 manubsd Exp */
@ -31,6 +31,12 @@
* SUCH DAMAGE.
*/
/* These are the values from parsing "remote {}"
block of the config file. */
#define ISAKMP_FRAG_OFF FLASE /* = 0 */
#define ISAKMP_FRAG_ON TRUE /* = 1 */
#define ISAKMP_FRAG_FORCE 2
/* IKE fragmentation capabilities */
#define VENDORID_FRAG_IDENT 0x80000000
#define VENDORID_FRAG_BASE 0x40000000
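Review bot: `#define ISAKMP_FRAG_OFF FLASE /* = 0 */` misspells FALSE, so the first translation unit that expands ISAKMP_FRAG_OFF will fail to compile; nothing in this commit expands it, which is why the build still passes. Since the comments already pin the values and this header does not visibly include whatever defines TRUE/FALSE, the plainer form is `#define ISAKMP_FRAG_OFF 0`, `#define ISAKMP_FRAG_ON 1`, `#define ISAKMP_FRAG_FORCE 2`. The block comment would also be more useful if it said that `remoteconf.ike_frag` now carries this tri-state rather than a plain switch.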


@ -1,4 +1,4 @@
/* $NetBSD: isakmp_inf.c,v 1.11 2006/09/09 16:22:09 manu Exp $ */
/* $NetBSD: isakmp_inf.c,v 1.12 2006/09/18 20:32:40 manu Exp $ */
/* Id: isakmp_inf.c,v 1.44 2006/05/06 20:45:52 manubsd Exp */
@ -731,6 +731,7 @@ isakmp_info_send_nx(isakmp, remote, local, type, data)
error = -1;
goto end;
}
printf("%s: iph1->local = %p\n", __func__, iph1->local);
tlen = sizeof(*n) + spisiz;
if (data)


@ -1,4 +1,4 @@
.\" $NetBSD: racoon.conf.5,v 1.26 2006/09/09 16:22:10 manu Exp $
.\" $NetBSD: racoon.conf.5,v 1.27 2006/09/18 20:32:40 manu Exp $
.\"
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
.\"
@ -615,14 +615,17 @@ Any proposal will be accepted, and the attribute(s) will be not proposed to
the peer if you do not specify it (them).
They can be individually specified in each proposal.
.\"
.It Ic ike_frag (on | off) ;
.It Ic ike_frag (on | off | force) ;
Enable receiver-side IKE fragmentation, if
.Xr racoon 8
has been built with this feature.
This extension is there to work around
broken firewalls that do not work with fragmented UDP packets.
IKE fragmentation is always enabled on the sender-side, and
it is used if the peer advertises itself as IKE fragmentation capable.
has been built with this feature. If set to on, racoon will advertise
itself as being capable of receiving packets split by IKE fragmentation.
This extension is there to work around broken firewalls that do not
work with fragmented UDP packets. IKE fragmentation is always enabled
on the sender-side, and it is used if the peer advertises itself as
IKE fragmentation capable. By selecting force, IKE Fragmentation will
be used when racoon is acting as the initiator even before the remote
peer has advertised itself as IKE fragmentation capable.
.\"
.It Ic esp_frag Ar fraglen ;
This option is only relevant if you use NAT traversal in tunnel mode.


@ -1,4 +1,4 @@
/* $NetBSD: remoteconf.c,v 1.7 2006/09/09 16:22:10 manu Exp $ */
/* $NetBSD: remoteconf.c,v 1.8 2006/09/18 20:32:40 manu Exp $ */
/* Id: remoteconf.c,v 1.38 2006/05/06 15:52:44 manubsd Exp */
@ -77,6 +77,7 @@
#include "strnames.h"
#include "algorithm.h"
#include "nattraversal.h"
#include "isakmp_frag.h"
#include "genlist.h"
static TAILQ_HEAD(_rmtree, remoteconf) rmtree, rmtree_save, rmtree_tmp;
@ -593,7 +594,8 @@ dump_rmconf_single (struct remoteconf *p, void *data)
plog(LLV_INFO, LOCATION, NULL, "\tpassive %s;\n",
s_switch (p->passive));
plog(LLV_INFO, LOCATION, NULL, "\tike_frag %s;\n",
s_switch (p->ike_frag));
p->ike_frag == ISAKMP_FRAG_FORCE ?
"force" : s_switch (p->ike_frag));
plog(LLV_INFO, LOCATION, NULL, "\tesp_frag %d;\n", p->esp_frag);
plog(LLV_INFO, LOCATION, NULL, "\tinitial_contact %s;\n",
s_switch (p->ini_contact));