|
|
|
|
@@ -1,550 +0,0 @@
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_kversion.h openswan-2.6.20/linux/include/openswan/ipsec_kversion.h
|
|
|
|
|
--- openswan-2.6.20.org/linux/include/openswan/ipsec_kversion.h 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/include/openswan/ipsec_kversion.h 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -302,9 +302,11 @@
|
|
|
|
|
# define HAVE_KMEM_CACHE_MACRO
|
|
|
|
|
|
|
|
|
|
/* Try using the new kernel encaps hook for nat-t, instead of udp.c */
|
|
|
|
|
-# ifdef NOT_YET_FINISHED
|
|
|
|
|
-# define HAVE_UDP_ENCAP_CONVERT
|
|
|
|
|
-# endif
|
|
|
|
|
+#if !defined(CONFIG_IPSEC_NAT_TRAVERSAL) || CONFIG_IPSEC_NAT_TRAVERSAL == 0
|
|
|
|
|
+# define HAVE_UDP_ENCAP_CONVERT
|
|
|
|
|
+#else
|
|
|
|
|
+# warning "It seems you are using a post 2.6.22 kernel with the NAT-T-patch - please consider using the new ENCAP nat-traversal code"
|
|
|
|
|
+#endif
|
|
|
|
|
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_param.h openswan-2.6.20/linux/include/openswan/ipsec_param.h
|
|
|
|
|
--- openswan-2.6.20.org/linux/include/openswan/ipsec_param.h 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/include/openswan/ipsec_param.h 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -76,6 +76,12 @@
|
|
|
|
|
#endif /* __KERNEL__ */
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
+ * These constants are used to indicate what type of NAT-T code is used
|
|
|
|
|
+ */
|
|
|
|
|
+#define NAT_OLD_STYLE 1
|
|
|
|
|
+#define NAT_NEW_STYLE 2
|
|
|
|
|
+
|
|
|
|
|
+/*
|
|
|
|
|
* This is for the SA reference table. This number is related to the
|
|
|
|
|
* maximum number of SAs that KLIPS can concurrently deal with, plus enough
|
|
|
|
|
* space for keeping expired SAs around.
|
|
|
|
|
@@ -252,6 +258,10 @@
|
|
|
|
|
#endif
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
+#ifdef HAVE_UDP_ENCAP_CONVERT
|
|
|
|
|
+# define NAT_TRAVERSAL 1
|
|
|
|
|
+#endif
|
|
|
|
|
+
|
|
|
|
|
#ifndef IPSEC_DEFAULT_TTL
|
|
|
|
|
#define IPSEC_DEFAULT_TTL 64
|
|
|
|
|
#endif
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_rcv.h openswan-2.6.20/linux/include/openswan/ipsec_rcv.h
|
|
|
|
|
--- openswan-2.6.20.org/linux/include/openswan/ipsec_rcv.h 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/include/openswan/ipsec_rcv.h 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -136,7 +136,7 @@
|
|
|
|
|
struct ipcomphdr *compp;
|
|
|
|
|
} ipcompstuff;
|
|
|
|
|
} protostuff;
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
__u8 natt_type;
|
|
|
|
|
__u16 natt_sport;
|
|
|
|
|
__u16 natt_dport;
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_tunnel.h openswan-2.6.20/linux/include/openswan/ipsec_tunnel.h
|
|
|
|
|
--- openswan-2.6.20.org/linux/include/openswan/ipsec_tunnel.h 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/include/openswan/ipsec_tunnel.h 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -44,6 +44,12 @@
|
|
|
|
|
#define cf_name cf_u.cfu_name
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
+struct nattraversalconf
|
|
|
|
|
+{
|
|
|
|
|
+ uint32_t cf_fd;
|
|
|
|
|
+ uint32_t cf_type;
|
|
|
|
|
+};
|
|
|
|
|
+
|
|
|
|
|
#define IPSEC_SET_DEV (SIOCDEVPRIVATE)
|
|
|
|
|
#define IPSEC_DEL_DEV (SIOCDEVPRIVATE + 1)
|
|
|
|
|
#define IPSEC_CLR_DEV (SIOCDEVPRIVATE + 2)
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/include/openswan/ipsec_xmit.h openswan-2.6.20/linux/include/openswan/ipsec_xmit.h
|
|
|
|
|
--- openswan-2.6.20.org/linux/include/openswan/ipsec_xmit.h 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/include/openswan/ipsec_xmit.h 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -124,7 +124,7 @@
|
|
|
|
|
#endif /* NET_21 */
|
|
|
|
|
uint32_t eroute_pid;
|
|
|
|
|
struct ipsec_sa ips;
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
uint8_t natt_type;
|
|
|
|
|
uint8_t natt_head;
|
|
|
|
|
uint16_t natt_sport;
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_mast.c openswan-2.6.20/linux/net/ipsec/ipsec_mast.c
|
|
|
|
|
--- openswan-2.6.20.org/linux/net/ipsec/ipsec_mast.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/net/ipsec/ipsec_mast.c 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -235,7 +235,7 @@
|
|
|
|
|
goto cleanup;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
/* do any final NAT-encapsulation */
|
|
|
|
|
stat = ipsec_nat_encap(ixs);
|
|
|
|
|
if(stat != IPSEC_XMIT_OK) {
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_proc.c openswan-2.6.20/linux/net/ipsec/ipsec_proc.c
|
|
|
|
|
--- openswan-2.6.20.org/linux/net/ipsec/ipsec_proc.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/net/ipsec/ipsec_proc.c 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -368,7 +368,7 @@
|
|
|
|
|
}
|
|
|
|
|
#endif /* CONFIG_KLIPS_IPCOMP */
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
{
|
|
|
|
|
char *natttype_name;
|
|
|
|
|
|
|
|
|
|
@@ -635,11 +635,15 @@
|
|
|
|
|
return len;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
-unsigned int natt_available = 1;
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
|
|
|
|
|
+unsigned int natt_available = NAT_OLD_STYLE;
|
|
|
|
|
+#else
|
|
|
|
|
+#if defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
+unsigned int natt_available = NAT_NEW_STYLE;
|
|
|
|
|
#else
|
|
|
|
|
unsigned int natt_available = 0;
|
|
|
|
|
#endif
|
|
|
|
|
+#endif
|
|
|
|
|
module_param(natt_available,int,0644);
|
|
|
|
|
|
|
|
|
|
IPSEC_PROCFS_DEBUG_NO_STATIC
|
|
|
|
|
@@ -654,11 +658,15 @@
|
|
|
|
|
|
|
|
|
|
len += ipsec_snprintf(buffer + len,
|
|
|
|
|
length-len, "%d\n",
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
- 1
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
|
|
|
|
|
+ NAT_OLD_STYLE
|
|
|
|
|
+#else
|
|
|
|
|
+#if defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
+ NAT_NEW_STYLE
|
|
|
|
|
#else
|
|
|
|
|
0
|
|
|
|
|
#endif
|
|
|
|
|
+#endif
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
*start = buffer + (offset - begin); /* Start of wanted data */
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_rcv.c openswan-2.6.20/linux/net/ipsec/ipsec_rcv.c
|
|
|
|
|
--- openswan-2.6.20.org/linux/net/ipsec/ipsec_rcv.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/net/ipsec/ipsec_rcv.c 2009-03-14 22:41:35.000000000 +0100
|
|
|
|
|
@@ -1054,7 +1054,7 @@
|
|
|
|
|
irs->sa_len ? irs->sa : " (error)");
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
if (irs->proto == IPPROTO_ESP) {
|
|
|
|
|
KLIPS_PRINT(debug_rcv,
|
|
|
|
|
"klips_debug:ipsec_rcv: "
|
|
|
|
|
@@ -1172,7 +1172,7 @@
|
|
|
|
|
* if skb->sk is guaranteed to be valid here.
|
|
|
|
|
* 2005-04-16: mcr@xelerance.com
|
|
|
|
|
*/
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
/*
|
|
|
|
|
*
|
|
|
|
|
* XXX we should ONLY update pluto if the SA passes all checks,
|
|
|
|
|
@@ -1638,7 +1638,7 @@
|
|
|
|
|
}
|
|
|
|
|
#endif /* CONFIG_KLIPS_IPCOMP */
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
if ((irs->natt_type) && (ipp->protocol != IPPROTO_IPIP)) {
|
|
|
|
|
/**
|
|
|
|
|
* NAT-Traversal and Transport Mode:
|
|
|
|
|
@@ -1943,7 +1943,116 @@
|
|
|
|
|
*/
|
|
|
|
|
int klips26_udp_encap_rcv(struct sock *sk, struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
- return klips26_rcv_encap(skb, udp_sk(sk)->encap_type);
|
|
|
|
|
+ struct udp_sock *up = udp_sk(sk);
|
|
|
|
|
+ struct udphdr *uh;
|
|
|
|
|
+ struct iphdr *iph;
|
|
|
|
|
+ int iphlen, len;
|
|
|
|
|
+ int ret;
|
|
|
|
|
+
|
|
|
|
|
+ __u8 *udpdata;
|
|
|
|
|
+ __be32 *udpdata32;
|
|
|
|
|
+ __u16 encap_type = up->encap_type;
|
|
|
|
|
+
|
|
|
|
|
+ /* if this is not encapsulated socket, then just return now */
|
|
|
|
|
+ if (!encap_type)
|
|
|
|
|
+ return 1;
|
|
|
|
|
+
|
|
|
|
|
+ /* If this is a paged skb, make sure we pull up
|
|
|
|
|
+ * whatever data we need to look at. */
|
|
|
|
|
+ len = skb->len - sizeof(struct udphdr);
|
|
|
|
|
+ if (!pskb_may_pull(skb, sizeof(struct udphdr) + min(len, 8)))
|
|
|
|
|
+ return 1;
|
|
|
|
|
+
|
|
|
|
|
+ /* Now we can get the pointers */
|
|
|
|
|
+ uh = udp_hdr(skb);
|
|
|
|
|
+ udpdata = (__u8 *)uh + sizeof(struct udphdr);
|
|
|
|
|
+ udpdata32 = (__be32 *)udpdata;
|
|
|
|
|
+
|
|
|
|
|
+ switch (encap_type) {
|
|
|
|
|
+ default:
|
|
|
|
|
+ case UDP_ENCAP_ESPINUDP:
|
|
|
|
|
+ /* Check if this is a keepalive packet. If so, eat it. */
|
|
|
|
|
+ if (len == 1 && udpdata[0] == 0xff) {
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "UDP_ENCAP_ESPINUDP: keepalive packet detected\n");
|
|
|
|
|
+ goto drop;
|
|
|
|
|
+ } else if (len > sizeof(struct ip_esp_hdr) && udpdata32[0] != 0) {
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "UDP_ENCAP_ESPINUDP: ESP IN UDP packet detected\n");
|
|
|
|
|
+ /* ESP Packet without Non-ESP header */
|
|
|
|
|
+ len = sizeof(struct udphdr);
|
|
|
|
|
+ } else {
|
|
|
|
|
+ /* Must be an IKE packet.. pass it through */
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "UDP_ENCAP_ESPINUDP: IKE packet detected\n");
|
|
|
|
|
+ return 1;
|
|
|
|
|
+ }
|
|
|
|
|
+ break;
|
|
|
|
|
+ case UDP_ENCAP_ESPINUDP_NON_IKE:
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "UDP_ENCAP_ESPINUDP_NON_IKE: %d\n",
|
|
|
|
|
+ udpdata32[0]);
|
|
|
|
|
+ /* Check if this is a keepalive packet. If so, eat it. */
|
|
|
|
|
+ if (len == 1 && udpdata[0] == 0xff) {
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "UDP_ENCAP_ESPINUDP_NON_IKE: keepalive packet detected\n");
|
|
|
|
|
+ goto drop;
|
|
|
|
|
+ } else if (len > 2 * sizeof(u32) + sizeof(struct ip_esp_hdr) &&
|
|
|
|
|
+ udpdata32[0] == 0 && udpdata32[1] == 0) {
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "UDP_ENCAP_ESPINUDP_NON_IKE: ESP IN UDP NON IKE packet detected\n");
|
|
|
|
|
+ /* ESP Packet with Non-IKE marker */
|
|
|
|
|
+ len = sizeof(struct udphdr) + 2 * sizeof(u32);
|
|
|
|
|
+ } else {
|
|
|
|
|
+ /* Must be an IKE packet.. pass it through */
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "UDP_ENCAP_ESPINUDP_NON_IKE: IKE packet detected\n");
|
|
|
|
|
+ return 1;
|
|
|
|
|
+ }
|
|
|
|
|
+ break;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* At this point we are sure that this is an ESPinUDP packet,
|
|
|
|
|
+ * so we need to remove 'len' bytes from the packet (the UDP
|
|
|
|
|
+ * header and optional ESP marker bytes) and then modify the
|
|
|
|
|
+ * protocol to ESP, and then call into the transform receiver.
|
|
|
|
|
+ */
|
|
|
|
|
+ if (skb_cloned(skb) && pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) {
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "clone or expand problem\n");
|
|
|
|
|
+ goto drop;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* Now we can update and verify the packet length... */
|
|
|
|
|
+ iph = ip_hdr(skb);
|
|
|
|
|
+ iphlen = iph->ihl << 2;
|
|
|
|
|
+ iph->tot_len = htons(ntohs(iph->tot_len) - len);
|
|
|
|
|
+ if (skb->len < iphlen + len) {
|
|
|
|
|
+ /* packet is too small!?! */
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "packet too small\n");
|
|
|
|
|
+ goto drop;
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* pull the data buffer up to the ESP header and set the
|
|
|
|
|
+ * transport header to point to ESP. Keep UDP on the stack
|
|
|
|
|
+ * for later.
|
|
|
|
|
+ */
|
|
|
|
|
+ __skb_pull(skb, len);
|
|
|
|
|
+ skb_reset_transport_header(skb);
|
|
|
|
|
+
|
|
|
|
|
+ /* modify the protocol (it's ESP!) */
|
|
|
|
|
+ iph->protocol = IPPROTO_ESP;
|
|
|
|
|
+
|
|
|
|
|
+ /* process ESP */
|
|
|
|
|
+ KLIPS_PRINT(debug_rcv,
|
|
|
|
|
+ "starting processing ESP packet\n");
|
|
|
|
|
+ ret = klips26_rcv_encap(skb, encap_type);
|
|
|
|
|
+ return ret;
|
|
|
|
|
+
|
|
|
|
|
+drop:
|
|
|
|
|
+ kfree_skb(skb);
|
|
|
|
|
+ return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int klips26_rcv_encap(struct sk_buff *skb, __u16 encap_type)
|
|
|
|
|
@@ -2011,7 +2120,7 @@
|
|
|
|
|
|
|
|
|
|
irs->hard_header_len = skb->dev->hard_header_len;
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
switch(encap_type) {
|
|
|
|
|
case UDP_ENCAP_ESPINUDP:
|
|
|
|
|
irs->natt_type = ESPINUDP_WITH_NON_ESP;
|
|
|
|
|
@@ -2143,7 +2252,7 @@
|
|
|
|
|
irs->said.proto = 0;
|
|
|
|
|
|
|
|
|
|
irs->hard_header_len = 0;
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
irs->natt_type = 0;
|
|
|
|
|
irs->natt_len = 0;
|
|
|
|
|
#endif
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_sa.c openswan-2.6.20/linux/net/ipsec/ipsec_sa.c
|
|
|
|
|
--- openswan-2.6.20.org/linux/net/ipsec/ipsec_sa.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/net/ipsec/ipsec_sa.c 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -1011,7 +1011,7 @@
|
|
|
|
|
}
|
|
|
|
|
ips->ips_addr_p = NULL;
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
if(ips->ips_natt_oa) {
|
|
|
|
|
memset((caddr_t)(ips->ips_natt_oa), 0, ips->ips_natt_oa_size);
|
|
|
|
|
kfree(ips->ips_natt_oa);
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_tunnel.c openswan-2.6.20/linux/net/ipsec/ipsec_tunnel.c
|
|
|
|
|
--- openswan-2.6.20.org/linux/net/ipsec/ipsec_tunnel.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/net/ipsec/ipsec_tunnel.c 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -99,6 +99,11 @@
|
|
|
|
|
#include <linux/udp.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
+#ifdef HAVE_UDP_ENCAP_CONVERT
|
|
|
|
|
+#include <linux/file.h>
|
|
|
|
|
+#include "openswan/ipsec_rcv.h"
|
|
|
|
|
+#endif
|
|
|
|
|
+
|
|
|
|
|
static __u32 zeroes[64];
|
|
|
|
|
|
|
|
|
|
DEBUG_NO_STATIC int
|
|
|
|
|
@@ -571,7 +576,7 @@
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
stat = ipsec_nat_encap(ixs);
|
|
|
|
|
if(stat != IPSEC_XMIT_OK) {
|
|
|
|
|
goto cleanup;
|
|
|
|
|
@@ -1403,19 +1408,27 @@
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_UDP_ENCAP_CONVERT
|
|
|
|
|
case IPSEC_UDP_ENCAP_CONVERT:
|
|
|
|
|
- {
|
|
|
|
|
- unsigned int *socknum =(unsigned int *)&ifr->ifr_data;
|
|
|
|
|
+ {
|
|
|
|
|
+ struct nattraversalconf *nf = (struct nattraversalconf *)&ifr->ifr_data;
|
|
|
|
|
+ unsigned int socknum = nf->cf_fd;
|
|
|
|
|
+ unsigned int encaptype = nf->cf_type;
|
|
|
|
|
struct socket *sock;
|
|
|
|
|
+ struct sock *sk;
|
|
|
|
|
int err, fput_needed;
|
|
|
|
|
|
|
|
|
|
/* that's a static function in socket.c
|
|
|
|
|
* sock = sockfd_lookup_light(*socknum, &err, &fput_needed); */
|
|
|
|
|
- sock = sockfd_lookup(*socknum, &err);
|
|
|
|
|
+ sock = sockfd_lookup(socknum, &err);
|
|
|
|
|
+ KLIPS_PRINT(debug_tunnel
|
|
|
|
|
+ , "socknum: %u, err: %d\n"
|
|
|
|
|
+ , socknum, err);
|
|
|
|
|
if (!sock)
|
|
|
|
|
goto encap_out;
|
|
|
|
|
|
|
|
|
|
+ sk = sock->sk;
|
|
|
|
|
+
|
|
|
|
|
/* check that it's a UDP socket */
|
|
|
|
|
- udp_sk(sk)->encap_type = UDP_ENCAP_ESPINUDP_NON_IKE;
|
|
|
|
|
+ udp_sk(sk)->encap_type = encaptype;
|
|
|
|
|
udp_sk(sk)->encap_rcv = klips26_udp_encap_rcv;
|
|
|
|
|
|
|
|
|
|
KLIPS_PRINT(debug_tunnel
|
|
|
|
|
@@ -1976,7 +1989,7 @@
|
|
|
|
|
ixs->ips.ips_ident_s.data = NULL;
|
|
|
|
|
ixs->ips.ips_ident_d.data = NULL;
|
|
|
|
|
ixs->outgoing_said.proto = 0;
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
ixs->natt_type = 0, ixs->natt_head = 0;
|
|
|
|
|
ixs->natt_sport = 0, ixs->natt_dport = 0;
|
|
|
|
|
#endif
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/net/ipsec/ipsec_xmit.c openswan-2.6.20/linux/net/ipsec/ipsec_xmit.c
|
|
|
|
|
--- openswan-2.6.20.org/linux/net/ipsec/ipsec_xmit.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/net/ipsec/ipsec_xmit.c 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -1597,7 +1597,7 @@
|
|
|
|
|
ixs->tailroom += ixs->blocksize != 1 ?
|
|
|
|
|
((ixs->blocksize - ((ixs->pyldsz + 2) % ixs->blocksize)) % ixs->blocksize) + 2 :
|
|
|
|
|
((4 - ((ixs->pyldsz + 2) % 4)) % 4) + 2;
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
if ((ixs->ipsp->ips_natt_type) && (!ixs->natt_type)) {
|
|
|
|
|
ixs->natt_type = ixs->ipsp->ips_natt_type;
|
|
|
|
|
ixs->natt_sport = ixs->ipsp->ips_natt_sport;
|
|
|
|
|
@@ -1762,7 +1762,7 @@
|
|
|
|
|
}
|
|
|
|
|
#endif /* MSS_HACK */
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
if ((ixs->natt_type) && (ixs->outgoing_said.proto != IPPROTO_IPIP)) {
|
|
|
|
|
/**
|
|
|
|
|
* NAT-Traversal and Transport Mode:
|
|
|
|
|
@@ -1929,7 +1929,7 @@
|
|
|
|
|
}
|
|
|
|
|
#endif /* NETDEV_23 */
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
enum ipsec_xmit_value ipsec_nat_encap(struct ipsec_xmit_state *ixs)
|
|
|
|
|
{
|
|
|
|
|
if (ixs->natt_type && ixs->natt_head) {
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_ext_process.c openswan-2.6.20/linux/net/ipsec/pfkey_v2_ext_process.c
|
|
|
|
|
--- openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_ext_process.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/net/ipsec/pfkey_v2_ext_process.c 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -716,7 +716,7 @@
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
int
|
|
|
|
|
pfkey_x_nat_t_type_process(struct sadb_ext *pfkey_ext, struct pfkey_extracted_data* extr)
|
|
|
|
|
{
|
|
|
|
|
diff -Naur openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_parser.c openswan-2.6.20/linux/net/ipsec/pfkey_v2_parser.c
|
|
|
|
|
--- openswan-2.6.20.org/linux/net/ipsec/pfkey_v2_parser.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/linux/net/ipsec/pfkey_v2_parser.c 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -405,7 +405,7 @@
|
|
|
|
|
struct sadb_msg *pfkey_reply = NULL;
|
|
|
|
|
struct socket_list *pfkey_socketsp;
|
|
|
|
|
uint8_t satype = ((struct sadb_msg*)extensions[K_SADB_EXT_RESERVED])->sadb_msg_satype;
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
struct ipsec_sa *nat_t_ips_saved = NULL;
|
|
|
|
|
#endif
|
|
|
|
|
KLIPS_PRINT(debug_pfkey,
|
|
|
|
|
@@ -453,7 +453,7 @@
|
|
|
|
|
sa_len ? sa : " (error)",
|
|
|
|
|
extr->ips->ips_flags & EMT_INBOUND ? "in" : "out");
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
if (extr->ips->ips_natt_sport || extr->ips->ips_natt_dport) {
|
|
|
|
|
KLIPS_PRINT(debug_pfkey,
|
|
|
|
|
"klips_debug:pfkey_update_parse: only updating NAT-T ports "
|
|
|
|
|
@@ -622,7 +622,7 @@
|
|
|
|
|
pfkey_socketsp->socketp);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
if (nat_t_ips_saved) {
|
|
|
|
|
/**
|
|
|
|
|
* As we _really_ update existing SA, we keep tdbq and need to delete
|
|
|
|
|
@@ -2547,7 +2547,7 @@
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
int
|
|
|
|
|
pfkey_nat_t_new_mapping(struct ipsec_sa *ipsp, struct sockaddr *ipaddr,
|
|
|
|
|
__u16 sport)
|
|
|
|
|
@@ -2707,7 +2707,7 @@
|
|
|
|
|
pfkey_address_process,
|
|
|
|
|
pfkey_x_debug_process,
|
|
|
|
|
pfkey_x_protocol_process,
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
pfkey_x_nat_t_type_process,
|
|
|
|
|
pfkey_x_nat_t_port_process,
|
|
|
|
|
pfkey_x_nat_t_port_process,
|
|
|
|
|
@@ -2812,7 +2812,7 @@
|
|
|
|
|
pfkey_x_addflow_parse,
|
|
|
|
|
pfkey_x_delflow_parse,
|
|
|
|
|
pfkey_x_msg_debug_parse,
|
|
|
|
|
-#ifdef CONFIG_IPSEC_NAT_TRAVERSAL
|
|
|
|
|
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL) || defined(HAVE_UDP_ENCAP_CONVERT)
|
|
|
|
|
pfkey_x_nat_t_new_mapping_parse,
|
|
|
|
|
#else
|
|
|
|
|
NULL,
|
|
|
|
|
diff -Naur openswan-2.6.20.org/programs/pluto/nat_traversal.c openswan-2.6.20/programs/pluto/nat_traversal.c
|
|
|
|
|
--- openswan-2.6.20.org/programs/pluto/nat_traversal.c 2009-02-10 05:54:47.000000000 +0100
|
|
|
|
|
+++ openswan-2.6.20/programs/pluto/nat_traversal.c 2009-03-14 22:36:22.000000000 +0100
|
|
|
|
|
@@ -24,11 +24,15 @@
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <signal.h> /* used only if MSG_NOSIGNAL not defined */
|
|
|
|
|
+#include <sys/ioctl.h>
|
|
|
|
|
+#include <net/if.h>
|
|
|
|
|
|
|
|
|
|
#include <openswan.h>
|
|
|
|
|
#include <openswan/ipsec_policy.h>
|
|
|
|
|
#include <openswan/pfkeyv2.h>
|
|
|
|
|
#include <openswan/pfkey.h>
|
|
|
|
|
+#include <openswan/ipsec_param.h>
|
|
|
|
|
+#include <openswan/ipsec_tunnel.h>
|
|
|
|
|
|
|
|
|
|
#include "sysdep.h"
|
|
|
|
|
#include "constants.h"
|
|
|
|
|
@@ -68,6 +72,8 @@
|
|
|
|
|
|
|
|
|
|
#define DEFAULT_KEEP_ALIVE_PERIOD 20
|
|
|
|
|
|
|
|
|
|
+static unsigned int nat_traversal_type = 0;
|
|
|
|
|
+
|
|
|
|
|
bool nat_traversal_enabled = FALSE;
|
|
|
|
|
bool nat_traversal_support_non_ike = FALSE;
|
|
|
|
|
bool nat_traversal_support_port_floating = FALSE;
|
|
|
|
|
@@ -101,6 +107,10 @@
|
|
|
|
|
nat_traversal_support_port_floating=FALSE;
|
|
|
|
|
openswan_log(" KLIPS does not have NAT-Traversal built in (see /proc/net/ipsec/natt)\n");
|
|
|
|
|
}
|
|
|
|
|
+ else {
|
|
|
|
|
+ nat_traversal_type = atoi(&n);
|
|
|
|
|
+ openswan_log(" KLIPS using NAT-Traversal Method %c\n", n);
|
|
|
|
|
+ }
|
|
|
|
|
fclose(f);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
@@ -667,7 +677,22 @@
|
|
|
|
|
int nat_traversal_espinudp_socket (int sk, const char *fam, u_int32_t type)
|
|
|
|
|
{
|
|
|
|
|
int r;
|
|
|
|
|
- r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
|
|
|
|
|
+ if (nat_traversal_type == NAT_OLD_STYLE) {
|
|
|
|
|
+ loglog(RC_LOG_SERIOUS,
|
|
|
|
|
+ "NAT-Traversal: Trying old style NAT-T");
|
|
|
|
|
+ r = setsockopt(sk, SOL_UDP, UDP_ESPINUDP, &type, sizeof(type));
|
|
|
|
|
+ }
|
|
|
|
|
+ if (nat_traversal_type == NAT_NEW_STYLE) {
|
|
|
|
|
+ loglog(RC_LOG_SERIOUS,
|
|
|
|
|
+ "NAT-Traversal: Trying new style NAT-T");
|
|
|
|
|
+ struct ifreq ifr;
|
|
|
|
|
+ struct nattraversalconf *ntc=(struct nattraversalconf *)&ifr.ifr_data;
|
|
|
|
|
+ memset(&ifr, 0, sizeof(ifr));
|
|
|
|
|
+ strcpy(ifr.ifr_name, "ipsec0");
|
|
|
|
|
+ ntc->cf_fd = sk;
|
|
|
|
|
+ ntc->cf_type = type;
|
|
|
|
|
+ r = ioctl(sk, IPSEC_UDP_ENCAP_CONVERT, &ifr);
|
|
|
|
|
+ }
|
|
|
|
|
if ((r<0) && (errno == ENOPROTOOPT)) {
|
|
|
|
|
loglog(RC_LOG_SERIOUS,
|
|
|
|
|
"NAT-Traversal: ESPINUDP(%d) not supported by kernel for family %s"
|
Ben Schweikert