Subject: NAT-T patch to review
To: None <firstname.lastname@example.org>
From: Emmanuel Dreyfus <email@example.com>
Date: 09/30/2004 17:26:26
I finnally fixed my problems with ESP handling in NAT-T: called from usp_input,
I was sending the mbuf to esp_input, but both udp_input and esp_input free
the mbuf after processing, thus resulting in a double free. Using m_dup
on the mbuf fixed the problem.
Using the patch at the address below and latest racoon from ipsec-tools
(I submitted the patches, it now builds nicely on NetBSD), I have been able to
use the Cisco VPN client from behind a NAT with NetBSD as the VPN server
using hybrid authentication. I was able to reach a machine outside the VPN.
I did not tried ill-setups such as boths VPN end behind a NAT or the VPN
server behind a NAT.
There is one bit missing, with a message from racoon sent through the PF_KEY
socket I never encountered yet: SADB_X_NAT_T_NEW_MAPPING. I still have
to understand in what situation this happens.
Please comment on the patch. I plan to add an ifdef IPSEC_NAT_T and make it
a kernel config option, disabled by default in GENERIC. I think about
committing the missing bit once I'll encounter the problem it should fix.