NetBSD-Bugs archive


Re: bin/47894: racoon w/NAT-T - pfkey update: wrong ports



Hi Gergely, thank you for your report.

(2014/06/06 19:35), Egerváry Gergely wrote:
>  Now I'm testing on NetBSD-6.99.43 (Tue Jun  3 23:27:56 CEST 2014) and
>  it still does not work when the client is behind NAT; I get udp/500
>  instead of udp/4500:

I think your kernel receives the NAT-T port information correctly.
But your kernel doesn't respond to racoon with the received NAT-T
information, so racoon's log is broken.

Please check your SAD using the setkey command:

 # setkey -D

You can find UDP information like:

  10.0.0.1[37905] 10.255.255.1[37905]
          esp-udp mode=transport spi=264954840(0x0fcae3d8) reqid=0(0x00000000)

Soooo sorry, there is a byte-order bug... ntohs(37905) = 4500.
I think there are more BUGs. I will continue to debug, please wait.


Hi Christos, here is my patch. Please check.

cvs diff: Diffing netipsec
Index: netipsec/key.c
===================================================================
RCS file: /cvs/cvsroot/src/sys/netipsec/key.c,v
retrieving revision 1.90
diff -u -w -p -r1.90 key.c
--- netipsec/key.c      5 Jun 2014 17:18:19 -0000       1.90
+++ netipsec/key.c      13 Jun 2014 11:54:57 -0000
@@ -5612,11 +5612,14 @@ key_getmsgbuf_x1(struct mbuf *m, const s
                panic("key_getmsgbuf_x1: NULL pointer is passed");

        /* create new sadb_msg to reply. */
-       n = key_gather_mbuf(m, mhp, 1, 9, SADB_EXT_RESERVED,
+       n = key_gather_mbuf(m, mhp, 1, 15, SADB_EXT_RESERVED,
            SADB_EXT_SA, SADB_X_EXT_SA2,
            SADB_EXT_ADDRESS_SRC, SADB_EXT_ADDRESS_DST,
            SADB_EXT_LIFETIME_HARD, SADB_EXT_LIFETIME_SOFT,
-           SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST);
+           SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST,
+           SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT,
+           SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OAI,
+           SADB_X_EXT_NAT_T_OAR, SADB_X_EXT_NAT_T_FRAG);
        if (!n)
                return NULL;
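Review bot: the extension count passed to key_gather_mbuf goes from 9 to 15, which matches the six SADB_X_EXT_NAT_T_* identifiers appended to the variadic list (TYPE, SPORT, DPORT, OAI, OAR, FRAG); since the reply built by key_getmsgbuf_x1 now always names these extensions, confirm that key_gather_mbuf tolerates their absence from mhp for an SA that has no NAT-T information, otherwise replies for plain IPsec SAs change. Note also that this hunk only adds the NAT-T extensions to the reply and does not address the port byte-order problem described above (ntohs(37905) = 4500), so that part still needs a separate change.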


-- 
SUENAGA Hiroki <hsuenaga%netbsd.org@localhost>
facebook.com/hiroki.suenaga

PGP: 66B3 8939 6758 20BA F243  89EC 557A 8CFB ABA9 5E92
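Added example, not part of this message or of the NetBSD source: it models the byte-order problem behind the "[37905]" in the setkey -D output. The struct layout is an assumption modelled on NetBSD's struct sadb_x_nat_t_port (port carried in network byte order); the extension-type value is a placeholder.

```c
#include <arpa/inet.h>   /* htons/ntohs */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: layout modelled on NetBSD's struct sadb_x_nat_t_port. */
struct natt_port_ext {
    uint16_t len;       /* extension length in 64-bit units */
    uint16_t exttype;   /* SADB_X_EXT_NAT_T_SPORT or _DPORT */
    uint16_t port;      /* UDP port, network byte order */
    uint16_t reserved;
};

#define NATT_EXTTYPE_PLACEHOLDER 0  /* placeholder, not the real constant */

/* Fill the extension the way a PF_KEY sender does: port in wire order. */
struct natt_port_ext natt_port_ext_build(uint16_t exttype, uint16_t host_port)
{
    struct natt_port_ext e;
    memset(&e, 0, sizeof e);
    e.len = sizeof e / 8;
    e.exttype = exttype;
    e.port = htons(host_port);
    return e;
}

/* Correct consumer: convert to host order before printing or comparing. */
uint16_t natt_port_read(const struct natt_port_ext *e) { return ntohs(e->port); }

/* Buggy consumer: treats the wire-order field as host order. On a
 * little-endian host this turns 4500 into 37905, as seen in the dump. */
uint16_t natt_port_read_buggy(const struct natt_port_ext *e) { return e->port; }

/* Build for host_port and read it back through the correct path. */
uint16_t natt_port_roundtrip(uint16_t host_port)
{
    struct natt_port_ext e = natt_port_ext_build(NATT_EXTTYPE_PLACEHOLDER, host_port);
    return natt_port_read(&e);
}

/* Check on a dumped port: not the expected value, but its byte swap is. */
int natt_port_looks_swapped(uint16_t dumped, uint16_t expected)
{
    return dumped != expected && ntohs(dumped) == expected;
}

int main(void)
{
    struct natt_port_ext e = natt_port_ext_build(NATT_EXTTYPE_PLACEHOLDER, 4500);
    printf("correct=%u buggy=%u swapped=%d\n", (unsigned)natt_port_read(&e),
           (unsigned)natt_port_read_buggy(&e),
           natt_port_looks_swapped(natt_port_read_buggy(&e), 4500));
    return 0;
}
```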

