FreeBSD NAT-T patch integration [CFR/CFT]

Matthew Grooms mgrooms at shrew.net
Tue Jul 22 00:03:24 UTC 2008


> > I noticed this too. But the only situation that I could think of where a
> > valid ISAKMP packet will be smaller than this is a NAT-T keep-alive.
> > These are handled previously in the code path so I don't think there is
> > an issue from a functional standpoint.
>
> That's what I also supposed when I noticed that, but I was tracking
> down a negotiation problem (as an initiator, responder's first
> exchange in Main mode was seen on tcpdump but not on racoon's log),
> and it has been solved by fixing that part of the code....
>

Sounds reasonable.

> > On a related note, I noticed the patch unconditionally uses a source
> > port of 500 when processing outbound Draft 00/01 packets. Should this
> > value be obtained from the SAD NAT-T mapping to support an IKE daemon
> > bound to a non standard port?
> 
> It should really really not happen..... but yes, it would be cleaner
> to get it from SAD than setting 500 anytime.
>

Well, it's really really supported by all the IKE daemons I have seen in 
the ports collection. Someone is bound to try this and then spend a lot 
of time scratching their head. If this situation can be easily avoided, 
it should be.

-Matthew
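Added example (editor's code, not part of this thread, the NAT-T patch, or racoon) illustrating the two points discussed above: a UDP-encapsulation demultiplexer that recognises the single-byte 0xff keep-alive before any "at least an ISAKMP header" length check, and an outbound source-port lookup that takes the port from a per-SA mapping instead of hard-wiring 500. The RFC 3948 encapsulation (4-byte non-ESP marker on UDP/4500) and the draft 00/01 encapsulation (8-byte non-IKE marker before ESP, IKE carried bare on UDP/500) are both handled. Assumptions: the keep-alive format of RFC 3948 section 2.3 is taken to apply to the draft modes as well, the `struct natt_mapping` layout is hypothetical, and the sample packets are constructed, not captures.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Encapsulation variants discussed in the thread. */
enum natt_encap {
    NATT_ENCAP_RFC3948 = 0,   /* UDP/4500, 4-byte non-ESP marker before IKE  */
    NATT_ENCAP_DRAFT00_01     /* UDP/500, 8-byte non-IKE marker before ESP   */
};

enum natt_pkt { NATT_PKT_INVALID = 0, NATT_PKT_KEEPALIVE, NATT_PKT_ESP, NATT_PKT_IKE };

#define ISAKMP_HDR_LEN      28   /* RFC 2408 section 3.1                      */
#define ESP_MIN_LEN          8   /* SPI + sequence number                     */
#define NON_ESP_MARKER_LEN   4   /* RFC 3948 section 2.2                      */
#define NON_IKE_MARKER_LEN   8   /* draft-ietf-ipsec-udp-encaps-00/01         */
#define NATT_KEEPALIVE_BYTE  0xff

static int all_zero(const uint8_t *p, size_t n)
{
    while (n--)
        if (*p++)
            return 0;
    return 1;
}

/* Classify one UDP payload from the NAT-T socket. If payload_off is non-NULL
 * it receives the offset of the inner IKE/ESP data. The keep-alive test runs
 * first: a keep-alive is a single 0xff byte, so a minimum-length check meant
 * for ISAKMP headers placed ahead of it would silently drop every one. */
enum natt_pkt natt_classify(enum natt_encap encap, const uint8_t *p, size_t len,
                            size_t *payload_off)
{
    if (payload_off)
        *payload_off = 0;
    if (len == 1 && p[0] == NATT_KEEPALIVE_BYTE)
        return NATT_PKT_KEEPALIVE;

    if (encap == NATT_ENCAP_RFC3948) {
        /* SPI 0 is reserved, so four zero bytes can only be the non-ESP marker. */
        if (len >= NON_ESP_MARKER_LEN + ISAKMP_HDR_LEN && all_zero(p, NON_ESP_MARKER_LEN)) {
            if (payload_off)
                *payload_off = NON_ESP_MARKER_LEN;
            return NATT_PKT_IKE;
        }
        if (len >= ESP_MIN_LEN && !all_zero(p, 4))
            return NATT_PKT_ESP;
        return NATT_PKT_INVALID;
    }

    /* Draft 00/01: ESP is prefixed by an 8-byte zero non-IKE marker; an IKE
     * packet starts with its initiator cookie, which is never all zero. */
    if (len >= NON_IKE_MARKER_LEN + ESP_MIN_LEN && all_zero(p, NON_IKE_MARKER_LEN)) {
        if (payload_off)
            *payload_off = NON_IKE_MARKER_LEN;
        return NATT_PKT_ESP;
    }
    if (len >= ISAKMP_HDR_LEN && !all_zero(p, 8))
        return NATT_PKT_IKE;
    return NATT_PKT_INVALID;
}

/* The ordering bug from the thread, kept for contrast: checking the ISAKMP
 * minimum length before the keep-alive test rejects every keep-alive. */
enum natt_pkt natt_classify_length_first(enum natt_encap encap, const uint8_t *p,
                                         size_t len, size_t *payload_off)
{
    if (len < ISAKMP_HDR_LEN)
        return NATT_PKT_INVALID;            /* keep-alive lost here */
    return natt_classify(encap, p, len, payload_off);
}

/* Hypothetical per-SA NAT-T mapping, as the SAD would record it. */
struct natt_mapping {
    enum natt_encap encap;
    uint16_t local_port;    /* port the IKE daemon actually bound, 0 if unset */
    uint16_t remote_port;
};

/* Source port for an outbound encapsulated packet: taken from the mapping so
 * a daemon bound to a non-standard port keeps working; only an unset port
 * falls back to the encapsulation's default. */
uint16_t natt_outbound_sport(const struct natt_mapping *m)
{
    if (m->local_port != 0)
        return m->local_port;
    return m->encap == NATT_ENCAP_RFC3948 ? 4500 : 500;
}
```

The constructed inputs worth trying are a one-byte 0xff keep-alive, 32 bytes of four zeros followed by a non-zero cookie (RFC 3948 IKE), and 28 bytes starting with a non-zero cookie (draft 00/01 IKE); the length-first variant returns NATT_PKT_INVALID for the keep-alive while natt_classify returns NATT_PKT_KEEPALIVE.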

