FreeBSD NAT-T patch integration [CFR/CFT]
Matthew Grooms
mgrooms at shrew.net
Tue Jul 22 00:03:24 UTC 2008
> > I noticed this too. But the only situation that I could think of where a
> > valid ISAKMP packet will be smaller than this is a NAT-T keep-alive.
> > These are handled previously in the code path so I don't think there is
> > an issue from a functional standpoint.
>
> That's what I also supposed when I noticed that, but I was tracking
> down a negotiation problem (as an initiator, responder's first
> exchange in Main mode was seen on tcpdump but not on racoon's log),
> and it has been solved by fixing that part of the code....
>
Sounds reasonable.
> > On a related note, I noticed the patch unconditionally uses a source
> > port of 500 when processing outbound Draft 00/01 packets. Should this
> > value be obtained from the SAD NAT-T mapping to support an IKE daemon
> > bound to a non standard port?
>
> It should really really not happen..... but yes, it would be cleaner
> to get it from SAD than setting 500 anytime.
>
Well, its really really supported by all the IKE daemons I have seen in
the ports collection. Someone is bound to try this and then spend a lot
of time scratching their head. If this situation can be easily avoided,
it should be.
-Matthew
More information about the freebsd-net
mailing list