svn commit: r496938 - in head/security/ipsec-tools: . files
Eugene Grosbein
eugen at FreeBSD.org
Wed Mar 27 08:56:38 UTC 2019
Author: eugen
Date: Wed Mar 27 08:56:35 2019
New Revision: 496938
URL: https://svnweb.freebsd.org/changeset/ports/496938
Log:
security/ipsec-tools: small correction to NATT patch
This change fixes a rare case for "site to site" IPSec tunnel mode
when the remote peer is behind NAT and has its own LAN behind it.
Now this works too (previously NATT worked only for a single host behind NAT).
Modified:
head/security/ipsec-tools/Makefile
head/security/ipsec-tools/files/natt.diff
Modified: head/security/ipsec-tools/Makefile
==============================================================================
--- head/security/ipsec-tools/Makefile Wed Mar 27 08:36:30 2019 (r496937)
+++ head/security/ipsec-tools/Makefile Wed Mar 27 08:56:35 2019 (r496938)
@@ -8,7 +8,7 @@
PORTNAME= ipsec-tools
PORTVERSION= 0.8.2
-PORTREVISION= 7
+PORTREVISION= 8
CATEGORIES= security
MASTER_SITES= SF
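Review bot: the PORTREVISION bump from 7 to 8 is the correct accompaniment to the change in files/natt.diff, since the built package changes while PORTVERSION stays at 0.8.2; nothing further to flag in this hunk.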
Modified: head/security/ipsec-tools/files/natt.diff
==============================================================================
--- head/security/ipsec-tools/files/natt.diff Wed Mar 27 08:36:30 2019 (r496937)
+++ head/security/ipsec-tools/files/natt.diff Wed Mar 27 08:56:35 2019 (r496938)
@@ -82,12 +82,14 @@
return pfkey_send_add2(&psaa);
--- src/racoon/isakmp_quick.c
+++ src/racoon/isakmp_quick.c
-@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+@@ -2390,6 +2390,34 @@
spidx.src.ss_family, spidx.dst.ss_family,
_XIDT(iph2->id_p),idi2type);
}
+#ifdef ENABLE_NATT
-+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER
++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV4_ADDR_SUBNET
++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV6_ADDR_SUBNET) {
+ u_int16_t port;
+
+ port = extract_port(&spidx.src);
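Review bot: the widened condition skips the port extraction whenever the peer identity is an IPv4 or IPv6 subnet ID, but nothing in the patch says why; a one-line comment above the `if` (e.g. "a subnet ID means a LAN behind the NATed peer, so no single port applies") would save the next reader a trip to the commit log. The hunk header length change from 32 to 34 is consistent with the two added lines, and dropping the `get_proposal_r(iph2)` function-name context from the `@@` line is harmless since patch(1) ignores it.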