svn commit: r496938 - in head/security/ipsec-tools: . files

Eugene Grosbein eugen at FreeBSD.org
Wed Mar 27 08:56:38 UTC 2019


Author: eugen
Date: Wed Mar 27 08:56:35 2019
New Revision: 496938
URL: https://svnweb.freebsd.org/changeset/ports/496938

Log:
  security/ipsec-tools: small correction NATT patch
  
  This change fixes a rare case for "site to site" IPSec tunnel mode
  when the remote peer is behind NAT and has its own LAN behind it.
  Now this works too (previously NATT worked only for a single host behind NAT).

Modified:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/natt.diff

Modified: head/security/ipsec-tools/Makefile
==============================================================================
--- head/security/ipsec-tools/Makefile	Wed Mar 27 08:36:30 2019	(r496937)
+++ head/security/ipsec-tools/Makefile	Wed Mar 27 08:56:35 2019	(r496938)
@@ -8,7 +8,7 @@
 
 PORTNAME=	ipsec-tools
 PORTVERSION=	0.8.2
-PORTREVISION=	7
+PORTREVISION=	8
 CATEGORIES=	security
 MASTER_SITES=	SF
 

Modified: head/security/ipsec-tools/files/natt.diff
==============================================================================
--- head/security/ipsec-tools/files/natt.diff	Wed Mar 27 08:36:30 2019	(r496937)
+++ head/security/ipsec-tools/files/natt.diff	Wed Mar 27 08:56:35 2019	(r496938)
@@ -82,12 +82,14 @@
  	return pfkey_send_add2(&psaa);
 --- src/racoon/isakmp_quick.c
 +++ src/racoon/isakmp_quick.c
-@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+@@ -2390,6 +2390,34 @@
  			     spidx.src.ss_family, spidx.dst.ss_family,
  			     _XIDT(iph2->id_p),idi2type);
  		}
 +#ifdef ENABLE_NATT
-+		if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
++		if (iph2->ph1->natt_flags & NAT_DETECTED_PEER
++		    && _XIDT(iph2->id) != IPSECDOI_ID_IPV4_ADDR_SUBNET
++		    && _XIDT(iph2->id) != IPSECDOI_ID_IPV6_ADDR_SUBNET) {
 +			u_int16_t port;
 +
 +			port = extract_port(&spidx.src);
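Review bot: The new subnet exclusion tests `_XIDT(iph2->id)`, while the surrounding code it guards works on the peer's side — the context line logs `_XIDT(iph2->id_p)` and the branch goes on to rewrite the port of `spidx.src`, which is derived from the peer's identity. If racoon's `id` is the local IDcr and `id_p` the peer's IDci (as the field naming suggests; confirm in handler.h and quick_r1recv), then a remote LAN behind NAT paired with a single-host local ID would still enter the port-rewrite branch, which is exactly the case the log message says is fixed. I would either test the peer's identity, `&& _XIDT(iph2->id_p) != IPSECDOI_ID_IPV4_ADDR_SUBNET`, or test both `id` and `id_p`, and add a one-line comment such as `/* NAT port rewrite only makes sense for single-host IDs, not subnets */` so the intent survives the next rebase of this patch. The inner hunk header also dropped its `get_proposal_r(iph2)` function context, which is harmless but makes the patch harder to place by eye. The enclosing function get_proposal_r begins and ends outside this hunk.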

