
List:       ipsec-tools-devel
Subject:    Re: [Ipsec-tools-devel] patch supporting individual natt ports for
From:       "Wolfgang Schmieder" <wolfgang () die-schmieders ! de>
Date:       2011-11-23 5:51:22
Message-ID: 5D5E662965074D0687E67DE40521AF08 () Avitos

Timo,

please find attached Version 2 of my 'individual natt port' patch. 

I was unsure if I could disclaim the individual natt port feature and now
finally came to the conclusion that I need it, and it could make sense for
anybody else as well. I will need it especially for the configuration
proposal which you gave me to address multiple vpn gateways behind a natt
router. I will come to this in a separate email.

Version 1 of this patch was very confusing, because I tried to prepare
already my succeeding 'destination' patch. I could drop my 'destination'
approach based on your feedback, and my revised V2 of my 'individual natt
port' approach could be streamlined dramatically; everything is
straightforward now. The syntax could be simplified as well and the man page
is also updated accordingly.

This is the syntax extension:
========================================
remote address [[port]] { 
...
	nat_traversal [[port]] (on|off|force);
...
}

The patch is based on my previous patch p4b-p4a_anonymous_port.patch. It
particularly requires the ike_port_natt extension
from my V2_p4a-p3b_default_natt_port_in_listen_block.patch.


Thanks and Regards
	Wolfgang

P.S.: Sorry for giving you so much work.

-----Original Message-----
From: Timo Teräs [mailto:timo.teras@gmail.com] On behalf of Timo Teräs
Sent: Saturday, 12 November 2011 13:33
To: Wolfgang Schmieder
Cc: ipsec-tools-devel@lists.sourceforge.net
Subject: Re: [Ipsec-tools-devel] patch supporting individual natt ports for
each remote connection

Hi,

On 11/07/2011 10:17 PM, Wolfgang Schmieder wrote:
> please find attached a patch which will allow to specify individual natt
> ports for each remote connection in the racoon configuration file. The
> patch is based on a CVS trunk snapshot from yesterday evening:
> anoncvs@anoncvs.netbsd.org:/cvsroot at 2011-11-06 22:00h MEZ plus my
> previous patch p2-p1_memory_leak_fixes_parser.patch.tar.bz2.
> 
> 
> The configuration file syntax examples are as follows:
> remote 199.16.4.17 [501],[4501] { ... # use port 501 and natt port 4501
> ...
> }
> 
> Alternative syntax:
> remote "remote site" { ...
>     remote_address 199.16.4.17 [501],[4501] ...
> }

I'm slightly confused what this should do. Where is the manpage patch that
describes this new feature?

It seems that the general idea is to specify the *remotes* ports, but
this seems to also affect the choice of local ports.

This seems to at least affect the port choices when being initiator for
a connection. Does this also affect responder mode (that is, the
incoming request does not match the remote block unless ports match)?

In either case, this seems to be a tricky option, as most NAT gateways
just can go and change your port numbers, which makes this not work
properly. You'd need to have a lot of control over how the NAT box
behaves. In that case it'd probably be just easier to have separate IPs.

In addition to understanding how this works, and why it's useful, I
also have some implementation details I'm not uncomfortable with. Mostly
to do with the "enum RMCONF_ERR", "rmconf_errinfo_t" and related error
handling. These could be simplified.

- Timo

["V2_p4c-p4b_individual_remote_natt_ports.patch.tar.bz2" (application/octet-stream)]
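As an added illustration (not code from the patch or from racoon itself), the following Python reader interprets a `remote` block written in the V2 syntax above, `remote address [[port]] { nat_traversal [[port]] (on|off|force); }`, and validates the port values. The defaults of UDP 500 for IKE and 4500 for NAT-T, the default mode `off` when no `nat_traversal` statement is present, and the sample configuration block are assumptions made for this example.

```python
import re

# Assumed defaults when no port is given in brackets: the standard
# IKE (500) and NAT-T (4500) UDP ports; racoon's own default is assumed to be 'off'.
DEFAULT_IKE_PORT = 500
DEFAULT_NATT_PORT = 4500

# remote <address> [<port>] {        -- the port in brackets is optional
REMOTE_RE = re.compile(r'^\s*remote\s+(\S+?)(?:\s*\[(\d+)\])?\s*\{\s*$')
# nat_traversal [<port>] (on|off|force);   -- V2 syntax, bracketed port optional
NATT_RE = re.compile(r'^\s*nat_traversal\s+(?:\[(\d+)\]\s+)?(on|off|force)\s*;\s*$')


def _port(text, default):
    """Return the bracketed port as an int, or the default if none was given."""
    if text is None:
        return default
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_remote_block(config):
    """Parse one 'remote' block and return its address, IKE port, NAT-T port and mode."""
    lines = config.strip().splitlines()
    head = REMOTE_RE.match(lines[0])
    if not head:
        raise ValueError("expected: remote address [[port]] {")
    result = {"address": head.group(1),
              "ike_port": _port(head.group(2), DEFAULT_IKE_PORT),
              "natt_port": DEFAULT_NATT_PORT,
              "natt_mode": "off"}
    for line in lines[1:]:
        line = line.split("#", 1)[0].strip()  # racoon.conf uses '#' comments
        if not line or line == "}":
            continue
        stmt = NATT_RE.match(line)
        if stmt:
            result["natt_port"] = _port(stmt.group(1), DEFAULT_NATT_PORT)
            result["natt_mode"] = stmt.group(2)
        # other statements in the block are ignored by this illustration
    return result


# Constructed sample block in the proposed V2 syntax (not from the thread).
EXAMPLE_CONFIG = """remote 199.16.4.17 [501] {
    exchange_mode main;
    nat_traversal [4501] on;   # IKE on port 501, NAT-T on port 4501
}"""

if __name__ == "__main__":
    print(parse_remote_block(EXAMPLE_CONFIG))
```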


_______________________________________________
Ipsec-tools-devel mailing list
Ipsec-tools-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel


