List: ipsec-tools-devel
Subject: Re: [Ipsec-tools-devel] Problem with racoon version 0.8.1
From: Jaco Kroon <jaco () uls ! co ! za>
Date: 2013-11-22 9:23:35
Message-ID: 528F2297.7020902 () uls ! co ! za
I reported a similar (or the same) issue previously on the list; I just
rolled back to 0.8.0. Oddly enough, I also included information on
0.8.1 + 0.8.0 - in this case it sometimes works - depending on who the
initiator and who the responder is. Can't remember the details at the
moment.
Kind Regards,
Jaco Kroon
On 21/11/2013 18:33, John Williams wrote:
> Hello,
>
> I posted this on the ipsec-tools-users list, and they sent me here
> instead...
>
> I'm following the instructions in chapter 7 of the "Linux advanced
> routing and traffic control howto", to set up a TCP connection
> protected by IPsec. Not a VPN, and no NAT involved; just two machines
> on a LAN.
>
> With ipsec-tools 0.8.0 everything works fine, but with version 0.8.1
> on one of the servers, racoon fails to establish a security
> association, and nothing works.
>
> I've traced the problem to this change between 0.8.0 and 0.8.1:
>
> --- ipsec-tools-0.8.0/src/racoon/isakmp.c
> +++ ipsec-tools-0.8.1/src/racoon/isakmp.c
> @@ -2943,7 +2943,7 @@
> port = myaddr_getsport(iph1->local);
> if (port == 0)
> port = PORT_ISAKMP;
> - set_port(iph1->local, PORT_ISAKMP);
> + set_port(iph1->local, port);
> }
>
> #ifdef ENABLE_NATT
>
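Review bot: the added `set_port(iph1->local, port);` line applies whatever myaddr_getsport() returns to iph1->local, and the only guard in the hunk is the `port == 0` fallback to PORT_ISAKMP. Nothing visible here checks that the returned port is the plain ISAKMP port rather than another port bound on the same address, and the `#ifdef ENABLE_NATT` block only begins after this assignment. Suggest either keeping PORT_ISAKMP at this point unless NAT-T has actually been negotiated for this phase 1, or adding a comment stating which listening port myaddr_getsport() is expected to return when several are bound to the address, so that the value reported in this thread (4500 with nat_traversal off) can be judged against the intended behaviour.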
> If I reverse this change, it starts working. I notice that
> myaddr_setsport() is returning 4500, whereas PORT_ISAKMP has the value
> 500. Any idea what has gone wrong?
>
> racoon is compiled with NAT-traversal enabled (I'm using the package
> from Arch Linux), but "nat_traversal" is not turned on in the
> racoon.conf file, which is just as in the "howto" except for the
> obvious change to the IP addresses.
>
> John
>
> _______________________________________________
> Ipsec-tools-devel mailing list
> Ipsec-tools-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/ipsec-tools-devel