Index: head/security/ipsec-tools/Makefile
===================================================================
--- head/security/ipsec-tools/Makefile (revision 496937)
+++ head/security/ipsec-tools/Makefile (revision 496938)
@@ -1,131 +1,131 @@
 # Created by: vanhu
 # $FreeBSD$
 # TODO: - libipsec issue ?
 # - cleanup...
 # - SYSCONFDIR
 # - $LOCALBASE/sbin/setkey Vs /usr/sbin/setkey
 PORTNAME= ipsec-tools
 PORTVERSION= 0.8.2
-PORTREVISION= 7
+PORTREVISION= 8
 CATEGORIES= security
 MASTER_SITES= SF
 MAINTAINER= ports@FreeBSD.org
 COMMENT= KAME racoon IKE daemon, ipsec-tools version
 LICENSE= BSD3CLAUSE
 CONFLICTS= racoon-[0-9]*
 INSTALL_TARGET= install-strip
 USES= libtool tar:bzip2 ssl
 USE_RC_SUBR= racoon
 GNU_CONFIGURE= yes
 USE_LDCONFIG= yes
 CONFIGURE_ARGS= --enable-shared --sysconfdir=${PREFIX}/etc/racoon \
 --localstatedir=${STATEDIR:S/\/racoon//} \
 --with-pkgversion=freebsd-${PORTVERSION}
 STATEDIR= /var/db/racoon
 SUB_LIST+= STATEDIR=${STATEDIR}
 PLIST_SUB+= STATEDIR=${STATEDIR}
 OPTIONS_DEFINE= DEBUG IPV6 ADMINPORT STATS DPD NATT NATTF FRAG HYBRID PAM \
 RADIUS LDAP GSSAPI SAUNSPEC RC5 IDEA DOCS EXAMPLES WCPSKEY
 OPTIONS_DEFAULT= ADMINPORT DEBUG DPD NATT FRAG HYBRID WCPSKEY
 ADMINPORT_DESC= Enable Admin port
 STATS_DESC= Statistics logging function
 DPD_DESC= Dead Peer Detection
 NATT_DESC= NAT-Traversal (kernel-patch required before 11.1)
 NATTF_DESC= require NAT-Traversal (fail without kernel-patch)
 FRAG_DESC= IKE fragmentation payload support
 HYBRID_DESC= Hybrid, Xauth and Mode-cfg support
 SAUNSPEC_DESC= Unspecified SA mode
 RC5_DESC= RC5 encryption (patented)
 IDEA_DESC= IDEA encryption (patented)
 PAM_DESC= PAM authentication (Xauth server)
 RADIUS_DESC= Radius authentication (Xauth server)
 LDAP_DESC= LDAP authentication (Xauth server)
 WCPSKEY_DESC= Allow wildcard matching for pre-shared keys
 PORTDOCS= *
 PORTEXAMPLES= *
 DEBUG_CONFIGURE_ENABLE= debug
 IPV6_CONFIGURE_ENABLE= ipv6
 ADMINPORT_CONFIGURE_ENABLE=adminport
 STATS_CONFIGURE_ENABLE= stats
 DPD_CONFIGURE_ENABLE= dpd
 NATTF_VARS= NATT=yes
 NATTF_VARS_OFF= NATT=kernel
 NATT_CONFIGURE_ON= --enable-natt=${NATT} --enable-natt-versions=rfc
 NATT_CONFIGURE_OFF= --disable-natt
 FRAG_CONFIGURE_ENABLE= frag
 HYBRID_CONFIGURE_ENABLE=hybrid
 PAM_CONFIGURE_WITH= libpam
 GSSAPI_USES= iconv
 GSSAPI_CFLAGS= -I${LOCALBASE}/include
 GSSAPI_LDFLAGS= -L${LOCALBASE}/lib
 GSSAPI_CONFIGURE_ENABLE=gssapi
 RADIUS_CONFIGURE_WITH= libradius
 LDAP_USE= OPENLDAP=yes
 LDAP_CONFIGURE_ON= --with-libldap=${LOCALBASE}
 LDAP_CONFIGURE_OFF= --without-libldap
 SAUNSPEC_CONFIGURE_ENABLE= samode-unspec
 RC5_CONFIGURE_ENABLE= rc5
 IDEA_CONFIGURE_ENABLE= idea
 WCPSKEY_EXTRA_PATCHES= ${FILESDIR}/wildcard-psk.diff
 NATT_EXTRA_PATCHES= ${FILESDIR}/natt.diff
 .include
 # Need to be patched for openssl-1.1.1 (default after 1200080)
 .if ${OPSYS} == FreeBSD
 . if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
 BUILD_DEPENDS+= automake>=0:devel/automake
 . endif
 .endif
 post-patch:
 @${REINPLACE_CMD} -e "s/-Werror//g ; s/-R$$libdir/-Wl,-rpath=$$libdir/g" ${WRKSRC}/configure
 # Need to be patched for openssl-1.1.1 (default after 1200080)
 .if ${OPSYS} == FreeBSD
 . if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
 post-configure:
 @${REINPLACE_CMD} -e "s/automake-1.14/automake-1.16/g" ${WRKSRC}/Makefile ${WRKSRC}/*/Makefile \
 ${WRKSRC}/*/*/Makefile
 @${REINPLACE_CMD} -e "s/aclocal-1.14/aclocal-1.16/g" ${WRKSRC}/Makefile ${WRKSRC}/*/Makefile \
 ${WRKSRC}/*/*/Makefile
 . endif
 .endif
 post-install:
 @${MKDIR} ${STAGEDIR}/${PREFIX}/etc/racoon
 @if [ -z `/sbin/sysctl -a | ${GREP} -q ipsec && ${ECHO_CMD} ipsec` ]; then \
 ${ECHO_MSG} "WARNING: IPsec feature is disabled on this host"; \
 ${ECHO_MSG} " You must build the kernel if you want to run racoon on the host"; \
 fi ;
 post-install-EXAMPLES-on:
 @${MKDIR} ${STAGEDIR}/${EXAMPLESDIR}
 @${RM} ${WRKSRC}/src/racoon/samples/*.in
 @${CP} -r ${WRKSRC}/src/racoon/samples/* ${STAGEDIR}/${EXAMPLESDIR}
 post-install-DOCS-on:
 @${MKDIR} ${STAGEDIR}/${DOCSDIR}
 ${INSTALL_DATA} ${WRKSRC}/src/racoon/doc/* ${STAGEDIR}/${DOCSDIR}
 .if ${OPSYS} == FreeBSD
 . if ${OSVERSION} >= 1200085 && ${SSL_DEFAULT} != openssl
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-aclocal.m4
 EXTRA_PATCHES+= ${FILESDIR}/extra-patch-ipsec-tools
 PLIST_FILES+= include/racoon/openssl_compat.h
 . endif
 .endif
 .include
Index: head/security/ipsec-tools/files/natt.diff
===================================================================
--- head/security/ipsec-tools/files/natt.diff (revision 496937)
+++ head/security/ipsec-tools/files/natt.diff (revision 496938)
@@ -1,153 +1,155 @@
 --- src/libipsec/libpfkey.h
 +++ src/libipsec/libpfkey.h
 @@ -85,7 +85,7 @@ struct pfkey_send_sa_args {
  u_int32_t seq;
  u_int8_t l_natt_type;
  u_int16_t l_natt_sport, l_natt_dport;
 - struct sockaddr *l_natt_oa;
 + struct sockaddr *l_natt_oai, *l_natt_oar;
  u_int16_t l_natt_frag;
  u_int8_t ctxdoi, ctxalg; /* Security context DOI and algorithm */
  caddr_t ctxstr; /* Security context string */
 --- src/libipsec/pfkey.c
 +++ src/libipsec/pfkey.c
 @@ -1335,9 +1335,12 @@ pfkey_send_x1(struct pfkey_send_sa_args
  len += sizeof(struct sadb_x_nat_t_type);
  len += sizeof(struct sadb_x_nat_t_port);
  len += sizeof(struct sadb_x_nat_t_port);
 - if (sa_parms->l_natt_oa)
 + if (sa_parms->l_natt_oai)
  len += sizeof(struct sadb_address) +
 - PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa));
 + PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai));
 + if (sa_parms->l_natt_oar)
 + len += sizeof(struct sadb_address) +
 + PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar));
  #ifdef SADB_X_EXT_NAT_T_FRAG
  if (sa_parms->l_natt_frag)
  len += sizeof(struct sadb_x_nat_t_frag);
 @@ -1452,10 +1455,21 @@ pfkey_send_x1(struct pfkey_send_sa_args
  return -1;
  }
 - if (sa_parms->l_natt_oa) {
 - p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OA,
 - sa_parms->l_natt_oa,
 - (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oa)),
 + if (sa_parms->l_natt_oai) {
 + p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAI,
 + sa_parms->l_natt_oai,
 + (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oai)),
 + IPSEC_ULPROTO_ANY);
 + if (!p) {
 + free(newmsg);
 + return -1;
 + }
 + }
 +
 + if (sa_parms->l_natt_oar) {
 + p = pfkey_setsadbaddr(p, ep, SADB_X_EXT_NAT_T_OAR,
 + sa_parms->l_natt_oar,
 + (u_int)PFKEY_ALIGN8(sysdep_sa_len(sa_parms->l_natt_oar)),
  IPSEC_ULPROTO_ANY);
  if (!p) {
  free(newmsg);
 @@ -2034,7 +2048,8 @@ pfkey_align(struct sadb_msg *msg, caddr_
  case SADB_X_EXT_NAT_T_TYPE:
  case SADB_X_EXT_NAT_T_SPORT:
  case SADB_X_EXT_NAT_T_DPORT:
 - case SADB_X_EXT_NAT_T_OA:
 + case SADB_X_EXT_NAT_T_OAI:
 + case SADB_X_EXT_NAT_T_OAR:
  #endif
  #ifdef SADB_X_EXT_TAG
  case SADB_X_EXT_TAG:
 @@ -2592,7 +2607,7 @@ pfkey_send_update_nat(int so, u_int saty
  psaa.l_natt_type = l_natt_type;
  psaa.l_natt_sport = l_natt_sport;
  psaa.l_natt_dport = l_natt_dport;
 - psaa.l_natt_oa = l_natt_oa;
 + psaa.l_natt_oar = l_natt_oa;
  psaa.l_natt_frag = l_natt_frag;
  return pfkey_send_update2(&psaa);
 @@ -2667,7 +2682,7 @@ pfkey_send_add_nat(int so, u_int satype,
  psaa.l_natt_type = l_natt_type;
  psaa.l_natt_sport = l_natt_sport;
  psaa.l_natt_dport = l_natt_dport;
 - psaa.l_natt_oa = l_natt_oa;
 + psaa.l_natt_oai = l_natt_oa;
  psaa.l_natt_frag = l_natt_frag;
  return pfkey_send_add2(&psaa);
 --- src/racoon/isakmp_quick.c
 +++ src/racoon/isakmp_quick.c
-@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+@@ -2390,6 +2390,34 @@
  spidx.src.ss_family, spidx.dst.ss_family,
  _XIDT(iph2->id_p),idi2type);
  }
 +#ifdef ENABLE_NATT
-+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER
++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV4_ADDR_SUBNET
++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV6_ADDR_SUBNET) {
 + u_int16_t port;
 +
 + port = extract_port(&spidx.src);
 + memcpy(&spidx.src, iph2->ph1->remote,
 + sysdep_sa_len(iph2->ph1->remote));
 + set_port(&spidx.src, port);
 + switch (spidx.src.ss_family) {
 + case AF_INET:
 + spidx.prefs = sizeof(struct in_addr) << 3;
 + break;
 +#ifdef INET6
 + case AF_INET6:
 + spidx.prefs = sizeof(struct in6_addr) << 3;
 + break;
 +#endif
 + default:
 + spidx.prefs = 0;
 + break;
 + }
 + plog(LLV_DEBUG, LOCATION,
 + NULL, "use NAT address %s as src\n",
 + saddr2str((struct sockaddr *)&spidx.src));
 + }
 +#endif
  } else {
  plog(LLV_DEBUG, LOCATION, NULL,
  "get a source address of SP index from Phase 1"
 --- src/racoon/nattraversal.c
 +++ src/racoon/nattraversal.c
 @@ -436,10 +436,7 @@ natt_keepalive_add_ph1 (struct ph1handle
  {
  int ret = 0;
 - /* Should only the NATed host send keepalives? If yes, add '(iph1->natt_flags & NAT_DETECTED_ME)' to the following condition. */
 - if (iph1->natt_flags & NAT_DETECTED &&
 + if (iph1->natt_flags & NAT_DETECTED_ME &&
  ! (iph1->natt_flags & NAT_KA_QUEUED)) {
  ret = natt_keepalive_add (iph1->local, iph1->remote);
  if (ret == 0)
 --- src/racoon/pfkey.c
 +++ src/racoon/pfkey.c
 @@ -1190,7 +1190,10 @@ pk_sendupdate(iph2)
  sa_args.l_natt_type = iph2->ph1->natt_options->encaps_type;
  sa_args.l_natt_sport = extract_port(iph2->ph1->remote);
  sa_args.l_natt_dport = extract_port(iph2->ph1->local);
 - sa_args.l_natt_oa = iph2->natoa_src;
 + /* if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) */
 + sa_args.l_natt_oai = iph2->natoa_dst;
 + /* if (iph2->ph1->natt_flags & NAT_DETECTED_ME) */
 + sa_args.l_natt_oar = iph2->natoa_src;
  #ifdef SADB_X_EXT_NAT_T_FRAG
  sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
  #endif
 @@ -1477,7 +1480,6 @@ pk_sendadd(iph2)
  sa_args.l_natt_type = UDP_ENCAP_ESPINUDP;
  sa_args.l_natt_sport = extract_port(iph2->ph1->local);
  sa_args.l_natt_dport = extract_port(iph2->ph1->remote);
 - sa_args.l_natt_oa = iph2->natoa_dst;
  #ifdef SADB_X_EXT_NAT_T_FRAG
  sa_args.l_natt_frag = iph2->ph1->rmconf->esp_frag;
  #endif
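Review bot: The new condition in the isakmp_quick.c hunk excludes `IPSECDOI_ID_IPV4_ADDR_SUBNET`/`IPSECDOI_ID_IPV6_ADDR_SUBNET` IDs from the NAT-address substitution without saying why, and it chains the bitwise flag test with the two `&&` comparisons at mixed precedence. The apparent intent is that a subnet ID names hosts behind the peer rather than the peer itself, so only a host ID should be rewritten to `iph2->ph1->remote` with a host-length `spidx.prefs`; a comment above the `if` such as `/* A subnet ID selects hosts behind the peer, not the peer itself; only a host ID is rewritten to the NATed peer's Phase 1 address. */` would record that, and writing the first operand as `(iph2->ph1->natt_flags & NAT_DETECTED_PEER)` makes the grouping explicit. If the earlier ID-to-sockaddr conversion in this function accepts the address-range ID types (`IPSECDOI_ID_IPV4_ADDR_RANGE`/`IPSECDOI_ID_IPV6_ADDR_RANGE`), they describe more than one address as well and would still be collapsed to the single NAT address, so they probably belong in the same exclusion. The block sits between the ID-mismatch log that reads `_XIDT(iph2->id_p)` and the `else` branch that falls back to Phase 1 addresses, which suggests it runs only when `iph2->id` is present, so the new `_XIDT(iph2->id)` reads look safe, but get_proposal_r starts and ends outside the hunk. The rewritten inner hunk header `+@@ -2390,6 +2390,34 @@` also dropped the `get_proposal_r(iph2)` function context that the old header carried.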