| Field | Value |
|---|---|
| Summary | wildcard patch in security/ipsec-tools breaks aggressive tunnels |
| Product | Ports & Packages |
| Reporter | andywhite |
| Component | Individual Port(s) |
| Assignee | Eugene Grosbein <eugen> |
| Status | Closed FIXED |
| Severity | Affects Some People |
| CC | andywhite, eugen, pi, w.schwarzenfeld |
| Priority | --- |
| Flags | pi: maintainer-feedback- |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| Attachments | 161355 (patch to fix aggressive mode tunnels with PSK), 161414 (patch) |
Description (andywhite, 2015-09-24 12:19:05 UTC)
Created attachment 161355 [details]
patch to fix aggressive mode tunnels with PSK

Wildcard patch exposes existing bug where aggressive tunnels using IP addresses for identification were not matching the entry in the PSK file, due to the identifier not being cast to 'xxx.xxx.xxx.xxx' notation.

This patch checks if the identity type is an ADDR and, if it is, uses a sockaddr struct to call the getpskbyaddr function instead of getpskbyname.

The log now looks like this with a wildcard entry. Note that the "NOTIFY: couldn't find the proper pskey, try to get one by the peer's address." entry is not displayed in the log anymore, as it was previously.

racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.166[500]->X.X.255.164[500] spi=222490682(0xd42f03a)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.166[500]->X.X.255.164[500] spi=114112937(0x6cd39a9)
racoon: INFO: initiate new phase 2 negotiation: X.X.255.166[500]<=>X.X.255.164[500]
racoon: INFO: ISAKMP-SA established X.X.255.166[500]-X.X.255.164[500] spi:e44202367c108922:e6b336ca8ab4a244
racoon: [X.X.255.166] INFO: Hashing X.X.255.166[500] with algo #2
racoon: [X.X.255.164] INFO: Hashing X.X.255.164[500] with algo #2
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: INFO: NAT not detected
racoon: INFO: NAT-D payload #0 verified
racoon: [X.X.255.164] INFO: Hashing X.X.255.164[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.166] INFO: Hashing X.X.255.166[500] with algo #2
racoon: [X.X.255.164] INFO: Selected NAT-T version: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: begin Aggressive mode.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.166[500]<=>X.X.255.164[500]
racoon: INFO: IPsec-SA request for X.X.255.164 queued due to no phase1 found.

Created attachment 161414 [details]
patch
Patch formatted to easily apply to the port.

Is this still relevant?

Yes, needs run-test.

Would be nice if this patch was added to the port.

Re-set Assignee due to long inactivity period.

A commit references this bug:
Author: eugen
Date: Mon Jul 1 04:49:33 UTC 2019
New revision: 505537
URL: https://svnweb.freebsd.org/changeset/ports/505537
Log:
security/ipsec-tools: fix aggressive mode tunnels with wildcard-psk config
Wildcard patch exposes existing bug where aggressive tunnels using IP addresses for identification were not matching the entry in the PSK file, due to the identifier not being cast to 'xxx.xxx.xxx.xxx' notation.
PR: 203308
Submitted by: andywhite@gmail.com (based on)
Changes:
head/security/ipsec-tools/Makefile
head/security/ipsec-tools/files/wildcard-psk-oakley.c.diff

Committed, thank you for submission.
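The lookup change the report describes, shown as an added C example written for this page; it is not the ipsec-tools patch and not racoon code. The identity type names, the `peer_id` struct, the in-memory PSK table (standing in for psk.txt, with the wildcard `*` entry the port patch adds), the helper names `lookup_psk_by_name` and `lookup_psk_by_addr` (playing the roles of racoon's getpskbyname and getpskbyaddr) and the peer address 198.51.100.164 are all assumptions constructed here. It contrasts the pre-patch path, where a 4-byte address identifier is looked up as raw text and therefore falls through to the wildcard key, with the patched path, which rebuilds the identifier as a sockaddr and matches the dotted-quad entry.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Assumed identity types, standing in for the ISAKMP ID payload types
 * (IPv4 address vs. FQDN) that racoon distinguishes. */
enum id_type { ID_IPV4_ADDR, ID_FQDN };

struct peer_id {
    enum id_type type;
    const unsigned char *data;   /* raw identification payload body */
    size_t len;
};

/* Constructed stand-in for psk.txt: identifier exactly as written in the
 * file, plus its pre-shared key. "*" is the wildcard entry. */
struct psk_entry { const char *key; const char *psk; };
static const struct psk_entry PSK_TABLE[] = {
    { "198.51.100.164",  "constructed-psk-for-peer-164" },
    { "vpn.example.net", "constructed-psk-for-fqdn" },
    { "*",               "constructed-wildcard-psk" },
};
#define PSK_TABLE_LEN (sizeof PSK_TABLE / sizeof PSK_TABLE[0])

/* Textual lookup (role of getpskbyname): exact match first, the wildcard
 * only if nothing else matched; NULL when no entry fits. */
static const char *lookup_psk_by_name(const char *name)
{
    const char *wildcard = NULL;
    for (size_t i = 0; i < PSK_TABLE_LEN; i++) {
        if (strcmp(PSK_TABLE[i].key, name) == 0)
            return PSK_TABLE[i].psk;
        if (strcmp(PSK_TABLE[i].key, "*") == 0)
            wildcard = PSK_TABLE[i].psk;
    }
    return wildcard;
}

/* Address lookup (role of getpskbyaddr): render the sockaddr in the
 * 'xxx.xxx.xxx.xxx' notation psk.txt uses, then match on that string. */
static const char *lookup_psk_by_addr(const struct sockaddr *sa)
{
    char text[INET6_ADDRSTRLEN];
    const void *addr;

    if (sa->sa_family == AF_INET)
        addr = &((const struct sockaddr_in *)sa)->sin_addr;
    else if (sa->sa_family == AF_INET6)
        addr = &((const struct sockaddr_in6 *)sa)->sin6_addr;
    else
        return NULL;
    if (inet_ntop(sa->sa_family, addr, text, sizeof text) == NULL)
        return NULL;
    return lookup_psk_by_name(text);
}

/* Treat the identifier body as text: reject embedded NULs and oversize
 * bodies rather than matching on a truncated string. */
static const char *lookup_psk_as_text(const struct peer_id *id)
{
    char name[256];
    if (id->len >= sizeof name || memchr(id->data, '\0', id->len) != NULL)
        return NULL;
    memcpy(name, id->data, id->len);
    name[id->len] = '\0';
    return lookup_psk_by_name(name);
}

/* Pre-patch behaviour from the report: every identifier, including a 4-byte
 * address, goes through the text path. Raw address bytes never equal the
 * dotted quad, so with a "*" entry present the wildcard key wins. */
static const char *lookup_psk_buggy(const struct peer_id *id)
{
    return lookup_psk_as_text(id);
}

/* Patched behaviour: an ADDR identifier is rebuilt as a sockaddr and goes
 * through the address path; textual identifiers keep the text path. */
static const char *lookup_psk_fixed(const struct peer_id *id)
{
    if (id->type == ID_IPV4_ADDR) {
        struct sockaddr_in sin;
        if (id->len != sizeof sin.sin_addr)
            return NULL;                 /* malformed ID payload */
        memset(&sin, 0, sizeof sin);
        sin.sin_family = AF_INET;
        memcpy(&sin.sin_addr, id->data, sizeof sin.sin_addr);
        return lookup_psk_by_addr((const struct sockaddr *)&sin);
    }
    return lookup_psk_as_text(id);
}

/* Constructed peer identifiers (RFC 5737 documentation address). */
static const unsigned char PEER_ADDR_RAW[4] = { 198, 51, 100, 164 };
static const struct peer_id PEER_ADDR_ID = { ID_IPV4_ADDR, PEER_ADDR_RAW, sizeof PEER_ADDR_RAW };
static const struct peer_id PEER_FQDN_ID = { ID_FQDN, (const unsigned char *)"vpn.example.net", 15 };

int main(void)
{
    printf("buggy, address ID: %s\n", lookup_psk_buggy(&PEER_ADDR_ID));
    printf("fixed, address ID: %s\n", lookup_psk_fixed(&PEER_ADDR_ID));
    printf("fixed, FQDN ID:    %s\n", lookup_psk_fixed(&PEER_FQDN_ID));
    return 0;
}
```

The point of the wildcard check in `lookup_psk_by_name` is to reproduce why the bug only surfaced after the wildcard patch: before it, the failed text lookup returned nothing and racoon fell back to the address lookup (the "couldn't find the proper pskey" notice in the report); with a `*` entry the text lookup succeeds on the wrong key, so the fallback never runs unless the address case is handled up front.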