Bug 217131

Summary: [patch] security/ipsec-tools add patch for better NAT-T support
Product: Ports & Packages
Reporter: Andrey V. Elsukov <ae>
Component: Individual Port(s)
Assignee: VANHULLEBUS Yvan <vanhu>
Status: Closed FIXED
Severity: Affects Only Me
CC: eugen, notregisterednick, ports
Priority: ---
Keywords: patch
Version: Latest
Flags: eugen: maintainer-feedback-
Hardware: Any
OS: Any
Attachments (Description / Flags):
  patch / none
  patch / none

Description Andrey V. Elsukov 2017-02-16 10:31:08 UTC
Created attachment 180038
patch

This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation defined in RFC3948.

The natt.diff patch contains the following changes:
* added support for the SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages;
* the NAT address is used instead of the original one for SAs created by racoon;
* NAT-T keep-alives are now sent only by the NATed host.

Several people reported that they are now able to use NAT-T in transport mode with IPsec from projects/ipsec. However, I have not tested how it affects the IPsec implementation from stable/9, 10 and 11. From a quick look it should not affect anything that worked earlier.
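The UDP encapsulation this patch enables is the RFC 3948 framing on port 4500, where the first bytes of the datagram decide whether it carries ESP, IKE (behind a 4-byte zero "non-ESP marker") or a one-byte NAT keepalive. The demultiplexer below is an added illustration of that framing, written for this page and not taken from ipsec-tools or the natt.diff patch; the struct and function names are the example's own.

```c
/* Added example: classify the payload of a UDP/4500 datagram per RFC 3948.
 *   1 byte 0xFF                      -> NAT keepalive (sent by the peer behind NAT)
 *   4 zero bytes (non-ESP marker)    -> IKE message follows at offset 4
 *   otherwise                        -> ESP header starts the payload (SPI != 0)
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum udp_encap_kind { UE_INVALID = 0, UE_KEEPALIVE, UE_IKE, UE_ESP };

struct udp_encap_info {
    enum udp_encap_kind kind;
    uint32_t spi;       /* valid only for UE_ESP */
    uint32_t seq;       /* valid only for UE_ESP */
    size_t   inner_off; /* offset of the ESP header or IKE header in the payload */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

enum udp_encap_kind classify_udp_encap(const uint8_t *buf, size_t len,
                                       struct udp_encap_info *out)
{
    memset(out, 0, sizeof(*out));
    if (len == 1 && buf[0] == 0xff) {            /* RFC 3948 section 2.3 keepalive */
        out->kind = UE_KEEPALIVE;
    } else if (len >= 4 && be32(buf) == 0) {     /* RFC 3948 section 2.2 non-ESP marker */
        out->kind = UE_IKE;
        out->inner_off = 4;
    } else if (len >= 8) {                       /* RFC 3948 section 2.1 ESP, SPI is non-zero */
        out->kind = UE_ESP;
        out->spi = be32(buf);
        out->seq = be32(buf + 4);
        out->inner_off = 0;
    } else {                                     /* truncated datagram: drop it */
        out->kind = UE_INVALID;
    }
    return out->kind;
}

/* The keepalive a host behind NAT sends to keep the UDP mapping alive (RFC 3948 section 4).
 * As the patch description says, only the NATed side should emit these. */
size_t build_nat_keepalive(uint8_t *buf, size_t cap)
{
    if (cap < 1)
        return 0;
    buf[0] = 0xff;
    return 1;
}
```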
Comment 1 Andrey V. Elsukov 2017-02-18 16:05:07 UTC
Created attachment 180110
patch

Fix bug in one chunk. OAi/OAr addresses should be reversed, because they present the peer's view of the addresses.
Comment 2 Eugene Grosbein 2017-03-11 11:05:04 UTC
I've tested this patch with the new kernel IPSEC code committed to head by Andrey and it just works.

Please commit the patch.
Comment 3 commit-hook 2017-04-18 14:36:28 UTC
A commit references this bug:

Author: eugen
Date: Tue Apr 18 14:36:08 UTC 2017
New revision: 438782
URL: https://svnweb.freebsd.org/changeset/ports/438782

Log:
  This patch adds NATT_EXTRA_PATCHES=natt.diff and enables only UDP encapsulation defined in RFC3948.

  The natt.diff patch contains the following changes:
  * added support for the SADB_X_EXT_NAT_T_OAI and SADB_X_EXT_NAT_T_OAR PF_KEY messages;
  * the NAT address is used instead of the original one for SAs created by racoon;
  * NAT-T keep-alives are now sent only by the NATed host.

  Tested with 11.0-STABLE after projects/ipsec merge.

  PR:		217131
  Submitted by:	Andrey V. Elsukov
  Approved by:	VANHULLEBUS Yvan (maintainer timeout, 2 months), vsevolod (mentor)

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/natt.diff