Created attachment 151900 [details] Upgrade to 0.8.2 and add wildcard-PSK-matching-option Please find attached the diff for ipsec-tools 0.8.2 upgrade. I also simplified pkg-plist by replacing %%EXAMPLESDIR%% with PORTEXAMPLES=, but I'm not familiar with this new method – monkey see monkey do. Additionally I added an option which applies a well known patch allowing wildcard matching in psk.txt. It's off by default, but there are common scenarios where people can accept the security relaxation to be able to provide special kinds of road-warrior access, so they simply can use that knob. Thanks, -Harry
Auto-assigned to maintainer vanhu@FreeBSD.org
+1 for including the wildcard-PSK patch as an option. I've been using this patch for years with success on hundreds of systems, always manually hacking it into the port.
FYI there is a minor typo in WCPSKEY_DESC. Should read "Allow wildcard" not "Allow wildard".
Ok for me, as wildcard patch is disabled by default.
Can I expect this to get committed sometime soon and include the wildcard option?
(In reply to ncrogers from comment #5) I guess vanhu@ (maintainer) has replied in comment #4, but according to svn log it seems he doesn't have a commit bit. I don't have one either... Who/how can we find somebody? CCing ports@
I'll test it.
builds fine on 10.1a, 9.3a, but breaks on 8.4i? http://people.freebsd.org/~pi/logs/security__ipsec-tools-84i-1423248840.txt Any ideas?
ipsec-tools is expecting utmpx which is missing on 8.x. So this version is only for newer versions of FreeBSD. Can someone provide a patch to still work with utmp?
Perhaps Ed can take a look. http://lists.freebsd.org/pipermail/freebsd-current/2010-January/014893.html
Thanks, I poked ed@
*Never* CC the ports mailing list, thanks. I am removing it from the list.
Created attachment 152636 [details] patch to disable utmpx on 8.x
ed provided the patch to disable utmpx. Building fine on 8.4x
A commit references this bug:

Author: pi
Date: Fri Feb 6 20:31:56 UTC 2015
New revision: 378554
URL: https://svnweb.freebsd.org/changeset/ports/378554

Log:
  security/ipsec-tools: 0.8.1 -> 0.8.2

  From ChangeLog:
  - Fix admin port establish-sa for tunnel mode SAs (Alexander Sbitnev)
  - Fix source port selection regression from version 0.8.1
  - Various logging improvements
  - Additional compliance and build fixes

  From submitter:
  - extra patch adding wildcard psk option

  PR:           196930
  Submitted by: Harald Schmalzbauer <bugzilla.freebsd@omnilan.de>, Ed Schouten <ed@80368.nl>
  Approved by:  vanhu (maintainer)

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/distinfo
  head/security/ipsec-tools/files/patch-src-racoon-isakmp_cfg.c
  head/security/ipsec-tools/files/wildcard-psk.diff
  head/security/ipsec-tools/pkg-plist
Committed with further fixes from Ed Schouten. Thanks to all who got involved!
Port fails to build for me on 8.4 -- the newly added patch-src-racoon-isakmp_cfg.c conflicts with the existing patch8-utmp.diff. If I rm files/patch-src-racoon-isakmp_cfg.c it builds fine, so I think this duplicate patch can just be dropped. (The old patch replaced utmpx with utmp, while the new one removes utmpx entirely, so unless it's incorrect, patch8-utmp.diff appears better.) Not sure why the person in comment #8 had their build fail -- apparently they weren't triggering this section of the Makefile and thus not having patch8-utmp applied:

.if ${OSVERSION} < 900007
EXTRA_PATCHES= ${FILESDIR}/patch8-utmp.diff
.endif
Wildcard patch appears to break tunnels in Aggressive mode that use PSK, once there is a wildcard key in the PSK file.

with patch applied but no wildcard in the psk file

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: [X.X.255.179] NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
racoon: INFO: Adding remote and local NAT-D payloads.
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: ISAKMP-SA established X.X.255.182[500]-X.X.255.179[500] spi:78e9f4efeaccc1a8:949caf456c915321
racoon: INFO: initiate new phase 2 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=43872531(0x29d7113)
racoon: INFO: IPsec-SA established: ESP/Tunnel X.X.255.182[500]->X.X.255.179[500] spi=19415386(0x128415a)

adding a wildcard to the psk, no other configuration change

racoon: INFO: IPsec-SA request for X.X.255.179 queued due to no phase1 found.
racoon: INFO: initiate new phase 1 negotiation: X.X.255.182[500]<=>X.X.255.179[500]
racoon: INFO: begin Aggressive mode.
racoon: INFO: received Vendor ID: RFC 3947
racoon: INFO: received Vendor ID: DPD
racoon: [X.X.255.179] INFO: Selected NAT-T version: RFC 3947
racoon: [X.X.255.182] INFO: Hashing X.X.255.182[500] with algo #2
racoon: INFO: NAT-D payload #-1 verified
racoon: [X.X.255.179] INFO: Hashing X.X.255.179[500] with algo #2
racoon: INFO: NAT-D payload #0 verified
racoon: INFO: NAT not detected
racoon: ERROR: HASH mismatched
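Added illustration (not racoon's code and not the wildcard-psk.diff from this PR) of one way a wildcard line can change which key a peer gets: if lookup is first-match in file order, a catch-all entry above a specific peer silently replaces that peer's key, and the peer's HASH payload no longer verifies. The psk.txt layout (identifier, whitespace, key, '#' comments) is racoon's; the glob syntax, the exact-before-wildcard rule and all identifiers/keys are assumed or constructed.

```python
import fnmatch
from typing import List, Optional, Tuple

# Constructed sample psk.txt: identifier, whitespace, key; '#' starts a comment.
# The catch-all road-warrior entry is deliberately placed above the specific peer.
SAMPLE_PSK_TXT = """\
# identifier          key
*                     roadwarrior-shared-secret
X.X.255.179           tunnel-specific-secret
alice@example.org     alice-secret
"""

def parse_psk(text: str) -> List[Tuple[str, str]]:
    """Return (identifier, key) pairs in file order, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line (identifier without a key): ignore it
        entries.append((parts[0], parts[1].strip()))
    return entries

def is_wildcard(ident: str) -> bool:
    """Assumed wildcard syntax: shell-style globs using '*' and '?'."""
    return "*" in ident or "?" in ident

def lookup_first_match(entries, peer_id: str) -> Optional[str]:
    """Naive lookup: the first entry that matches, exactly or by glob, wins.
    A catch-all above a specific peer hands that peer the wrong key."""
    for ident, key in entries:
        if ident == peer_id or (is_wildcard(ident) and fnmatch.fnmatchcase(peer_id, ident)):
            return key
    return None

def lookup_exact_first(entries, peer_id: str) -> Optional[str]:
    """Safer lookup: an exact identifier always beats a wildcard, whatever the file order."""
    for ident, key in entries:
        if ident == peer_id:
            return key
    for ident, key in entries:
        if is_wildcard(ident) and fnmatch.fnmatchcase(peer_id, ident):
            return key
    return None

SAMPLE_ENTRIES = parse_psk(SAMPLE_PSK_TXT)

if __name__ == "__main__":
    for peer in ("X.X.255.179", "alice@example.org", "bob@example.org"):
        print(peer, "first-match:", lookup_first_match(SAMPLE_ENTRIES, peer),
              "exact-first:", lookup_exact_first(SAMPLE_ENTRIES, peer))
```

Whether the real patch behaves like the first-match variant is not established by this thread; the point is the check a practitioner should run after enabling the option: confirm each existing peer still resolves to its own key with the wildcard line present.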