[Swan-dev] [Swan] Multiple clients behind the same NAT IP get dropped - IPSec / xauth
Antonio Silva
asilva at wirelessmundi.com
Thu Aug 25 08:48:59 UTC 2016
Paul,
I just compile the version 3.18 with this changes you told and it fixes
the issue, i can connect two users behind the same nat with xauth and
the traffic is ok.
I guess that this is safe to put in production, no?
Thanks.
NOTE: you patch fail to apply on 3.18, here the updated patch that i used:
diff -rNu libreswan-3.18-orig/programs/pluto/connections.c
libreswan-3.18/programs/pluto/connections.c
--- libreswan-3.18-orig/programs/pluto/connections.c 2016-07-27
15:01:34.000000000 +0200
+++ libreswan-3.18/programs/pluto/connections.c 2016-08-25
10:28:48.214940448 +0200
@@ -1754,9 +1754,6 @@
t->log_file = NULL;
t->log_file_err = FALSE;
- t->spd.reqid = group->spd.reqid == 0 ?
- gen_reqid() : group->spd.reqid;
-
/* add to connections list */
t->ac_next = connections;
connections = t;
@@ -1832,7 +1829,7 @@
default_end(&d->spd.this, &d->spd.that.host_addr);
d->spd.spd_next = NULL;
- d->spd.reqid = c->spd.reqid == 0 ? gen_reqid() : c->spd.reqid;
+ d->spd.reqid = gen_reqid();
/* set internal fields */
d->ac_next = connections;
On 08/25/2016 10:25 AM, Antonio Silva wrote:
> Hi Paul,
>
> Can i apply this patch to version 3.18?
> i notice that the code is a bit different... but i do see the line in
> programs/pluto/connections.c:
>
> d->spd.reqid = c->spd.reqid == 0 ? gen_reqid() : c->spd.reqid;
>
>
>
>
> On 08/23/2016 11:10 PM, Paul Wouters wrote:
>> On Tue, 23 Aug 2016, Lennart Sorensen wrote:
>>
>>>> @@ -1819,6 +1821,9 @@ char *add_group_instance(struct connection
>>>> *group, const i p_subnet *target)
>>>>
>>>> t->spd.reqid = group->spd.reqid == 0 ?
>>>> gen_reqid() : group->spd.reqid;
>>>> + t->spd.reqid = gen_reqid(); + +
>>>>
>>>> /* add to connections list */
>>>> t->ac_next = connections;
>>>
>>> That doesn't look like valid syntax with all those '+'
>>>
>>> And that line seems like it overrides the previous like, so what is the
>>> point in doing that?
>>
>> Sorry, let me try explain and fixup the patch :)
>>
>> When we add_connection(), we check if the user supplied a reqid= option.
>> If so, use that. Otherwise, generate a unique one:
>>
>> c->spd.reqid = wm->sa_reqid == 0 ? gen_reqid() :
>> wm->sa_reqid;
>>
>> Then in instantiate() we again checked for reqid being 0 and if so,
>> generate one. Since it was never 0 anymore, it would never generate
>> one, meaning all instances received the same number generated on the
>> original add_connection() call.
>>
>> So the proper patch would be:
>>
>> diff --git a/programs/pluto/connections.c b/programs/pluto/connections.c
>> index 0e3c23e..634c12f 100644
>> --- a/programs/pluto/connections.c
>> +++ b/programs/pluto/connections.c
>> @@ -1756,9 +1756,6 @@ char *add_group_instance(struct connection
>> *group, const ip_subnet *target)
>> t->log_file = NULL;
>> t->log_file_err = FALSE;
>>
>> - t->spd.reqid = group->spd.reqid == 0 ?
>> - gen_reqid() : group->spd.reqid;
>> -
>> /* add to connections list */
>> t->ac_next = connections;
>> connections = t;
>> @@ -1834,7 +1831,7 @@ struct connection *instantiate(struct
>> connection *c, const ip_address *him,
>> default_end(&d->spd.this, &d->spd.that.host_addr);
>> d->spd.spd_next = NULL;
>>
>> - d->spd.reqid = c->spd.reqid == 0 ? gen_reqid() : c->spd.reqid;
>> + d->spd.reqid = gen_reqid();
>>
>> /* set internal fields */
>> d->ac_next = connections;
>> _______________________________________________
>> Swan-dev mailing list
>> Swan-dev at lists.libreswan.org
>> https://lists.libreswan.org/mailman/listinfo/swan-dev
>
--
Saludos / Regards / Cumprimentos,
António silva
More information about the Swan-dev
mailing list