[Swan-dev] Git master is currently broken with ikev1 nat-t responder

Tuomo Soini tis at foobar.fi
Wed Sep 21 06:45:03 UTC 2016


$ git bisect bad
f37d4a53f08d18b95512edefb77ee821849d1c79 is the first bad commit
commit f37d4a53f08d18b95512edefb77ee821849d1c79
Author: Paul Wouters <pwouters at redhat.com>
Date:   Sat Sep 17 19:02:52 2016 -0400

    pluto: change force-encaps=yes|no to encaps=auto|yes|no
    
    This allows encaps=no to not use ESPinUDP and send ESP packets,
    regardless of NAT-T detection outcome.
    
    Backwards compatibility --forceencaps maps to --encaps yes
    
    The option encaps=no can be useful on Amazon AWS where despite being
    behind NAT, they still route raw ESP packets so the encapsulation is
    not required.

:040000 040000 11c713b3870c01321b8284123563808292c0f755 81d7f6eea9285f5da179781b756f23ad8349721c M	include
:040000 040000 7c1d57d6c2c429f2e4d2c29b0f7c0497d43fb35b 339410fae4638ba9c73615cbb053c8ec01f48eeb M	lib
:040000 040000 b2152f5d81fe0f0975330e03e3962cff6ae20592 f21a1dfe01a514db703def9128a91b19727c8833 M	programs
:040000 040000 b61f0f14e375b81557e300bde1904fe73b0b54fa 8aee3a3203b73ca14b18ff26388a7273201a5687 M	testing

$ git bisect log
git bisect start
# good: [8aa3e1b5dc5480a8ff20938fc61bc04c1161e636] CHANGES: remove extra empty lines
git bisect good 8aa3e1b5dc5480a8ff20938fc61bc04c1161e636
# bad: [29a73d32fe3714d17ec1ffc4701464e98b16a9ab] testing: slowly retransmit
git bisect bad 29a73d32fe3714d17ec1ffc4701464e98b16a9ab
# good: [003d9c56486a0251814d30826e106a7af0e7a235] web: in summary, specify the commits under test using a git-friendly format
git bisect good 003d9c56486a0251814d30826e106a7af0e7a235
# good: [509b241ce5a8a10ea22efe77b3d50ef942704f75] update changes
git bisect good 509b241ce5a8a10ea22efe77b3d50ef942704f75
# bad: [af33b7062689690797e179f366ebd4298104cdbe] update changes
git bisect bad af33b7062689690797e179f366ebd4298104cdbe
# bad: [f37d4a53f08d18b95512edefb77ee821849d1c79] pluto: change force-encaps=yes|no to encaps=auto|yes|no
git bisect bad f37d4a53f08d18b95512edefb77ee821849d1c79
# first bad commit: [f37d4a53f08d18b95512edefb77ee821849d1c79] pluto: change force-encaps=yes|no to encaps=auto|yes|no

From responder log with bad version:

Sep 21 09:42:46 foo-gw pluto[22528]: "hq1-4"[1] 89.27.88.180 #32: the peer proposed: 188.117.5.240/28:0/0 -> 10.81.17.128/25:0/0
Sep 21 09:42:46 foo-gw pluto[22528]: "hq1-4"[1] 89.27.88.180 #154: ENCAPSULATION_MODE_UDP_TUNNEL_RFC must only be used if NAT-Traversal is detected
Sep 21 09:42:46 foo-gw pluto[22528]: "hq1-4"[1] 89.27.88.180 #154: sending encrypted notification BAD_PROPOSAL_SYNTAX to 89.27.88.180:4500
Sep 21 09:42:46 foo-gw pluto[22528]: "hq1-4"[1] 89.27.88.180 #154: deleting state (STATE_QUICK_R0)

-- 
Tuomo Soini <tis at foobar.fi>
Foobar Linux services
+358 40 5240030
Foobar Oy <http://foobar.fi/>

