[Swan-dev] nat: ikeport commit broke DDNS tests
Paul Wouters
paul at nohats.ca
Mon Sep 21 03:39:59 UTC 2020
the ikev2-ddns* test cases broke on this commit:
paul@thinkpad:~/libreswan ((cc04507...)|BISECTING)$ git bisect bad
cc045076885ee1f7eab1ac8fbb9c88187961bc01 is the first bad commit
commit cc045076885ee1f7eab1ac8fbb9c88187961bc01
Author: Andrew Cagney <cagney at gnu.org>
Date: Wed Jun 24 22:19:01 2020 -0400
nat: when only one {left,right}ikeport, default other end to 4500 and not 500
For {left,right}ikeport to work with NAT it must enable espinudp,
and that means all incoming messages on that port must include
the ESP=0 prefix, and that means anything but port 500 (because
an exchange with port 500 never has ESP=0 prefix added).
programs/pluto/connections.c | 33 +++++++++++++----------
programs/pluto/iface.c | 22 +++++++++-------
programs/pluto/iface.h | 59 ++++++++++++++++++++++++++++++------------
programs/pluto/iface_tcp.c | 6 ++---
programs/pluto/iface_udp.c | 9 ++++---
programs/pluto/ikev1_send.c | 22 +++++++++++-----
programs/pluto/ikev2_message.c | 15 +++++++++--
programs/pluto/initiate.c | 19 ++++++++++----
programs/pluto/send.c | 8 +++++-
9 files changed, 133 insertions(+), 60 deletions(-)
When the now-oriented connection tries to send a packet, it prob is
missing a port or something and the OS returns errno 22, and the
packet never appears on the wire.
Paul
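The framing rule in the quoted commit message, as an added example that is not part of the original mail and is not pluto's code. It assumes, as a simplification, that every port other than 500 is an espinudp port; all function and constant names are hypothetical, and the 8-byte "IKE message" is constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for illustration; this is not pluto's code. */
enum pkt_kind { PKT_IKE, PKT_ESP, PKT_KEEPALIVE, PKT_BAD };
#define IKE_PORT 500
#define NATT_PORT 4500
static const uint8_t non_esp_marker[4] = { 0, 0, 0, 0 };	/* the "ESP=0 prefix" */

/* Assumption: every port except 500 is an espinudp port. */
static int port_uses_marker(uint16_t port) { return port != IKE_PORT; }

/* Frame an outgoing IKE message for the given port; returns length, 0 on error. */
static size_t frame_ike(uint16_t port, const uint8_t *ike, size_t len,
			uint8_t *out, size_t outsz)
{
	size_t pre = port_uses_marker(port) ? sizeof(non_esp_marker) : 0;
	if (len == 0 || outsz < pre + len)
		return 0;
	memcpy(out, non_esp_marker, pre);
	memcpy(out + pre, ike, len);
	return pre + len;
}

/* Classify a datagram received on 'port'; *off is where the IKE header starts. */
static enum pkt_kind classify(uint16_t port, const uint8_t *buf, size_t len, size_t *off)
{
	*off = 0;
	if (!port_uses_marker(port))
		return len > 0 ? PKT_IKE : PKT_BAD;
	if (len == 1 && buf[0] == 0xff)
		return PKT_KEEPALIVE;	/* NAT keepalive, RFC 3948 */
	if (len <= sizeof(non_esp_marker))
		return PKT_BAD;
	if (memcmp(buf, non_esp_marker, sizeof(non_esp_marker)) == 0) {
		*off = sizeof(non_esp_marker);
		return PKT_IKE;
	}
	return PKT_ESP;	/* leading 4 bytes are a non-zero SPI */
}

int main(void)
{
	const uint8_t ike[8] = { 0xde, 0xad, 0xbe, 0xef, 1, 2, 3, 4 }; /* constructed */
	uint8_t wire[16]; size_t off;
	size_t n = frame_ike(IKE_PORT, ike, sizeof(ike), wire, sizeof(wire));
	printf("port-500 framing read on 4500 -> %d\n", classify(NATT_PORT, wire, n, &off));
	return 0;
}
```

A message framed for port 500 and read on an espinudp port is taken for ESP, because its first four bytes are a non-zero SPI; this is why the two ends must agree on a non-500 port.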