[Swan] OSX Server interop patch, was Re: Connecting to OS X Server

Paul Wouters paul at nohats.ca
Mon Jan 12 07:24:05 EET 2015


On Sun, 11 Jan 2015, Ali Gangji wrote:

> Date: Sun, 11 Jan 2015 12:47:04
> 004 "ner" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}

So this is good. phase1 is up. Better than your phase1 errors before.

> 117 "ner" #2: STATE_QUICK_I1: initiate

starting phase2....

> 003 "ner" #2: DOI of ISAKMP Notification Payload has an unknown value: 16777216

So the DOI (Domain of Interpretation) is a 4 octet value. It can either
contain 0 for ISAKMP or 1 for IPsec.

See: http://www.iana.org/assignments/ipsec-registry/ipsec-registry.xhtml#ipsec-registry-19

So 16777216 is pretty wrong. Note that this value in hex is 0x1000000.
So this makes me believe that the other end screwed up network and host
order:

$ python
Python 2.7.5 (default, Nov  3 2014, 14:33:39) 
[GCC 4.8.3 20140911 (Red Hat 4.8.3-7)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> hex(16777216)
'0x1000000'
>>> import socket
>>> socket.htonl(1)
16777216L

So this looks like an OSX server bug. Please try the attached patch.

Note this will only ignore their bad value on our end. If you reverse
directions, things might still break if they don't like a real 1 and
insist on 16777216.

Paul
-------------- next part --------------
diff --git a/include/ietf_constants.h b/include/ietf_constants.h
index 784ec73..c47c984 100644
--- a/include/ietf_constants.h
+++ b/include/ietf_constants.h
@@ -435,6 +435,8 @@
 /* Domain of Interpretation */
 #define ISAKMP_DOI_ISAKMP 0
 #define ISAKMP_DOI_IPSEC 1
+/* htonl(1) == 16777216 */
+#define ISAKMP_DOI_OSX_SERVER_HTONL_BUG 16777216
 
 /* IPsec DOI things */
 
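Review bot: the comment `/* htonl(1) == 16777216 */` above the new define only holds on little-endian hosts; on a big-endian build htonl(1) is 1, so the comment would contradict the constant. State the invariant that actually matters, that 16777216 is ISAKMP_DOI_IPSEC with its four bytes reversed, and write the value in hex so the swap is visible: `/* ISAKMP_DOI_IPSEC byte-swapped (peer sent host order) */` and `#define ISAKMP_DOI_OSX_SERVER_HTONL_BUG 0x01000000`.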
diff --git a/programs/pluto/ikev1_spdb_struct.c b/programs/pluto/ikev1_spdb_struct.c
index d3d32f9..6216fd0 100644
--- a/programs/pluto/ikev1_spdb_struct.c
+++ b/programs/pluto/ikev1_spdb_struct.c
@@ -850,10 +850,14 @@ notification_t parse_isakmp_sa_body(pb_stream *sa_pbs,		/* body of input SA Payl
 
 	/* DOI */
 	if (sa->isasa_doi != ISAKMP_DOI_IPSEC) {
-		loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s",
-		       enum_show(&doi_names, sa->isasa_doi));
-		/* XXX Could send notification back */
-		return DOI_NOT_SUPPORTED;
+		if (sa->isasa_doi == ISAKMP_DOI_OSX_SERVER_HTONL_BUG) {
+			loglog(RC_LOG_SERIOUS, "OSX Server DOI htonl(1) bug workaround enabled");
+		} else {
+			loglog(RC_LOG_SERIOUS, "Unknown/unsupported DOI %s",
+				enum_show(&doi_names, sa->isasa_doi));
+			/* XXX Could send notification back */
+			return DOI_NOT_SUPPORTED;
+		}
 	}
 
 	/* Situation */
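Review bot: the workaround branch accepts the byte-swapped DOI from any peer, not just OS X Server, and it leaves the bogus value in sa->isasa_doi, so if later code compares that field against ISAKMP_DOI_IPSEC the mismatch resurfaces there. Suggest normalizing inside the branch (`sa->isasa_doi = ISAKMP_DOI_IPSEC;`) and gating the tolerance on a per-connection setting rather than applying it globally. Also, because this path runs for every SA body from such a peer, a loglog at RC_LOG_SERIOUS on each one will be noisy; a lower log level or a one-time message would fit better.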


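As an added illustration of the byte-order mix-up described above (this is not Paul's code or anything from the libreswan tree), the C program below models only the 4-octet DOI field of an ISAKMP SA payload. It shows how a sender that copies a host-order integer straight onto the wire produces the 0x01000000 value seen in the log, how the receiver decodes it with ntohl(), and a classification that mirrors the patch's tolerant check. All function and macro names here are my own, and the byte buffer is a constructed sample, not a capture; it assumes a POSIX host with arpa/inet.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Constructed example, not libreswan code. The ISAKMP SA payload carries
 * the DOI as a 4-octet field in network (big-endian) byte order right
 * after the generic payload header; only that field is modelled here. */
#define ISAKMP_DOI_ISAKMP 0u
#define ISAKMP_DOI_IPSEC  1u
/* ISAKMP_DOI_IPSEC with its four bytes reversed: 01 00 00 00 on the wire. */
#define DOI_BYTESWAPPED_IPSEC 0x01000000u   /* == 16777216 */

/* Receiver side: decode the DOI field from wire bytes (always big-endian). */
uint32_t read_wire_doi(const unsigned char wire[4])
{
    uint32_t raw;
    memcpy(&raw, wire, sizeof raw);
    return ntohl(raw);
}

/* Correct sender: convert host order to network order before emitting. */
void write_doi_correct(unsigned char wire[4], uint32_t doi)
{
    uint32_t net = htonl(doi);
    memcpy(wire, &net, sizeof net);
}

/* Buggy sender: copies the host-order integer as-is. On a little-endian
 * host the bytes land as 01 00 00 00, which decodes to 0x01000000. */
void write_doi_hostorder(unsigned char wire[4], uint32_t doi)
{
    memcpy(wire, &doi, sizeof doi);
}

/* Receiver policy mirroring the patch: 1 = IPsec DOI accepted,
 * 2 = byte-swapped DOI tolerated via the workaround, 0 = rejected. */
int classify_doi(uint32_t doi)
{
    if (doi == ISAKMP_DOI_IPSEC)
        return 1;
    if (doi == DOI_BYTESWAPPED_IPSEC)
        return 2;
    return 0;
}

/* htonl(1) is 16777216 only on little-endian hosts; on big-endian it is 1. */
int host_is_little_endian(void)
{
    return htonl(1u) == DOI_BYTESWAPPED_IPSEC;
}

/* End-to-end: what a receiver decodes from each kind of sender. */
uint32_t doi_from_correct_sender(void)
{
    unsigned char wire[4];
    write_doi_correct(wire, ISAKMP_DOI_IPSEC);
    return read_wire_doi(wire);
}

uint32_t doi_from_hostorder_sender(void)
{
    unsigned char wire[4];
    write_doi_hostorder(wire, ISAKMP_DOI_IPSEC);
    return read_wire_doi(wire);
}

int main(void)
{
    /* Constructed wire bytes matching the value reported in the log (16777216). */
    static const unsigned char sample[4] = { 0x01, 0x00, 0x00, 0x00 };

    printf("sample DOI field decodes to %u (class %d)\n",
           read_wire_doi(sample), classify_doi(read_wire_doi(sample)));
    printf("correct sender -> %u, host-order sender on this host -> %u (%s-endian)\n",
           doi_from_correct_sender(), doi_from_hostorder_sender(),
           host_is_little_endian() ? "little" : "big");
    return 0;
}
```

Running it on a little-endian machine prints 1 for the correct sender and 16777216 for the host-order sender, which is exactly the pair of values in the Python session above; on a big-endian machine both senders happen to agree, which is why the bug goes unnoticed until the two sides differ in byte order.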