[Bugs] Patch for freeswan 1.99 to aid in interop with broken devices

From: Wayne Schroeder <raz(at)chewies.net>
Date: Mon Mar 03 2003 - 13:07:42 EST


I realize that this is not a bug in freeswan, but figured this was the best place to get a patch 'submitted' for review and possible posting to the freeswan download page. Personally, I believe the behavior the patch produces should be standard.

One day, while we had an on site vpn setup in the works, we determined that the cisco 800 series boxes have a bug in their implementation of ipsec. The cisco 800 series appears to send 17/0 as their PROTO/PORT negotiation. Looking at the section of code which terminates the tunnel setup, it is obvious that the cisco is at fault (at least from the statements and references to the RFC in the code comments). I dove into the ipsec_doi.c source, changed a few trivial lines, and rebuilt programs--worked like a charm. Basically, what I did was change the sanity code which causes abort at invalid proto/port to *try* to move ahead with sane defaults. This shouldn't be news to the freeswan team, but there were plenty of people on newsgroups and mailing lists (via google search) who were having the same problem. The majority of the responses were 'your other vpn device is broken'.

Personally, I am very glad we were able to change, in a matter of seconds, something on freeswan which helped us interop and saved us quite a bit of time and pain--thank goodness for open source! Keeping with the spirit, here is the patch which made the cisco 800 series work with freeswan 1.99 (we also had x509 patch applied but it shouldn't change anything). I hope that this will be made available to others, at least as an optional patch, to aid with integration with other possibly broken ipsec devices.

Wayne Schroeder <raz@positivenetworks.net> Positive Networks, Inc.

--------8<----------8<----------------

--- freeswan-1.99-x509/pluto/ipsec_doi.c	Mon Mar  3 11:00:08 2003
+++ freeswan-1.99/pluto/ipsec_doi.c	Mon Mar  3 11:08:54 2003
@@ -1812,5 +1812,8 @@
 	    , IPPROTO_UDP, IKE_UDP_PORT
 	    , id->isaid_doi_specific_a, id->isaid_doi_specific_b);
-	return FALSE;
+	//return FALSE;

+ loglog(RC_LOG_SERIOUS, "Using sane defaults patch to set PROTO/PORT to %d/%d for non RFC compliant remote device.", IPPROTO_UDP, IKE_UDP_PORT);
+ id->isaid_doi_specific_a = IPPROTO_UDP;
+ id->isaid_doi_specific_b = IKE_UDP_PORT;
}
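Review bot: the fallback is unconditional, so any peer that sends a non-compliant PROTO/PORT in its ID payload is now accepted with IPPROTO_UDP/IKE_UDP_PORT substituted in, not only the cisco 800 series this was written for; a peer sending a deliberately wrong value can no longer be rejected by this check. Suggest gating it behind a per-connection option (or at least a build-time define) so the strict, RFC-checking behaviour remains the default, and either deleting `//return FALSE;` or turning it into a `/* ... */` comment, since `//` is a C99-style comment and the rest of this file does not use it. Also, the logging call whose arguments appear at the top of the hunk (`, IPPROTO_UDP, IKE_UDP_PORT`, `, id->isaid_doi_specific_a, id->isaid_doi_specific_b);`) still fires before the new "Using sane defaults patch" message, so every affected negotiation now produces two log lines for one condition; consider folding them into a single message that states both the received and the substituted values.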

Bugs mailing list
Bugs@lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/bugs

Received on Mon Mar 3 13:35:51 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 12:59:30 EDT
