
vpnc at unix-ag
Jun 10, 2008, 5:53 PM
svn commit: vpnc r289 - /trunk/vpnc.c
Author: Joerg Mayer
Date: Wed Jun 11 02:53:10 2008
New Revision: 289

Log:
Johan Fischer <jfischer[at]cmss-systems.com>

We recently upgraded our netscreen ScreenOS firewall from 5.4 to 6.0. vpnc trunk M284 was working perfectly fine with the previous ScreenOS 5.4.0, but after the upgrade, we had an intermittent problem during the init of the connection. The problem seems to be that the vpn endpoint is sending a UDP NAT-keepalive packet in the middle of the Xauth and breaks the client expecting the xauth result (which closes the vpn connection).

[...]

This is a similar problem to the SonicWall problem reported in Nov 2007 (http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/2007-November/001981.html).

After investigating a bit more the function and flow, it seems I have a misconfiguration of the active NAT setting. The function recv_ignore_dup is called but because my active_nat is different than NATT_ACTIVE_DRAFT_OLD, the function is not discarding the packet.

[patch deleted]

The connection is now always successful and the logs are indicating:

Received UDP Nat-Keepalive bug nat active mode incorrect: 3
Received UDP Nat-Keepalive bug nat active mode incorrect: 3

3 seems to match NATT_ACTIVE_RFC /* draft 2 and RFC3947 / RFC3948 */ in tunip.h

So somewhere, either vpnc or the ScreenOS system negotiated a wrong NAT :/ Will check further.

Find attached the full patch to vpnc.c which also includes some new VID and DEBUG2 messages for the IKE negotiation. (some part should be discarded and were used to debug).

Modified:
trunk/vpnc.c

Modified: trunk/vpnc.c
==============================================================================
--- trunk/vpnc.c (original)
+++ trunk/vpnc.c Wed Jun 11 02:53:10 2008
@@ -111,6 +111,12 @@ 0x00, 0x00, 0x00, 0x00 }; +const unsigned char VID_HEARTBEAT_NOTIFY[] = { /*Heartbeat Notify*/ + 0x48, 0x65, 0x61, 0x72, 0x74, 0x42, 0x65, 0x61, + 0x74, 0x5f, 0x4e, 0x6f, 0x74, 0x69, 0x66, 0x79, + 0x38, 0x6b, 0x01, 0x00 +}; + struct vid_element { const unsigned char* valueptr; const uint16_t length; @@ -128,6 +134,7 @@ { VID_NATT_RFC, sizeof(VID_NATT_RFC), "Nat-T RFC" }, { VID_CISCO_FRAG, sizeof(VID_CISCO_FRAG), "Cisco Fragmentation" }, { VID_NETSCREEN_15, sizeof(VID_NETSCREEN_15), "Netscreen 15" }, + { VID_HEARTBEAT_NOTIFY, sizeof(VID_HEARTBEAT_NOTIFY), "Heartbeat Notify" }, { NULL, 0, NULL } }; @@ -141,7 +148,7 @@ int vid_index = 0; - if (opt_debug < 3) + if (opt_debug < 2) return; while (vid_list[vid_index].length) { @@ -305,11 +312,17 @@ error(1, errno, "receiving packet"); if ((unsigned int)recvsize > recvbufsize) error(1, errno, "received packet too large for buffer"); - - /* skip NAT-T draft-0 keepalives */ - if ((s->ipsec.natt_active_mode == NATT_ACTIVE_DRAFT_OLD) && - (recvsize == 1) && (*((u_char *)(recvbuf)) == 0xff)) + + /* skip (not only) NAT-T draft-0 keepalives */ + if ( /* (s->ipsec.natt_active_mode == NATT_ACTIVE_DRAFT_OLD) && */ + (recvsize == 1) && (*((u_char *)(recvbuf)) == 0xff)) + { + if ((s->ipsec.natt_active_mode != NATT_ACTIVE_DRAFT_OLD)) + { + DEBUG(2, printf("Received UDP NAT-Keepalive bug nat active mode incorrect: %d\n", s->ipsec.natt_active_mode)); + } return -1; + } hash_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1); resend_check_hash = malloc(hash_len); 
@@ -1430,6 +1443,14 @@ } else { DEBUG(2, printf("ignoring that peer is DPD capable (RFC3706)\n")); } + } else if (rp->u.vid.length == sizeof(VID_NETSCREEN_15) + && memcmp(rp->u.vid.data, VID_NETSCREEN_15, + sizeof(VID_NETSCREEN_15)) == 0) { + DEBUG(2, printf("peer is using ScreenOS 5.3, 5.4 or 6.0\n")); + } else if (rp->u.vid.length == sizeof(VID_HEARTBEAT_NOTIFY) + && memcmp(rp->u.vid.data, VID_HEARTBEAT_NOTIFY, + sizeof(VID_HEARTBEAT_NOTIFY)) == 0) { + DEBUG(2, printf("peer sent Heartbeat Notify payload\n")); } else { hex_dump("unknown ISAKMP_PAYLOAD_VID", rp->u.vid.data, rp->u.vid.length, NULL); _______________________________________________ vpnc-devel mailing list vpnc-devel[at]unix-ag.uni-kl.de https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel http://www.unix-ag.uni-kl.de/~massar/vpnc/
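Review bot: the new VID_HEARTBEAT_NOTIFY array in the @@ -111 hunk needs a comment saying what it encodes and where the value was observed: the first 16 bytes are the ASCII string "HeartBeat_Notify", but the trailing 0x38, 0x6b, 0x01, 0x00 are unexplained, so nobody can later verify the entry against the peer that sends it. Since the log only mentions the ScreenOS 6.0 upgrade, recording which release emitted this vendor ID (in the comment, not just the table label) would make the entry checkable.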
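Review bot: the change from `if (opt_debug < 3)` to `if (opt_debug < 2)` in the @@ -141 hunk lowers the level at which the whole vendor-ID list is dumped, which has nothing to do with the keepalive fix and is not mentioned in the log; the log itself says some parts "should be discarded and were used to debug". Either revert it or state in the log that printing the VID list at debug level 2 is the intended new default.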
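Review bot: the DEBUG message in the @@ -305 hunk, "Received UDP NAT-Keepalive bug nat active mode incorrect", misdescribes the situation. A one-octet 0xff datagram is the NAT-keepalive format of RFC 3948 as well as of draft-0, so receiving one while natt_active_mode is NATT_ACTIVE_RFC (the value 3 shown in the log) is normal peer behaviour rather than a bug, and discarding it is safe in every mode because a single byte can never be a valid ISAKMP message or UDP-encapsulated ESP packet. Suggest deleting the commented-out `/* (s->ipsec.natt_active_mode == NATT_ACTIVE_DRAFT_OLD) && */` instead of keeping it as a comment, dropping the doubled parentheses in `if ((s->ipsec.natt_active_mode != NATT_ACTIVE_DRAFT_OLD))`, and rewording the message to a neutral `NAT-T keepalive received (natt_active_mode %d)` so the log does not mislead the next person debugging a negotiation.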
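Review bot: the message "peer is using ScreenOS 5.3, 5.4 or 6.0" in the @@ -1430 hunk asserts a version mapping for VID_NETSCREEN_15 that nothing in the log supports beyond the 5.4 and 6.0 releases actually tested; either make the message say what is known ("peer sent Netscreen 15 vendor ID") or add a comment citing where the version list comes from. Both new `else if` branches only log and change no negotiation behaviour, which is worth stating in the commit log since the rest of the change is a functional keepalive fix.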