
diff -urNp openswan-2.6.32-orig/programs/pluto/ikev1_aggr.c openswan-2.6.32-cvs-patched/programs/pluto/ikev1_aggr.c
--- openswan-2.6.32-orig/programs/pluto/ikev1_aggr.c	2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/ikev1_aggr.c	2011-01-12 12:59:26.037072703 -0500
@@ -795,6 +795,18 @@ aggr_inR1_outI2_tail(struct msg_digest *
     if (!encrypt_message(&md->rbody, st))
 	return STF_INTERNAL_ERROR;	/* ??? we may be partly committed */
 
+    if(c->newest_isakmp_sa != SOS_NOBODY && st->st_connection->spd.this.xauth_client && st->st_connection->remotepeertype == CISCO) {
+    DBG(DBG_CONTROL, DBG_log("This seems to be rekey, and XAUTH is not supposed to be done again"));
+    st->hidden_variables.st_xauth_client_done = TRUE;
+    st->st_oakley.xauth = 0; 
+
+	if(st->st_connection->spd.this.modecfg_client) {
+	DBG(DBG_CONTROL, DBG_log("This seems to be rekey, and MODECFG is not supposed to be done again"));
+	st->hidden_variables.st_modecfg_vars_set = TRUE;
+        st->hidden_variables.st_modecfg_started = TRUE;
+	}
+    }
+
     c->newest_isakmp_sa = st->st_serialno;
 
     /* save last IV from phase 1 so it can be restored later so anything 
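Review bot: The rekey test treats any `c->newest_isakmp_sa != SOS_NOBODY` as evidence that XAUTH and MODECFG already ran for this peer, and the next line overwrites that serial unconditionally, so the shortcut is only sound if a deleted or expired ISAKMP SA resets the field to SOS_NOBODY — confirm that and record it in a comment, e.g. `/* an earlier ISAKMP SA on this connection already passed XAUTH: treat this as a rekey */`. The same twelve lines are added again in aggr_inI2_tail in the next hunk; moving them into one static helper, e.g. `static void cisco_rekey_skip_xauth(struct connection *c, struct state *st)`, keeps the two paths in step. The condition reads `c->newest_isakmp_sa` next to `st->st_connection->spd.this.xauth_client`; if `c` is `st->st_connection` (its assignment is outside the hunk, as is the start of aggr_inR1_outI2_tail) use one form. Inside the block the nested `if` and its body sit at the same indent, tabs are mixed with spaces, and `st->st_oakley.xauth = 0; ` carries trailing whitespace.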
@@ -883,6 +895,18 @@ aggr_inI2_tail(struct msg_digest *md
 
     /**************** done input ****************/
 
+    if(c->newest_isakmp_sa != SOS_NOBODY && st->st_connection->spd.this.xauth_client && st->st_connection->remotepeertype == CISCO) {
+    DBG(DBG_CONTROL, DBG_log("This seems to be rekey, and XAUTH is not supposed to be done again"));
+    st->hidden_variables.st_xauth_client_done = TRUE;
+    st->st_oakley.xauth = 0; 
+
+        if(st->st_connection->spd.this.modecfg_client) {
+        DBG(DBG_CONTROL, DBG_log("This seems to be rekey, and MODECFG is not supposed to be done again"));
+        st->hidden_variables.st_modecfg_vars_set = TRUE;
+        st->hidden_variables.st_modecfg_started = TRUE; 
+        }
+   }
+
     c->newest_isakmp_sa = st->st_serialno;
 
     update_iv(st);	/* Finalize our Phase 1 IV */
@@ -1151,7 +1175,7 @@ aggr_outI1_tail(struct pluto_crypto_req_
 	}
 #endif
 	
-	if (!nat_traversal_insert_vid(np, &md->rbody)) {
+	if (!nat_traversal_insert_vid(np, &md->rbody, st)) {
 	    reset_cur_state();
 	    return STF_INTERNAL_ERROR;
 	}
diff -urNp openswan-2.6.32-orig/programs/pluto/ikev1_main.c openswan-2.6.32-cvs-patched/programs/pluto/ikev1_main.c
--- openswan-2.6.32-orig/programs/pluto/ikev1_main.c	2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/ikev1_main.c	2011-01-12 12:59:44.631048136 -0500
@@ -216,7 +216,7 @@ main_outI1(int whack_sock
 	int np = --numvidtosend > 0 ? ISAKMP_NEXT_VID : ISAKMP_NEXT_NONE;
 	
 	/* Add supported NAT-Traversal VID */
-	if (!nat_traversal_insert_vid(np, &md.rbody)) {
+	if (!nat_traversal_insert_vid(np, &md.rbody, st)) {
 	    reset_cur_state();
 	    return STF_INTERNAL_ERROR;
 	}
diff -urNp openswan-2.6.32-orig/programs/pluto/nat_traversal.c openswan-2.6.32-cvs-patched/programs/pluto/nat_traversal.c
--- openswan-2.6.32-orig/programs/pluto/nat_traversal.c	2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/nat_traversal.c	2011-01-12 13:00:01.581048370 -0500
@@ -198,7 +198,7 @@ static void _natd_hash(const struct hash
  *
  * Used when we're Initiator
  */
-bool nat_traversal_insert_vid(u_int8_t np, pb_stream *outs)
+bool nat_traversal_insert_vid(u_int8_t np, pb_stream *outs, struct state *st)
 {
 	bool r = TRUE;
 	DBG(DBG_NATT
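Review bot: The block comment that ends just above the signature (`* Used when we're Initiator`) is not updated for the new `st` parameter, which the function body dereferences as `st->st_connection->remotepeertype` with no NULL check (see the next hunk). Add a line to that comment such as ` * st: the state being built; must be non-NULL, its connection's remotepeertype selects which NAT-T VIDs are emitted`. The comment itself starts outside the hunk.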
@@ -207,6 +207,9 @@ bool nat_traversal_insert_vid(u_int8_t n
 		      , nat_traversal_support_non_ike));
 		      
 	if (nat_traversal_support_port_floating) {
+	    if (st->st_connection->remotepeertype == CISCO) {
+	    if (r) r = out_vid(np, outs, VID_NATT_RFC);
+	    } else {
 	    if (r) r = out_vid(ISAKMP_NEXT_VID, outs, VID_NATT_RFC);
 	    if (r) r = out_vid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_05);
 	    if (r) r = out_vid(ISAKMP_NEXT_VID, outs, VID_NATT_IETF_03);
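Review bot: `st->st_connection->remotepeertype == CISCO` is evaluated here and again in the `nat_traversal_support_non_ike` test in the next hunk, and both dereferences are unguarded; hoisting it once at the top of the function, `const bool cisco_peer = st->st_connection->remotepeertype == CISCO;`, and using `if (cisco_peer)` here and `&& !cisco_peer` below makes the two sites agree and gives a single place for a `passert(st != NULL)` if any caller can pass NULL. The new `if (r) r = out_vid(np, outs, VID_NATT_RFC);` on the Cisco path sits at the same indent as its enclosing `if`, unlike the existing branches. The `else` opened here is closed in the following hunk.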
@@ -214,8 +217,9 @@ bool nat_traversal_insert_vid(u_int8_t n
 	    if (r)
 		r = out_vid(nat_traversal_support_non_ike ? ISAKMP_NEXT_VID : np,
 			outs, VID_NATT_IETF_02);
+	    }
 	}
-	if (nat_traversal_support_non_ike) {
+	if (nat_traversal_support_non_ike && st->st_connection->remotepeertype != CISCO) {
 	    if (r) r = out_vid(np, outs, VID_NATT_IETF_00);
 	}
 	return r;
diff -urNp openswan-2.6.32-orig/programs/pluto/nat_traversal.h openswan-2.6.32-cvs-patched/programs/pluto/nat_traversal.h
--- openswan-2.6.32-orig/programs/pluto/nat_traversal.h	2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/nat_traversal.h	2011-01-12 13:00:08.907049604 -0500
@@ -129,7 +129,7 @@ extern int nat_traversal_espinudp_socket
  */
 #ifndef PB_STREAM_UNDEFINED
 bool nat_traversal_add_vid(u_int8_t np, pb_stream *outs);
-bool nat_traversal_insert_vid(u_int8_t np, pb_stream *outs);
+bool nat_traversal_insert_vid(u_int8_t np, pb_stream *outs, struct state *st);
 #endif
 u_int32_t nat_traversal_vid_to_method(unsigned short nat_t_vid);
 
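Review bot: The prototype now names `struct state *st`, and nothing in this hunk shows a prior `struct state;` forward declaration or an include that provides the tag; if it is not already visible in nat_traversal.h, the tag gets prototype scope here and the compiler warns that it will not match the definition in nat_traversal.c. Add `struct state;` near the top of the header (or include the header that declares it) unless it is already there.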
diff -urNp openswan-2.6.32-orig/programs/pluto/spdb_v1_struct.c openswan-2.6.32-cvs-patched/programs/pluto/spdb_v1_struct.c
--- openswan-2.6.32-orig/programs/pluto/spdb_v1_struct.c	2010-12-17 20:23:54.000000000 -0500
+++ openswan-2.6.32-cvs-patched/programs/pluto/spdb_v1_struct.c	2011-01-12 13:00:40.692054622 -0500
@@ -1547,7 +1547,7 @@ parse_ipsec_transform(struct isakmp_tran
 		    case SA_LIFE_TYPE_SECONDS:
 			/* silently limit duration to our maximum */
 			attrs->life_seconds = val <= SA_LIFE_DURATION_MAXIMUM
-			    ? val : SA_LIFE_DURATION_MAXIMUM;
+			    ? (val < st->st_connection->sa_ipsec_life_seconds ? val : st->st_connection->sa_ipsec_life_seconds) : SA_LIFE_DURATION_MAXIMUM;
 			break;
 		    case SA_LIFE_TYPE_KBYTES:
 			attrs->life_kilobytes = val;
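Review bot: The new clamp applies only on the `val <= SA_LIFE_DURATION_MAXIMUM` side of the ternary, so a proposal above SA_LIFE_DURATION_MAXIMUM is still limited to that global constant even when `st->st_connection->sa_ipsec_life_seconds` is smaller, while a slightly lower proposal gets the connection's limit; the result is non-monotonic in `val`. Clamping to the minimum of all three closes the gap: `attrs->life_seconds = val; if (attrs->life_seconds > st->st_connection->sa_ipsec_life_seconds) attrs->life_seconds = st->st_connection->sa_ipsec_life_seconds; if (attrs->life_seconds > SA_LIFE_DURATION_MAXIMUM) attrs->life_seconds = SA_LIFE_DURATION_MAXIMUM;`. The comment `/* silently limit duration to our maximum */` should also say that the connection's configured lifetime is now a limit. The enclosing switch and parse_ipsec_transform start outside the hunk, and the types of `val` and `sa_ipsec_life_seconds` are not visible, so confirm the comparison does not mix signedness.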
@@ -1613,7 +1613,13 @@ parse_ipsec_transform(struct isakmp_tran
 					loglog(RC_LOG_SERIOUS,
 						"%s must only be used with old IETF drafts",
 						enum_name(&enc_mode_names, val));
+					if(st->st_connection->remotepeertype == CISCO) {
+					DBG_log( "Allowing, as this may be due to rekey");
+					attrs->encapsulation = val - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS + ENCAPSULATION_MODE_TUNNEL;
+					}
+					else {
 					return FALSE;
+					}
 				}
 				else if (st->hidden_variables.st_nat_traversal & NAT_T_DETECTED) {
 					attrs->encapsulation = val - ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS + ENCAPSULATION_MODE_TUNNEL;
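Review bot: The CISCO branch accepts the draft encapsulation mode right after `loglog(RC_LOG_SERIOUS, "%s must only be used with old IETF drafts", ...)` has been emitted, so the log reports a rejection that does not happen for Cisco peers; either move that loglog into the new `else` branch or replace it on the accepting path with something like `loglog(RC_LOG_SERIOUS, "%s accepted without draft negotiation: remote peer is Cisco, may be a rekey", enum_name(&enc_mode_names, val));`. The new `DBG_log("Allowing, as this may be due to rekey")` is called bare, unlike the `DBG(DBG_CONTROL, DBG_log(...))` form used by the other additions in this patch, so it prints unconditionally — wrap it the same way. The `if` that this `else if` chain belongs to opens before the hunk, so the condition being relaxed is not visible here; a one-line comment naming what was not negotiated would help the next reader. The body of the new `if` is not indented relative to it.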
diff -urNp openswan-2.6.32-orig/programs/_updown.netkey/_updown.netkey.in openswan-2.6.32-cvs-patched/programs/_updown.netkey/_updown.netkey.in
--- openswan-2.6.32-orig/programs/_updown.netkey/_updown.netkey.in	2011-01-12 12:31:15.237048214 -0500
+++ openswan-2.6.32-cvs-patched/programs/_updown.netkey/_updown.netkey.in	2011-01-12 12:58:50.291049690 -0500
@@ -318,6 +318,40 @@ addsource() {
     return $st
 }
 
+delsource() {
+    st=0
+    # check if given sourceip is local and add as alias if not
+    if  ip -o route get ${PLUTO_MY_SOURCEIP%/*} | grep -q ^local; then
+        #it="ip addr del ${PLUTO_MY_SOURCEIP%/*}/32 label ${PLUTO_INTERFACE%:*}:1 dev ${PLUTO_INTERFACE%:*}"
+
+                saddr=${PLUTO_MY_SOURCEIP%/*}/32
+                if test "${PLUTO_PEER_CLIENT##*/}" != 32
+                then
+                saddr=${PLUTO_MY_SOURCEIP%/*}/"${PLUTO_PEER_CLIENT##*/}"
+                fi
+
+        it="ip addr del ${saddr} dev ${PLUTO_INTERFACE%:*}"
+
+        oops="`eval $it 2>&1`"
+        st=$?
+        if [ " $oops" = " " -a " $st" != " 0" ]; then
+            oops="silent error, exit status $st"
+        fi
+        case "$oops" in
+            'RTNETLINK answers: File exists'*)
+                # should not happen, but ... ignore if the
+                # address was already assigned on interface
+                oops=""
+                st=0
+                ;;
+        esac
+        if [ " $oops" != " " -o " $st" != " 0" ]; then
+            echo "$0: addsource \`$it' failed ($oops)" >&2
+        fi
+    fi
+    return $st
+}
+
 
 doroute() {
     if [ -z "$PLUTO_MY_SOURCEIP" ] && [ -n "$DEFAULTSOURCE" ]
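Review bot: The failure message on the `echo` line reports `addsource` for a failure inside delsource, and the comment at the top of the function ("check if given sourceip is local and add as alias if not") still describes addsource; change them to `echo "$0: delsource \`$it' failed ($oops)" >&2` and `# check if given sourceip is local and remove the alias if so`. The `'RTNETLINK answers: File exists'*` case is the benign outcome of `ip addr add`, not `ip addr del`; for a delete the already-gone case is reported differently (on iproute2 it is "RTNETLINK answers: Cannot assign requested address" — confirm on the target release), so as written a repeated delete is logged as a failure while an unexpected "File exists" is silently ignored. The commented-out `#it="ip addr del ..."` line should be dropped. `$it` is assembled from PLUTO_* variables and run through `eval`, mirroring addsource (outside the hunk); the interpolated values are unquoted, so they are presumably trusted to be plain addresses and interface names from pluto — quoting them in the command string costs nothing and documents that assumption.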
@@ -357,6 +391,10 @@ doroute() {
 	parms2="$parms2 src ${PLUTO_MY_SOURCEIP%/*}"
     fi
 
+    if [ "$1" = "del" -a -n "$PLUTO_MY_SOURCEIP" ]; then
+        delsource
+    fi
+
     case "$PLUTO_PEER_CLIENT" in
 	"0.0.0.0/0")
 	    # opportunistic encryption work around
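Review bot: The exit status of `delsource` is discarded, and it runs before the route command whose `parms2` still carries `src ${PLUTO_MY_SOURCEIP%/*}` (set in the context just above), so the later `ip route del ... src ADDR` may be issued after that address is gone — confirm it still matches, or move the call after the route removal. If doroute tracks a status for the add side with addsource (not visible in this hunk), mirror it here, e.g. `delsource || st=$?`. The rest of doroute, including where addsource is invoked, is outside the hunk.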