authorEugene Grosbein <eugen@FreeBSD.org>2019-03-27 08:56:35 +0000
committerEugene Grosbein <eugen@FreeBSD.org>2019-03-27 08:56:35 +0000
commit6f8db9116757748957c3e3f0f20f71e6a8d524e9 (patch)
tree1a43101142d5eae60dd7d8e6e5736d9c76fb9e20
parent2c51c0087b8c36534d149b72704a9f284d331f53 (diff)
downloadfreebsd-ports-6f8db9116757748957c3e3f0f20f71e6a8d524e9.zip
security/ipsec-tools: small correction NATT patch
This change fixes a rare case for "site to site" IPSec tunnel mode when the remote peer is behind NAT and has its own LAN behind it. Now this works too (previously NATT worked only for a single host behind NAT).
-rw-r--r--security/ipsec-tools/Makefile2
-rw-r--r--security/ipsec-tools/files/natt.diff6
2 files changed, 5 insertions, 3 deletions
diff --git a/security/ipsec-tools/Makefile b/security/ipsec-tools/Makefile
index 4223855ea4d8..e16034a691f8 100644
--- a/security/ipsec-tools/Makefile
+++ b/security/ipsec-tools/Makefile
@@ -8,7 +8,7 @@
PORTNAME= ipsec-tools
PORTVERSION= 0.8.2
-PORTREVISION= 7
+PORTREVISION= 8
CATEGORIES= security
MASTER_SITES= SF
diff --git a/security/ipsec-tools/files/natt.diff b/security/ipsec-tools/files/natt.diff
index 0b1c0c26938f..ff0daa44475c 100644
--- a/security/ipsec-tools/files/natt.diff
+++ b/security/ipsec-tools/files/natt.diff
@@ -82,12 +82,14 @@
return pfkey_send_add2(&psaa);
--- src/racoon/isakmp_quick.c
+++ src/racoon/isakmp_quick.c
-@@ -2390,6 +2390,32 @@ get_proposal_r(iph2)
+@@ -2390,6 +2390,34 @@
spidx.src.ss_family, spidx.dst.ss_family,
_XIDT(iph2->id_p),idi2type);
}
+#ifdef ENABLE_NATT
-+ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER) {
++ if (iph2->ph1->natt_flags & NAT_DETECTED_PEER
++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV4_ADDR_SUBNET
++ && _XIDT(iph2->id) != IPSECDOI_ID_IPV6_ADDR_SUBNET) {
+ u_int16_t port;
+
+ port = extract_port(&spidx.src);