Package: vpnc Version: 0.5.3r449-2.1ubuntu1 Severity: normal Tags: patch VPNC doesn't offer support for draft-ietf-ipsec-nat-t-ike-03, which is required by the Fritz!Box series of home routers. This patch adds support for that feature so that VPNC can connect to these routers. Also, the default timeout is lowered to 3600 seconds (also required by Fritz!Boxes).
-- System Information: Debian Release: squeeze/sid APT prefers natty-updates APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty') Architecture: amd64 (x86_64) Kernel: Linux 2.6.38-8-generic (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.utf8) Shell: /bin/sh linked to /bin/dash Versions of packages vpnc depends on: ii libc6 2.13-0ubuntu13 Embedded GNU C Library: Shared lib ii libgcrypt11 1.4.6-4ubuntu2 LGPL Crypto library - runtime libr ii libgnutls26 2.8.6-1ubuntu2 the GNU TLS library - runtime libr Versions of packages vpnc recommends: ii iproute 20100519-3 networking and traffic control too Versions of packages vpnc suggests: pn resolvconf <none> (no description available) -- Configuration Files: /etc/vpnc/example.conf [Errno 13] Permission denied: u'/etc/vpnc/example.conf' /etc/vpnc/vpnc-script [Errno 13] Permission denied: u'/etc/vpnc/vpnc-script' -- no debconf information
diff -urNad vpnc-0.5.3r449.orig/vpnc.c vpnc-0.5.3r449/vpnc.c
--- vpnc-0.5.3r449.orig/vpnc.c 2010-03-18 04:05:23.000000000 +0100
+++ vpnc-0.5.3r449/vpnc.c 2011-06-08 13:01:44.592464761 +0200
@@ -88,6 +88,10 @@
 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E,
 0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F
 };
+const unsigned char VID_NATT_03[] = { /* "draft-ietf-ipsec-nat-t-ike-03" */
+ 0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f,
+ 0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56
+};
 const unsigned char VID_NATT_RFC[] = { /* "RFC 3947" */
 0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45,
 0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F
@@ -141,6 +145,7 @@
 { VID_NATT_01, sizeof(VID_NATT_01), "Nat-T 01" },
 { VID_NATT_02, sizeof(VID_NATT_02), "Nat-T 02" },
 { VID_NATT_02N, sizeof(VID_NATT_02N), "Nat-T 02N" },
+ { VID_NATT_03, sizeof(VID_NATT_03), "Nat-T 03" },
 { VID_NATT_RFC, sizeof(VID_NATT_RFC), "Nat-T RFC" },
 { VID_DWR, sizeof(VID_DWR), "Delete With Reason" },
 { VID_CISCO_FRAG, sizeof(VID_CISCO_FRAG), "Cisco Fragmentation" },
@@ -1082,7 +1087,7 @@
 a->af = isakmp_attr_lots;
 a->u.lots.length = 4;
 a->u.lots.data = xallocc(a->u.lots.length);
- *((uint32_t *) a->u.lots.data) = htonl(2147483);
+ *((uint32_t *) a->u.lots.data) = htonl(3600);
 a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
 a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
 a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
@@ -1267,6 +1272,8 @@
 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
 VID_NATT_RFC, sizeof(VID_NATT_RFC));
 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
+ VID_NATT_03, sizeof(VID_NATT_03));
+ l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
 VID_NATT_02N, sizeof(VID_NATT_02N));
 l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
 VID_NATT_02, sizeof(VID_NATT_02));
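Review bot: The new IKE SA lifetime at `*((uint32_t *) a->u.lots.data) = htonl(3600);` in the `@@ -1082` hunk is a bare literal that is duplicated by the identical `htonl(3600)` in the `@@ -2454` hunk for the IPsec SA lifetime, and it lowers the default for every peer rather than only for the Fritz!Box case the report describes. A single named constant such as `enum { DEFAULT_SA_LIFETIME_SECONDS = 3600 };` used at both sites, or preferably a configuration option defaulting to 3600, would keep the two values in step and let other peers keep the previous value. The value is the duration paired with `IKE_LIFE_TYPE_SECONDS` / `IPSEC_LIFE_SECONDS` on the next line, so the report's "default timeout" should be described as the SA lifetime; a shorter lifetime only means more frequent rekeying. Both enclosing functions start and end outside their hunks.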
@@ -1501,6 +1508,12 @@
 seen_natt_vid = 1;
 if (natt_draft < 1) natt_draft = 2;
 DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n"));
+ } else if (rp->u.vid.length == sizeof(VID_NATT_03)
+ && memcmp(rp->u.vid.data, VID_NATT_03,
+ sizeof(VID_NATT_03)) == 0) {
+ seen_natt_vid = 1;
+ if (natt_draft < 1) natt_draft = 2;
+ DEBUG(2, printf("peer is NAT-T capable (draft-03)\n"));
 } else if (rp->u.vid.length == sizeof(VID_NATT_02N)
 && memcmp(rp->u.vid.data, VID_NATT_02N,
 sizeof(VID_NATT_02N)) == 0) {
@@ -2454,7 +2467,7 @@
 a->af = isakmp_attr_lots;
 a->u.lots.length = 4;
 a->u.lots.data = xallocc(a->u.lots.length);
- *((uint32_t *) a->u.lots.data) = htonl(2147483);
+ *((uint32_t *) a->u.lots.data) = htonl(3600);
 a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
 if (dh_group)
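Review bot: The new draft-03 branch in the `@@ -1501` hunk assigns the same `natt_draft = 2` that the RFC 3947 branch just above it uses, but nothing says why a draft-03 peer should be driven exactly like an RFC 3947 peer; if the two are wire-compatible for the purposes of this code, that deserves a comment such as `/* draft-03 is negotiated the same way as RFC 3947 here (natt_draft 2) */`, and if they are not, the value is presumably wrong. The `if (natt_draft < 1)` guard also silently keeps any lower-preference draft already chosen, which is the existing behaviour but worth a word in the same comment. The enclosing function starts and ends outside the hunk.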