Package: vpnc
Version: 0.5.3r449-2.1ubuntu1
Severity: normal
Tags: patch

VPNC doesn't offer support for draft-ietf-ipsec-nat-t-ike-03, which is
required by the Fritz!Box series of home routers. This patch adds
support for that feature so that VPNC can connect to these routers.
Also, the default SA lifetime is lowered to 3600 seconds (also required by
Fritz!Boxes).

-- System Information:
Debian Release: squeeze/sid
  APT prefers natty-updates
  APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-8-generic (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to de_DE.utf8)
Shell: /bin/sh linked to /bin/dash

Versions of packages vpnc depends on:
ii  libc6                     2.13-0ubuntu13 Embedded GNU C Library: Shared lib
ii  libgcrypt11               1.4.6-4ubuntu2 LGPL Crypto library - runtime libr
ii  libgnutls26               2.8.6-1ubuntu2 the GNU TLS library - runtime libr

Versions of packages vpnc recommends:
ii  iproute                       20100519-3 networking and traffic control too

Versions of packages vpnc suggests:
pn  resolvconf                    <none>     (no description available)

-- Configuration Files:
/etc/vpnc/example.conf [Errno 13] Permission denied: u'/etc/vpnc/example.conf'
/etc/vpnc/vpnc-script [Errno 13] Permission denied: u'/etc/vpnc/vpnc-script'

-- no debconf information
diff -urNad vpnc-0.5.3r449.orig/vpnc.c vpnc-0.5.3r449/vpnc.c
--- vpnc-0.5.3r449.orig/vpnc.c	2010-03-18 04:05:23.000000000 +0100
+++ vpnc-0.5.3r449/vpnc.c	2011-06-08 13:01:44.592464761 +0200
@@ -88,6 +88,10 @@
 	0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E,
 	0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F
 };
+const unsigned char VID_NATT_03[] = { /* "draft-ietf-ipsec-nat-t-ike-03" */
+	0x7d, 0x94, 0x19, 0xa6, 0x53, 0x10, 0xca, 0x6f,
+	0x2c, 0x17, 0x9d, 0x92, 0x15, 0x52, 0x9d, 0x56
+};
 const unsigned char VID_NATT_RFC[] = { /* "RFC 3947" */
 	0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45,
 	0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F
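Review bot: The new `VID_NATT_03` table documents only the draft name, so a reader cannot check the 16 bytes against the draft without recomputing them; the NAT-T vendor IDs are by convention the MD5 digest of the draft's title string, so a comment such as `/* MD5("draft-ietf-ipsec-nat-t-ike-03") */` would make the value verifiable in place. As a point of style, the new bytes are written in lowercase hex while every neighbouring table in the hunk uses uppercase; matching the surrounding form makes the table easier to scan.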
@@ -141,6 +145,7 @@
 	{ VID_NATT_01,		sizeof(VID_NATT_01),	"Nat-T 01" },
 	{ VID_NATT_02,		sizeof(VID_NATT_02),	"Nat-T 02" },
 	{ VID_NATT_02N,		sizeof(VID_NATT_02N),	"Nat-T 02N" },
+	{ VID_NATT_03,		sizeof(VID_NATT_03),	"Nat-T 03" },
 	{ VID_NATT_RFC,		sizeof(VID_NATT_RFC),	"Nat-T RFC" },
 	{ VID_DWR,		sizeof(VID_DWR),	"Delete With Reason" },
 	{ VID_CISCO_FRAG,	sizeof(VID_CISCO_FRAG),	"Cisco Fragmentation" },
@@ -1082,7 +1087,7 @@
 	a->af = isakmp_attr_lots;
 	a->u.lots.length = 4;
 	a->u.lots.data = xallocc(a->u.lots.length);
-	*((uint32_t *) a->u.lots.data) = htonl(2147483);
+	*((uint32_t *) a->u.lots.data) = htonl(3600);
 	a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
 	a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
 	a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
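Review bot: The changed `htonl(3600)` line hard-codes an IKE SA lifetime that now applies to every peer, not only the Fritz!Box the report is about, and the same literal is changed again for the IPsec SA lifetime in the hunk at `@@ -2454`. A shorter rekey interval is not harmful in itself, but it is a behaviour change for all existing peers, so the value belongs in a named constant or, better, a configuration option with 3600 as its default. At minimum the reason should be recorded next to the literal, e.g. `/* 3600 s: reportedly the maximum some peers (AVM Fritz!Box) accept */`, since the old value 2147483 gave no hint either. The enclosing function starts and ends outside the hunk.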
@@ -1267,6 +1272,8 @@
 			l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
 				VID_NATT_RFC, sizeof(VID_NATT_RFC));
 			l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
+				VID_NATT_03, sizeof(VID_NATT_03));
+			l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
 				VID_NATT_02N, sizeof(VID_NATT_02N));
 			l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID,
 				VID_NATT_02, sizeof(VID_NATT_02));
@@ -1501,6 +1508,12 @@
 					seen_natt_vid = 1;
 					if (natt_draft < 1) natt_draft = 2;
 					DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n"));
+				} else if (rp->u.vid.length == sizeof(VID_NATT_03)
+					&& memcmp(rp->u.vid.data, VID_NATT_03,
+						sizeof(VID_NATT_03)) == 0) {
+					seen_natt_vid = 1;
+					if (natt_draft < 1) natt_draft = 2;
+					DEBUG(2, printf("peer is NAT-T capable (draft-03)\n"));
 				} else if (rp->u.vid.length == sizeof(VID_NATT_02N)
 					&& memcmp(rp->u.vid.data, VID_NATT_02N,
 						sizeof(VID_NATT_02N)) == 0) {
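Review bot: The new draft-03 branch assigns `natt_draft = 2`, the same level as the RFC 3947 branch above it, but nothing explains why draft-03 is grouped with RFC 3947 rather than with draft-02/02N below; if `natt_draft` selects the NAT-D/NAT-OA payload numbering elsewhere in the file (not visible from the hunk), this choice determines which payload types are sent to a draft-03 peer. I believe draft-03 kept the private-use payload numbers of the earlier drafts while adopting port floating, so the rationale, or the fact that it was verified against a Fritz!Box, deserves a comment such as `/* draft-03 handled like RFC 3947; verified against AVM Fritz!Box */`. The branch also repeats the RFC branch verbatim apart from the debug string, and this growing chain of length-plus-memcmp tests would read better through a small `static` helper that takes the VID table and its size. The enclosing function begins and ends outside the hunk.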
@@ -2454,7 +2467,7 @@
 	a->af = isakmp_attr_lots;
 	a->u.lots.length = 4;
 	a->u.lots.data = xallocc(a->u.lots.length);
-	*((uint32_t *) a->u.lots.data) = htonl(2147483);
+	*((uint32_t *) a->u.lots.data) = htonl(3600);
 	a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
 
 	if (dh_group)
