On Thu, Jan 16, 2020 at 06:24:47PM +0100, Tobias Heider wrote:
> Hi,
>
> this diff adds a '-p' command line option which allows to configure
> the used UDP encapsulation port, similar to isakmpd's '-N' flag.
>
> UDP encapsulation is primarily used with IPsec NAT traversal
> but with this diff it may also be useful in cases where
> ESP and UDP ports 500 and 4500 are blocked or rate limited.
>
> To receive UDP encapsulated ESP traffic on a port other than 4500
> the sysctl option 'net.inet.esp.udpencap_port' has to be set
> accordingly.
> I am considering extending the pfkey interface in the future, so
> that iked can also handle the kernel port, but for now the sysctl
> has to be set manually.
>
> ok?
>
Minor man page fixes.
Index: config.c
===================================================================
RCS file: /cvs/src/sbin/iked/config.c,v
retrieving revision 1.52
diff -u -p -r1.52 config.c
--- config.c 7 Jan 2020 15:08:28 -0000 1.52
+++ config.c 16 Jan 2020 18:15:00 -0000
@@ -988,6 +988,29 @@ config_setkeys(struct iked *env)
}
int
+config_setnattport(struct iked *env)
+{
+ in_port_t nattport;
+
+ nattport = env->sc_nattport;
+ proc_compose(&env->sc_ps, PROC_IKEV2, IMSG_CTL_NATTPORT,
+ &nattport, sizeof(nattport));
+ return (0);
+}
+
+int
+config_getnattport(struct iked *env, struct imsg *imsg)
+{
+ in_port_t nattport;
+
+ IMSG_SIZE_CHECK(imsg, &nattport);
+ memcpy(&nattport, imsg->data, sizeof(nattport));
+ env->sc_nattport = nattport;
+ log_debug("%s: nattport %u", __func__, env->sc_nattport);
+ return (0);
+}
+
+int
config_getkey(struct iked *env, struct imsg *imsg)
{
size_t len;
Index: iked.8
===================================================================
RCS file: /cvs/src/sbin/iked/iked.8,v
retrieving revision 1.23
diff -u -p -r1.23 iked.8
--- iked.8 14 Jan 2020 22:28:29 -0000 1.23
+++ iked.8 16 Jan 2020 18:15:00 -0000
@@ -25,6 +25,7 @@
.Op Fl dnSTtv
.Op Fl D Ar macro Ns = Ns Ar value
.Op Fl f Ar file
+.Op Fl p Ar udpencap_port
.Sh DESCRIPTION
.Nm
is an Internet Key Exchange (IKEv2) daemon which performs mutual
@@ -75,6 +76,10 @@ as the configuration file, instead of th
.It Fl n
Configtest mode.
Only check the configuration file for validity.
+.It Fl p Ar udpencap-port
+Specify the listen port for encapsulated UDP that
+the daemon will bind to as well as the UDP encapsulation port set
+in resulting IPsec SAs.
.It Fl S
Start
.Nm
Index: iked.c
===================================================================
RCS file: /cvs/src/sbin/iked/iked.c,v
retrieving revision 1.40
diff -u -p -r1.40 iked.c
--- iked.c 15 Jan 2020 20:30:32 -0000 1.40
+++ iked.c 16 Jan 2020 18:15:00 -0000
@@ -57,7 +57,7 @@ usage(void)
extern char *__progname;
fprintf(stderr, "usage: %s [-dnSTtv] [-D macro=value] "
- "[-f file]\n", __progname);
+ "[-f file] [-p udpencap_port]\n", __progname);
exit(1);
}
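Review bot: The argument placeholder `[-p udpencap_port]` in the new usage line agrees with the iked.8 synopsis (`.Op Fl p Ar udpencap_port`) but not with the option description in the same man page, which spells it `udpencap-port`; the usage string, the synopsis and the `.It` line should use one spelling. Since the covering mail only mentions minor man page fixes, this is the place to settle it before commit. usage() begins outside this hunk.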
@@ -67,13 +67,14 @@ main(int argc, char *argv[])
int c;
int debug = 0, verbose = 0;
int opts = 0;
+ in_port_t port = IKED_NATT_PORT;
const char *conffile = IKED_CONFIG;
struct iked *env = NULL;
struct privsep *ps;
log_init(1, LOG_DAEMON);
- while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
+ while ((c = getopt(argc, argv, "6dD:nf:p:vSTt")) != -1) {
switch (c) {
case '6':
log_warnx("the -6 option is ignored and will be "
@@ -107,6 +108,10 @@ main(int argc, char *argv[])
case 't':
opts |= IKED_OPT_NATT;
break;
+ case 'p':
+ port = atoi(optarg);
+ opts |= IKED_OPT_NATT;
+ break;
default:
usage();
}
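Review bot: `port = atoi(optarg);` in the new `case 'p':` accepts any string without error reporting, so `-p abc` or `-p 0` silently yields port 0 and a value above 65535 is truncated by the assignment to in_port_t. A numeric option in OpenBSD base code is normally parsed with strtonum(3) and refused at start-up on a bad value; the `errstr` pointer would be declared with the other locals of main(), which are in the previous hunk. It may also be worth excluding IKED_IKE_PORT from the accepted range, since the ikev2_msg.c hunk makes ikev2_msg_cb treat every packet that arrives on sc_nattport as UDP-encapsulated, so `-p 500` would presumably require the non-ESP marker on the IKE port. main() begins and ends outside this hunk.
```c
		case 'p':
			port = strtonum(optarg, 1, UINT16_MAX, &errstr);
			if (errstr != NULL) {
				log_warnx("port is %s: %s", errstr, optarg);
				usage();
			}
			opts |= IKED_OPT_NATT;
			break;
```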
@@ -121,6 +126,7 @@ main(int argc, char *argv[])
fatal("calloc: env");
env->sc_opts = opts;
+ env->sc_nattport = port;
ps = &env->sc_ps;
ps->ps_env = env;
@@ -221,18 +227,18 @@ parent_configure(struct iked *env)
bzero(&ss, sizeof(ss));
ss.ss_family = AF_INET;
- if ((env->sc_opts & IKED_OPT_NATT) == 0)
+ if ((env->sc_opts & IKED_OPT_NATT) == 0 && env->sc_nattport ==
IKED_NATT_PORT)
config_setsocket(env, &ss, ntohs(IKED_IKE_PORT), PROC_IKEV2);
if ((env->sc_opts & IKED_OPT_NONATT) == 0)
- config_setsocket(env, &ss, ntohs(IKED_NATT_PORT), PROC_IKEV2);
+ config_setsocket(env, &ss, ntohs(env->sc_nattport), PROC_IKEV2);
bzero(&ss, sizeof(ss));
ss.ss_family = AF_INET6;
- if ((env->sc_opts & IKED_OPT_NATT) == 0)
+ if ((env->sc_opts & IKED_OPT_NATT) == 0 && env->sc_nattport ==
IKED_NATT_PORT)
config_setsocket(env, &ss, ntohs(IKED_IKE_PORT), PROC_IKEV2);
if ((env->sc_opts & IKED_OPT_NONATT) == 0)
- config_setsocket(env, &ss, ntohs(IKED_NATT_PORT), PROC_IKEV2);
+ config_setsocket(env, &ss, ntohs(env->sc_nattport), PROC_IKEV2);
/*
* pledge in the parent process:
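Review bot: The added `&& env->sc_nattport == IKED_NATT_PORT` on both IKED_IKE_PORT binds looks redundant: in the option-parsing hunk `-p` always sets IKED_OPT_NATT too, so whenever the first operand is true sc_nattport still holds its default and the comparison cannot fail. Either drop the comparison here or drop the flag-setting in `case 'p':`, so the policy lives in one place, and state it with a comment such as `/* a non-default NAT-T port implies -t: do not bind the IKE port */`. The line break before `IKED_NATT_PORT)` in both conditions also reads oddly; breaking after `&&` would follow the surrounding style. parent_configure begins and ends outside this hunk.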
@@ -254,6 +260,7 @@ parent_configure(struct iked *env)
config_setmobike(env);
config_setfragmentation(env);
+ config_setnattport(env);
config_setcoupled(env, env->sc_decoupled ? 0 : 1);
config_setocsp(env);
/* Must be last */
@@ -287,6 +294,7 @@ parent_reload(struct iked *env, int rese
config_setmobike(env);
config_setfragmentation(env);
+ config_setnattport(env);
config_setcoupled(env, env->sc_decoupled ? 0 : 1);
config_setocsp(env);
/* Must be last */
Index: iked.h
===================================================================
RCS file: /cvs/src/sbin/iked/iked.h,v
retrieving revision 1.131
diff -u -p -r1.131 iked.h
--- iked.h 14 Jan 2020 22:28:29 -0000 1.131
+++ iked.h 16 Jan 2020 18:15:01 -0000
@@ -662,6 +662,7 @@ struct iked {
uint32_t sc_opts;
uint8_t sc_passive;
uint8_t sc_decoupled;
+ in_port_t sc_nattport;
uint8_t sc_mobike; /* MOBIKE */
uint8_t sc_frag; /* fragmentation */
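Review bot: `sc_nattport` is the only field in this run without the trailing comment its neighbours `sc_mobike` and `sc_frag` carry; suggest `in_port_t sc_nattport; /* UDP encapsulation port (-p) */`. Inserting a 16-bit member between uint8_t members also introduces padding, so placing it after the uint8_t run would be tidier, though nothing on the page suggests the layout matters beyond that. struct iked begins and ends outside this hunk.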
@@ -767,6 +768,8 @@ int config_setmobike(struct iked *);
int config_getmobike(struct iked *, struct imsg *);
int config_setfragmentation(struct iked *);
int config_getfragmentation(struct iked *, struct imsg *);
+int config_setnattport(struct iked *);
+int config_getnattport(struct iked *, struct imsg *);
/* policy.c */
void policy_init(struct iked *);
Index: ikev2.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.187
diff -u -p -r1.187 ikev2.c
--- ikev2.c 8 Jan 2020 09:14:03 -0000 1.187
+++ ikev2.c 16 Jan 2020 18:15:03 -0000
@@ -213,6 +213,8 @@ ikev2_dispatch_parent(int fd, struct pri
return (config_getmobike(env, imsg));
case IMSG_CTL_FRAGMENTATION:
return (config_getfragmentation(env, imsg));
+ case IMSG_CTL_NATTPORT:
+ return (config_getnattport(env, imsg));
case IMSG_UDP_SOCKET:
return (config_getsocket(env, imsg, ikev2_msg_cb));
case IMSG_PFKEY_SOCKET:
@@ -1084,7 +1086,7 @@ ikev2_init_ike_sa_peer(struct iked *env,
}
if ((env->sc_opts & IKED_OPT_NONATT) == 0) {
- if (ntohs(port) == IKED_NATT_PORT) {
+ if (ntohs(port) == env->sc_nattport) {
/* Enforce NAT-T on the initiator side */
log_debug("%s: enforcing NAT-T", __func__);
req.msg_natt = sa->sa_natt = sa->sa_udpencap = 1;
Index: ikev2_msg.c
===================================================================
RCS file: /cvs/src/sbin/iked/ikev2_msg.c,v
retrieving revision 1.60
diff -u -p -r1.60 ikev2_msg.c
--- ikev2_msg.c 28 Nov 2019 12:16:28 -0000 1.60
+++ ikev2_msg.c 16 Jan 2020 18:15:03 -0000
@@ -78,7 +78,7 @@ ikev2_msg_cb(int fd, short event, void *
return;
if (socket_getport((struct sockaddr *)&msg.msg_local) ==
- IKED_NATT_PORT) {
+ env->sc_nattport) {
if (memcmp(&natt, buf, sizeof(natt)) != 0)
return;
msg.msg_natt = 1;
Index: types.h
===================================================================
RCS file: /cvs/src/sbin/iked/types.h,v
retrieving revision 1.31
diff -u -p -r1.31 types.h
--- types.h 14 Jan 2020 22:28:29 -0000 1.31
+++ types.h 16 Jan 2020 18:15:03 -0000
@@ -104,6 +104,7 @@ enum imsg_type {
IMSG_CTL_PASSIVE,
IMSG_CTL_MOBIKE,
IMSG_CTL_FRAGMENTATION,
+ IMSG_CTL_NATTPORT,
IMSG_COMPILE,
IMSG_UDP_SOCKET,
IMSG_PFKEY_SOCKET,