Hi,
I would like to test IPsec with NAT-T. For that it would be useful
to set the udpencap flag and port of a SA. I added that to
ipseectl(8).
ok?
bluhm
Index: sbin/ipsecctl/ipsec.conf.5
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/ipsecctl/ipsec.conf.5,v
retrieving revision 1.156
diff -u -p -r1.156 ipsec.conf.5
--- sbin/ipsecctl/ipsec.conf.5 10 Nov 2019 20:51:52 -0000 1.156
+++ sbin/ipsecctl/ipsec.conf.5 6 Feb 2020 00:00:06 -0000
@@ -890,6 +890,10 @@ and
The SPI identifies a specific SA.
.Ar number
is a 32-bit value and needs to be unique.
+.It Ic udpencap Op Ic port Ar dport
+For NAT-Traversal encapsulate the IPsec traffic in UDP.
+The port number of the peer can be set to
+.Ar dport .
.It Ic auth Ar algorithm
For ESP and AH
an authentication algorithm can be specified.
Index: sbin/ipsecctl/ipsecctl.h
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/ipsecctl/ipsecctl.h,v
retrieving revision 1.73
diff -u -p -r1.73 ipsecctl.h
--- sbin/ipsecctl/ipsecctl.h 20 Nov 2017 10:51:24 -0000 1.73
+++ sbin/ipsecctl/ipsecctl.h 5 Feb 2020 20:42:45 -0000
@@ -208,6 +208,8 @@ struct ipsec_rule {
u_int8_t ikemode;
u_int8_t p1ie;
u_int8_t p2ie;
+ u_int8_t udpencap;
+ u_int16_t udpdport;
u_int16_t sport;
u_int16_t dport;
u_int32_t spi;
Index: sbin/ipsecctl/parse.y
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/ipsecctl/parse.y,v
retrieving revision 1.177
diff -u -p -r1.177 parse.y
--- sbin/ipsecctl/parse.y 26 Aug 2019 18:53:58 -0000 1.177
+++ sbin/ipsecctl/parse.y 5 Feb 2020 20:46:00 -0000
@@ -205,7 +205,8 @@ int validate_sa(u_int32_t, u_int8_t,
struct ipsec_transforms *, struct ipsec_key *,
struct ipsec_key *, u_int8_t);
struct ipsec_rule *create_sa(u_int8_t, u_int8_t, struct ipsec_hosts *,
- u_int32_t, struct ipsec_transforms *,
+ u_int32_t, u_int8_t, u_int16_t,
+ struct ipsec_transforms *,
struct ipsec_key *, struct ipsec_key *);
struct ipsec_rule *reverse_sa(struct ipsec_rule *, u_int32_t,
struct ipsec_key *, struct ipsec_key *);
@@ -257,6 +258,10 @@ typedef struct {
u_int32_t spiin;
} spis;
struct {
+ u_int8_t encap;
+ u_int16_t port;
+ } udpencap;
+ struct {
struct ipsec_key *keyout;
struct ipsec_key *keyin;
} authkeys;
@@ -281,7 +286,7 @@ typedef struct {
%token AUTHKEY ENCKEY FILENAME AUTHXF ENCXF ERROR IKE MAIN QUICK AGGRESSIVE
%token PASSIVE ACTIVE ANY IPIP IPCOMP COMPXF TUNNEL TRANSPORT DYNAMIC LIFETIME
%token TYPE DENY BYPASS LOCAL PROTO USE ACQUIRE REQUIRE DONTACQ GROUP PORT TAG
-%token INCLUDE BUNDLE
+%token INCLUDE BUNDLE UDPENCAP
%token <v.string> STRING
%token <v.number> NUMBER
%type <v.string> string
@@ -300,6 +305,7 @@ typedef struct {
%type <v.ids> ids
%type <v.id> id
%type <v.spis> spispec
+%type <v.udpencap> udpencap
%type <v.authkeys> authkeyspec
%type <v.enckeys> enckeyspec
%type <v.string> bundlestring
@@ -347,7 +353,7 @@ tcpmd5rule : TCPMD5 hosts spispec authke
struct ipsec_rule *r;
r = create_sa(IPSEC_TCPMD5, IPSEC_TRANSPORT, &$2,
- $3.spiout, NULL, $4.keyout, NULL);
+ $3.spiout, 0, 0, NULL, $4.keyout, NULL);
if (r == NULL)
YYERROR;
@@ -357,17 +363,17 @@ tcpmd5rule : TCPMD5 hosts spispec authke
}
;
-sarule : satype tmode hosts spispec transforms authkeyspec
+sarule : satype tmode hosts spispec udpencap transforms authkeyspec
enckeyspec bundlestring {
struct ipsec_rule *r;
- r = create_sa($1, $2, &$3, $4.spiout, $5, $6.keyout,
- $7.keyout);
+ r = create_sa($1, $2, &$3, $4.spiout, $5.encap, $5.port,
+ $6, $7.keyout, $8.keyout);
if (r == NULL)
YYERROR;
- if (expand_rule(r, NULL, 0, $4.spiin, $6.keyin,
- $7.keyin, $8))
+ if (expand_rule(r, NULL, 0, $4.spiin, $7.keyin,
+ $8.keyin, $9))
errx(1, "sarule: expand_rule");
}
;
@@ -668,6 +674,19 @@ spispec : SPI STRING {
}
;
+udpencap : /* empty */ {
+ $$.encap = 0;
+ }
+ | UDPENCAP {
+ $$.encap = 1;
+ $$.port = 0;
+ }
+ | UDPENCAP PORT NUMBER {
+ $$.encap = 1;
+ $$.port = $3;
+ }
+ ;
+
transforms : {
if ((ipsec_transforms = calloc(1,
sizeof(struct ipsec_transforms))) == NULL)
@@ -1014,6 +1033,7 @@ lookup(char *s)
{ "transport", TRANSPORT },
{ "tunnel", TUNNEL },
{ "type", TYPE },
+ { "udpencap", UDPENCAP },
{ "use", USE }
};
const struct keywords *p;
@@ -2209,6 +2229,8 @@ copyrule(struct ipsec_rule *rule)
r->dport = rule->dport;
r->ikemode = rule->ikemode;
r->spi = rule->spi;
+ r->udpencap = rule->udpencap;
+ r->udpdport = rule->udpdport;
r->nr = rule->nr;
return (r);
@@ -2398,8 +2420,8 @@ add_sabundle(struct ipsec_rule *r, char
struct ipsec_rule *
create_sa(u_int8_t satype, u_int8_t tmode, struct ipsec_hosts *hosts,
- u_int32_t spi, struct ipsec_transforms *xfs, struct ipsec_key *authkey,
- struct ipsec_key *enckey)
+ u_int32_t spi, u_int8_t udpencap, u_int16_t udpdport,
+ struct ipsec_transforms *xfs, struct ipsec_key *authkey, struct ipsec_key
*enckey)
{
struct ipsec_rule *r;
@@ -2416,6 +2438,8 @@ create_sa(u_int8_t satype, u_int8_t tmod
r->src = hosts->src;
r->dst = hosts->dst;
r->spi = spi;
+ r->udpencap = udpencap;
+ r->udpdport = udpdport;
r->xfs = xfs;
r->authkey = authkey;
r->enckey = enckey;
@@ -2443,6 +2467,8 @@ reverse_sa(struct ipsec_rule *rule, u_in
reverse->src = copyhost(rule->dst);
reverse->dst = copyhost(rule->src);
reverse->spi = spi;
+ reverse->udpencap = rule->udpencap;
+ reverse->udpdport = rule->udpdport;
reverse->xfs = copytransforms(rule->xfs);
reverse->authkey = authkey;
reverse->enckey = enckey;
Index: sbin/ipsecctl/pfkey.c
===================================================================
RCS file: /data/mirror/openbsd/cvs/src/sbin/ipsecctl/pfkey.c,v
retrieving revision 1.61
diff -u -p -r1.61 pfkey.c
--- sbin/ipsecctl/pfkey.c 28 Jun 2019 13:32:44 -0000 1.61
+++ sbin/ipsecctl/pfkey.c 5 Feb 2020 23:47:18 -0000
@@ -49,6 +49,7 @@ static int pfkey_flow(int, u_int8_t, u_i
struct ipsec_auth *, u_int8_t);
static int pfkey_sa(int, u_int8_t, u_int8_t, u_int32_t,
struct ipsec_addr_wrap *, struct ipsec_addr_wrap *,
+ u_int8_t, u_int16_t,
struct ipsec_transforms *, struct ipsec_key *,
struct ipsec_key *, u_int8_t);
static int pfkey_sabundle(int, u_int8_t, u_int8_t, u_int8_t,
@@ -388,6 +389,7 @@ pfkey_flow(int sd, u_int8_t satype, u_in
static int
pfkey_sa(int sd, u_int8_t satype, u_int8_t action, u_int32_t spi,
struct ipsec_addr_wrap *src, struct ipsec_addr_wrap *dst,
+ u_int8_t encap, u_int16_t dport,
struct ipsec_transforms *xfs, struct ipsec_key *authkey,
struct ipsec_key *enckey, u_int8_t tmode)
{
@@ -395,6 +397,7 @@ pfkey_sa(int sd, u_int8_t satype, u_int8
struct sadb_sa sa;
struct sadb_address sa_src, sa_dst;
struct sadb_key sa_authkey, sa_enckey;
+ struct sadb_x_udpencap udpencap;
struct sockaddr_storage ssrc, sdst;
struct iovec iov[IOV_CNT];
ssize_t n;
@@ -541,6 +544,12 @@ pfkey_sa(int sd, u_int8_t satype, u_int8
sa_dst.sadb_address_len = (sizeof(sa_dst) + ROUNDUP(sdst.ss_len)) / 8;
sa_dst.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
+ if (encap) {
+ sa.sadb_sa_flags |= SADB_X_SAFLAGS_UDPENCAP;
+ udpencap.sadb_x_udpencap_exttype = SADB_X_EXT_UDPENCAP;
+ udpencap.sadb_x_udpencap_len = sizeof(udpencap) / 8;
+ udpencap.sadb_x_udpencap_port = htons(dport);
+ }
if (action == SADB_ADD && !authkey && !enckey && satype !=
SADB_X_SATYPE_IPCOMP && satype != SADB_X_SATYPE_IPIP) { /* XXX
ENCNULL */
warnx("no key specified");
@@ -592,6 +601,12 @@ pfkey_sa(int sd, u_int8_t satype, u_int8
smsg.sadb_msg_len += sa_dst.sadb_address_len;
iov_cnt++;
+ if (encap) {
+ iov[iov_cnt].iov_base = &udpencap;
+ iov[iov_cnt].iov_len = sizeof(udpencap);
+ smsg.sadb_msg_len += udpencap.sadb_x_udpencap_len;
+ iov_cnt++;
+ }
if (authkey) {
/* authentication key */
iov[iov_cnt].iov_base = &sa_authkey;
@@ -1170,12 +1185,12 @@ pfkey_ipsec_establish(int action, struct
switch (action) {
case ACTION_ADD:
ret = pfkey_sa(fd, satype, SADB_ADD, r->spi,
- r->src, r->dst, r->xfs, r->authkey, r->enckey,
- r->tmode);
+ r->src, r->dst, r->udpencap, r->udpdport,
+ r->xfs, r->authkey, r->enckey, r->tmode);
break;
case ACTION_DELETE:
ret = pfkey_sa(fd, satype, SADB_DELETE, r->spi,
- r->src, r->dst, r->xfs, NULL, NULL, r->tmode);
+ r->src, r->dst, 0, 0, r->xfs, NULL, NULL, r->tmode);
break;
default:
return -1;
