This patch would allow Openswan to accept a bad ip-address proposal offered by an MS Windows ISA server L2tp/Ipsec server. The code is actually already in Openswan; it just needs to be activated in the Makefile for pluto by adding -DALLOW_MICROSOFT_BAD_PROPOSAL \ . Adding it through a USE flag would be a nice thing. This happens only when a client is behind a NAT connection.

Reproducible: Always

Steps to Reproduce:
1. Set up an IPSec session with an MS ISA with the client being behind a natted connection.
2. In Quick mode, the secondary IPsec phase, you will see something like:
"#2: our client subnet returned doesn't match my proposal - us:192.168.5.49/32 vs them:94.225.227.180/32"

Actual Results: Blocks when trying to connect from a natted client.

Expected Results: With the patch applied, it returns this and continues:
#2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]

Successfully tested with Openswan 2.4.15 in a local portage overlay. Added epatch "${FILESDIR}"/openswan-allow_MS_bad_proposal.patch to openswan-2.4.15.ebuild on line 57.

Patch below. Source: http://www.jacco2.dds.nl/networking/patches/openswan-allow_MS_bad_proposal.patch

--- programs/pluto/Makefile.org 2007-11-06 19:56:26.000000000 +0100 +++ programs/pluto/Makefile 2008-02-23 20:10:13.000000000 +0100 @@ -244,6 +244,7 @@ -DGCC_LINT \ -DUSE_AES -DUSE_3DES \ -DIKE_ALG -DKERNEL_ALG -DDB_CONTEXT \ + -DALLOW_MICROSOFT_BAD_PROPOSAL \ ${AGGRESSIVE_DEFS} \ ${XAUTH_DEFS} ${XAUTHPAM_DEFS} \ ${NAT_DEFS} ${CURL_DEFS}\
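Review bot: the hunk adds -DALLOW_MICROSOFT_BAD_PROPOSAL unconditionally to pluto's define list, so every build of the package, not just those of users talking to an MS ISA server, will accept a Quick Mode client-subnet proposal that does not match what it offered (the "Allowing questionable proposal anyway" path instead of the "our client subnet returned doesn't match my proposal" rejection). Since the report itself asks for a USE flag, the Makefile should be left as shipped and the define added only when that flag is set, either by applying this patch conditionally in the ebuild or by appending the -D to the build flags under the same condition, so the default build keeps the stricter check. Note also that the file headers are "programs/pluto/Makefile.org" and "programs/pluto/Makefile" with no a/ b/ prefix, so the patch needs strip level 0 when applied from the source root.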
It's actually not a bug; it's a feature request, sorry.
Boy, this request sure brings back bad memories. Trying to integrate with broken MS IPSEC support is truly painful. Assigning your feature request to the openswan maintainer, and you have my sympathies ;)
Yuck... I'm disgusted by this compiler switch for which upstream didn't have the decency of having a USE switch in the main Makefile. Anyway, Gentoo strives to let users make their choice, so I'll do what you're asking for. Just don't expect me to test this. Fixed in 2.4.15-r1 and 2.6.23 by applying the patch when the ms-bad-proposal USE flag is enabled.
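An ebuild fragment for the USE-flag gating described in the last comment, written here as an added illustration rather than the actual openswan ebuild from the Gentoo tree. It assumes EAPI 2's src_prepare phase, the eutils eclass for epatch, and that the patch file sits in FILESDIR under the name the reporter used.

```ebuild
# Added illustration, not the Gentoo tree's openswan ebuild.
# Assumes EAPI=2 (src_prepare) and eutils for epatch.
EAPI=2
inherit eutils

IUSE="ms-bad-proposal"

src_prepare() {
	# Only loosen pluto's Quick Mode client-subnet check when the user
	# explicitly asked for it; the default build keeps the stricter
	# "our client subnet returned doesn't match my proposal" behaviour.
	if use ms-bad-proposal; then
		epatch "${FILESDIR}"/openswan-allow_MS_bad_proposal.patch
	fi
}
```

With this shape the relaxed check is opt-in per system via USE="ms-bad-proposal", and a plain emerge of the package builds pluto without -DALLOW_MICROSOFT_BAD_PROPOSAL.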