Bug 284240 - net-misc/openswan-2.4.15 (and others) - please add patch as use flag for allowing MS ISA bad proposal (ALLOW_MICROSOFT_BAD_PROPOSAL)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified
Hardware: All Linux
Importance: High normal
Assignee: Alin Năstac (RETIRED)
URL: http://www.jacco2.dds.nl/networking/p...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2009-09-09 08:16 UTC by Tom Kerremans
Modified: 2009-09-11 18:58 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Tom Kerremans 2009-09-09 08:16:39 UTC
This patch would allow Openswan to allow a bad IP address proposal offered by an MS Windows ISA L2TP/IPsec server.
The code is actually already in Openswan; it just needs to be activated in the Makefile for pluto by adding -DALLOW_MICROSOFT_BAD_PROPOSAL \
Adding it through a USE flag would be a nice thing.
This happens only when a client is behind a NAT connection.

Reproducible: Always

Steps to Reproduce:
1. Set up an IPsec session with an MS ISA with the client being behind a NATted connection.
2. In Quick mode, the second IPsec phase, you will see something like: "#2: our client subnet returned doesn't match my proposal - us:192.168.5.49/32 vs them:94.225.227.180/32"

Actual Results:  
Blocks when trying to connect from natted client

Expected Results:  
With the patch applied, it returns this and continues

#2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]

Successfully tested with Openswan 2.4.15 in a local portage overlay.
Added "epatch "${FILESDIR}"/openswan-allow_MS_bad_proposal.patch" to openswan-2.4.15.ebuild on line 57
Patch below. Source: http://www.jacco2.dds.nl/networking/patches/openswan-allow_MS_bad_proposal.patch

--- programs/pluto/Makefile.org	2007-11-06 19:56:26.000000000 +0100
+++ programs/pluto/Makefile	2008-02-23 20:10:13.000000000 +0100
@@ -244,6 +244,7 @@
 	-DGCC_LINT \
 	-DUSE_AES -DUSE_3DES \
 	-DIKE_ALG -DKERNEL_ALG -DDB_CONTEXT \
+	-DALLOW_MICROSOFT_BAD_PROPOSAL \
 	${AGGRESSIVE_DEFS} \
 	${XAUTH_DEFS} ${XAUTHPAM_DEFS} \
 	${NAT_DEFS} ${CURL_DEFS}\
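Review bot: the added `-DALLOW_MICROSOFT_BAD_PROPOSAL \` line hard-codes the define into pluto's compiler flags, so every build of this Makefile loses the client-subnet check in Quick mode, not only builds for users talking to an MS ISA server. The surrounding lines already follow a pattern for optional features (`${AGGRESSIVE_DEFS}`, `${XAUTH_DEFS}`, `${NAT_DEFS}`), so a make variable set only when the feature is wanted would fit better than a literal, and would let an ebuild toggle it from a USE flag without carrying a source patch. Also worth noting for whoever applies this: the hunk was generated against a renamed `Makefile.org`, so the patch level must be chosen so that it lands on `programs/pluto/Makefile`.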
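Once the define is compiled in, pluto no longer rejects a Quick mode reply whose client subnet differs from what it proposed; the only trace is the pair of log lines quoted in the description. The following Python script, added here as an illustration and not part of the bug report, Openswan, or the patch, scans pluto log text for those two messages, pairs them by state number (`#N`), and labels each mismatch as the NAT case the report describes (our side proposed a private address, the peer answered with a public one) or as something else that deserves a look. The syslog prefix, the connection name `isa-l2tp`, and all sample lines are constructed; the two message texts match the ones quoted above.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample pluto log lines (assumption: syslog prefix and
# connection name "isa-l2tp"; the message texts are the ones in the report).
SAMPLE_LOG = """\
Sep  9 08:10:01 gw pluto[1234]: "isa-l2tp" #2: our client subnet returned doesn't match my proposal - us:192.168.5.49/32 vs them:94.225.227.180/32
Sep  9 08:10:01 gw pluto[1234]: "isa-l2tp" #2: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
Sep  9 08:12:40 gw pluto[1234]: "isa-l2tp" #4: our client subnet returned doesn't match my proposal - us:10.0.0.7/32 vs them:10.0.0.99/32
Sep  9 08:15:03 gw pluto[1234]: "isa-l2tp" #6: IPsec SA established
Sep  9 08:17:22 gw pluto[1234]: "isa-l2tp" #8: our client subnet returned doesn't match my proposal - us:172.16.3.4/32 vs them:172.16.9.9/32
Sep  9 08:17:22 gw pluto[1234]: "isa-l2tp" #8: Allowing questionable proposal anyway [ALLOW_MICROSOFT_BAD_PROPOSAL]
"""

# The mismatch message carries both subnets; the second message only the state.
MISMATCH_RE = re.compile(
    r"#(?P<state>\d+): our client subnet returned doesn't match my proposal"
    r" - us:(?P<us>\S+) vs them:(?P<them>\S+)"
)
ALLOWED_RE = re.compile(
    r"#(?P<state>\d+): Allowing questionable proposal anyway"
    r" \[ALLOW_MICROSOFT_BAD_PROPOSAL\]"
)


def classify_mismatch(us: str, them: str) -> str:
    """Heuristic label for a client-subnet mismatch.

    'nat' when we proposed a private (RFC 1918) address and the peer
    answered with a globally routable one, i.e. the situation the bug
    report describes; 'other' for any other combination.
    """
    us_net = ipaddress.ip_network(us, strict=False)
    them_net = ipaddress.ip_network(them, strict=False)
    if us_net.is_private and them_net.is_global:
        return "nat"
    return "other"


def scan_pluto_log(text: str) -> Dict[int, dict]:
    """Collect one record per pluto state (#N) that logged a subnet mismatch.

    Each record holds both subnets, the heuristic class, and whether the
    ALLOW_MICROSOFT_BAD_PROPOSAL path accepted the proposal anyway.
    """
    findings: Dict[int, dict] = {}
    for line in text.splitlines():
        m = MISMATCH_RE.search(line)
        if m:
            state = int(m.group("state"))
            findings[state] = {
                "us": m.group("us"),
                "them": m.group("them"),
                "class": classify_mismatch(m.group("us"), m.group("them")),
                "allowed": False,
            }
            continue
        a = ALLOWED_RE.search(line)
        if a:
            state = int(a.group("state"))
            # An "allowed" line without a preceding mismatch line is still recorded.
            findings.setdefault(
                state, {"us": None, "them": None, "class": "unknown", "allowed": False}
            )
            findings[state]["allowed"] = True
    return findings


def suspicious_states(findings: Dict[int, dict]) -> List[int]:
    """States accepted despite a mismatch that does not look like the NAT case."""
    return sorted(
        s for s, f in findings.items() if f["allowed"] and f["class"] != "nat"
    )


if __name__ == "__main__":
    result = scan_pluto_log(SAMPLE_LOG)
    for state, rec in sorted(result.items()):
        print(
            f"#{state}: us={rec['us']} them={rec['them']} "
            f"class={rec['class']} allowed={rec['allowed']}"
        )
    print("suspicious:", suspicious_states(result))
```

On the sample input, state #2 is the NAT case and is accepted, #4 mismatches but is not accepted (as an unpatched pluto would behave), and #8 is accepted with two private addresses that differ, which the heuristic reports as worth checking. Feed real pluto output through `scan_pluto_log` to see which SAs were established under the relaxed check.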
Comment 1 Tom Kerremans 2009-09-09 08:21:25 UTC
It's actually not a bug, it's a feature request, sorry.
Comment 2 Wormo (RETIRED) gentoo-dev 2009-09-11 00:04:43 UTC
Boy, this request sure brings back bad memories. Trying to integrate with broken MS IPsec support is truly painful.

Assigning your feature request to openswan maintainer, and you have my sympathies ;)
Comment 3 Alin Năstac (RETIRED) gentoo-dev 2009-09-11 18:58:54 UTC
Yuck... I'm disgusted by this compiler switch, for which upstream didn't have the decency of having a USE switch in the main Makefile. Anyway, Gentoo strives to let users make their choice, so I'll do what you're asking for. Just don't expect me to test this.
 
Fixed in 2.4.15-r1 and 2.6.23 by applying the patch when ms-bad-proposal USE flag is enabled.