Patrick Maheral
01/27/2009 11:23 AM (post20856)
UDP encapsulation and NAT-Traversal
I've been trying to set up IPSec NAT-Traversal, but kept seeing the following messages from racoon:
INFO: 10.0.0.6[4500] used as isakmp port (fd=6)
WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Invalid argument
INFO: 10.0.0.6[500] used as isakmp port (fd=7)
WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
WARNING: NAT-T is enabled in at least one remote{} section,
WARNING: but no 'isakmp_natt' address was specified!
I finally tracked down the reason for the "Invalid argument" error. In sys/netinet/in_proto.c (line 478) the SOCK_DGRAM initialized value of *pr_ctloutput is ip_ctloutput, but I think it should be udp_ctloutput. udp_ctloutput will call ip_ctloutput for non-UDP socket level options, so no functionality should be lost by changing the initializer.
After making the change, racoon is able to set the UDP_ENCAP_ESPINUDP* socket options. I will continue testing and report back. Meanwhile, if anyone has suggestions, warnings, etc., please post them.
Regards,
Patrick
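A quick way to reproduce the failure racoon is complaining about without involving racoon's configuration at all: this small probe is added here and is not part of Patrick's post or of the racoon/NetBSD sources. It makes the same IPPROTO_UDP/UDP_ENCAP setsockopt() call on a fresh UDP socket and maps the result back to the diagnosis above; the EINVAL reading assumes the NetBSD code path the post describes, where an IPPROTO_UDP option that lands in ip_ctloutput() is answered with EINVAL.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>

/* NetBSD and Linux <netinet/udp.h> use the same values; fallback for headers that lack them. */
#ifndef UDP_ENCAP
#define UDP_ENCAP 100
#define UDP_ENCAP_ESPINUDP_NON_IKE 1
#define UDP_ENCAP_ESPINUDP 2
#endif

/* Make the setsockopt() call racoon makes when NAT-T is enabled, on a fresh UDP socket.
 * Returns 0 if the kernel accepted the option, the errno it reported if it refused,
 * or -1 if no UDP socket could be created (probe inconclusive). */
int probe_udp_encap(int encap_mode)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int rc = setsockopt(fd, IPPROTO_UDP, UDP_ENCAP, &encap_mode, sizeof(encap_mode));
    int saved = rc < 0 ? errno : 0;   /* capture errno before close() can clobber it */
    close(fd);
    return saved;
}

/* Interpret the probe result in the terms of the post above. */
const char *explain_probe(int rc)
{
    switch (rc) {
    case 0:           return "accepted: IPPROTO_UDP options reach udp_ctloutput()";
    case -1:          return "no UDP socket; probe inconclusive";
    case EINVAL:      return "EINVAL: option fell through to ip_ctloutput(), the symptom racoon logged";
    case ENOPROTOOPT: return "ENOPROTOOPT: UDP layer saw the option but does not support this mode";
    default:          return "unexpected errno; check strerror()";
    }
}

int main(void)
{
    /* The two modes racoon tries, in the order the log above shows them. */
    int modes[] = { UDP_ENCAP_ESPINUDP, UDP_ENCAP_ESPINUDP_NON_IKE };
    for (int i = 0; i < 2; i++)
        printf("UDP_ENCAP mode %d: %s\n", modes[i], explain_probe(probe_udp_encap(modes[i])));
    return 0;
}
```

Run it before and after rebuilding the kernel with the in_proto.c change: an EINVAL result on the old kernel and an accepted result on the new one confirms the diagnosis independently of racoon.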