Forum Topic - UDP encapsulation and NAT-Traversal: (4 Items)
   
UDP encapsulation and NAT-Traversal  
I've been trying to set up IPSec NAT-Traversal, but kept seeing the following messages from racoon:

INFO: 10.0.0.6[4500] used as isakmp port (fd=6)
WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Invalid argument
INFO: 10.0.0.6[500] used as isakmp port (fd=7)
WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
WARNING: NAT-T is enabled in at least one remote{} section,
WARNING: but no 'isakmp_natt' address was specified!

I finally tracked down the reason for the "Invalid argument" error.  In

    sys/netinet/in_proto.c (line 478)

the SOCK_DGRAM initialized value of *pr_ctloutput is ip_ctloutput, but I think it should be udp_ctloutput.  
udp_ctloutput will call ip_ctloutput for non-UDP socket level options, so no functionality should be lost by changing 
the initializer.

After making the change, racoon is able to set the UDP_ENCAP_ESPINUDP* socket options.   I will continue testing and 
report back.  Meanwhile, if anyone has suggestions, warnings, etc., please post them.

Regards,
Patrick
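
The dispatch problem described in the post above, as an added user-space model (not part of the original thread, and not QNX or NetBSD source). Every `model_`/`MODEL_` name, the option numbers, and the assumption that the IP handler returns EINVAL for any level other than IPPROTO_IP are illustrative, chosen to match the "Invalid argument" racoon reported.

```c
#include <errno.h>
#include <netinet/in.h>   /* IPPROTO_IP, IPPROTO_UDP */
#include <stdio.h>

/* Placeholder option numbers for this model only, not taken from any header. */
enum { MODEL_UDP_ENCAP = 100, MODEL_ESPINUDP = 2, MODEL_IP_TOS = 3 };

/* Reduced stand-in for a protocol switch entry: only the ctloutput hook. */
struct model_protosw {
    int (*pr_ctloutput)(int level, int optname, int *encap_state, int val);
};

/* IP-level handler: rejects every level other than IPPROTO_IP (assumption). */
static int model_ip_ctloutput(int level, int optname, int *encap_state, int val)
{
    (void)encap_state; (void)val;
    if (level != IPPROTO_IP)
        return EINVAL;
    return optname == MODEL_IP_TOS ? 0 : ENOPROTOOPT;
}

/* UDP-level handler: owns IPPROTO_UDP options, delegates the rest to IP. */
static int model_udp_ctloutput(int level, int optname, int *encap_state, int val)
{
    if (level != IPPROTO_UDP)
        return model_ip_ctloutput(level, optname, encap_state, val);
    if (optname != MODEL_UDP_ENCAP)
        return ENOPROTOOPT;
    *encap_state = val;   /* record the requested ESP-in-UDP mode */
    return 0;
}

/* SOCK_DGRAM entry with the initializer from the post, and with the fix. */
static const struct model_protosw dgram_before = { model_ip_ctloutput };
static const struct model_protosw dgram_after  = { model_udp_ctloutput };

/* The three calls of interest; each returns 0 or an errno value. */
int encap_before(int *st) { return dgram_before.pr_ctloutput(IPPROTO_UDP, MODEL_UDP_ENCAP, st, MODEL_ESPINUDP); }
int encap_after(int *st)  { return dgram_after.pr_ctloutput(IPPROTO_UDP, MODEL_UDP_ENCAP, st, MODEL_ESPINUDP); }
int tos_after(int *st)    { return dgram_after.pr_ctloutput(IPPROTO_IP, MODEL_IP_TOS, st, 0); }

int main(void)
{
    int st = 0;
    printf("UDP_ENCAP via ip handler:  errno %d\n", encap_before(&st));
    printf("UDP_ENCAP via udp handler: errno %d, state %d\n", encap_after(&st), st);
    printf("IP option via udp handler: errno %d\n", tos_after(&st));
    return 0;
}
```
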
RE: UDP encapsulation and NAT-Traversal  
Hi Patrick:
	Looks like you're right on that one.  I went back and looked at
the original NetBSD source
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/in_proto.c

We originally started out with a much earlier rev of NetBSD. It looks
like the NAT traversal fix was introduced in Rev 1.68.  We must have
missed that during one of the upgrade stages and didn't subsequently fix
it.  I'll get a PR created for it and we'll take a quick look to see if
there was a reason for not picking it up.

	Robert.

-----Original Message-----
From: Patrick Maheral [mailto:community-noreply@qnx.com] 
Sent: Tuesday, January 27, 2009 11:24 AM
To: technology-networking
Subject: UDP encapsulation and NAT-Traversal

I've been trying to set up IPSec NAT-Traversal, but kept seeing the
following messages from racoon:

INFO: 10.0.0.6[4500] used as isakmp port (fd=6)
WARNING: setsockopt(UDP_ENCAP_ESPINUDP): UDP_ENCAP Invalid argument
INFO: 10.0.0.6[500] used as isakmp port (fd=7)
WARNING: setsockopt(UDP_ENCAP_ESPINUDP_NON_IKE): UDP_ENCAP Invalid argument
WARNING: NAT-T is enabled in at least one remote{} section,
WARNING: but no 'isakmp_natt' address was specified!

I finally tracked down the reason for the "Invalid argument" error.  In

    sys/netinet/in_proto.c (line 478)

the SOCK_DGRAM initialized value of *pr_ctloutput is ip_ctloutput, but I
think it should be udp_ctloutput.  udp_ctloutput will call ip_ctloutput
for non-UDP socket level options, so no functionality should be lost by
changing the initializer.

After making the change, racoon is able to set the UDP_ENCAP_ESPINUDP*
socket options.   I will continue testing and report back.  Meanwhile,
if anyone has suggestions, warnings, etc., please post them.

Regards,
Patrick

_______________________________________________
Technology
http://community.qnx.com/sf/go/post20856
RE: UDP encapsulation and NAT-Traversal  
For future reference, PR 64952 has been created to track this.  (And
thanks for tracking down the problem for us! It's very much
appreciated.)

	Robert.


-----Original Message-----
From: Robert Craig 
Sent: Tuesday, January 27, 2009 11:46 AM
To: 'post20856@community.qnx.com'
Subject: RE: UDP encapsulation and NAT-Traversal

Hi Patrick:
	Looks like you're right on that one.  I went back and looked at
the original NetBSD source
http://cvsweb.netbsd.org/bsdweb.cgi/src/sys/netinet/in_proto.c

We originally started out with a much earlier rev of NetBSD. It looks
like the NAT traversal fix was introduced in Rev 1.68.  We must have
missed that during one of the upgrade stages and didn't subsequently fix
it.  I'll get a PR created for it and we'll take a quick look to see if
there was a reason for not picking it up.

	Robert.

Re: UDP encapsulation and NAT-Traversal  
On Tue, Jan 27, 2009 at 11:51:50AM -0500, Robert Craig wrote:
> For future reference, PR 64952 has been created to track this.  (And
> thanks for tracking down the problem for us! It's very much
> appreciated.)
> 

The fix is checked in.

Thanks again,

-seanb