[vpn-devel] [Patch] Interface / address issues.

Zephaniah E. Loss-Cutler-Hull zhull at jetpay.com
Thu Apr 8 17:32:57 CDT 2010


So, our setup:

Cisco PIX on the remote end, RSA key exchange plus xauth.

On the local end is a Linux box, x86-64 Ubuntu 9.10, with a 2.6.33.2 kernel.

With stock ike we manage to connect, the tunnel gets set up, and tcpdump
shows that packets we send reach the other side, and that we get the
decrypted response packets back on the primary interface (eth0 in our
main test case), and then the kernel drops those packets on the floor.

Regardless of iptables setup, packets coming in the wrong interface are
discarded, and this renders ike non-functional.

From our perspective, the easiest fix was the attached patch (against
SVN head), which allows the specification of a script to run to do the
adding/removing of addresses, along with some modifications to allow
arbitrary interface strings to be passed through.

This script uses ip from the iproute package to add and remove addresses
from the given interface; it also understands the interface 'default' to
mean the interface attached to the default route.

Due to things being somewhat intertwined in the diff, this patch also
fixes a typo in vpna/sites.ui (adpter vs adapter, with the code
expecting adapter), and throws the UpdateAuthentication call into
vpna/sites.cpp (ikeaSite::load) between parsing auth-method and
ident-client-type.

An example script is attached as well.

This has been tested, and works quite well in our environment.

This is all Copyright (C) 2010 JetPay, LLC, under the license currently
at the top of each patched file.

(A more permissive license should be possible if Screw Soft needs it.)

Zephaniah E. Loss-Cutler-Hull.
Sr. Engineer.
JetPay, LLC.
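The mail describes the attached address script only in outline (it calls iproute2's `ip` to add and remove the tunnel address on a named interface, and treats the string `default` as "the device carrying the default route"). The script below is an added illustration of that design, not the jp_ike.diff attachment or any Shrew Soft code; the calling convention `add|del <interface|default> <address/prefix>` and the `DRY_RUN` switch are assumptions. Because such a hook runs as root with an interface string taken from the site configuration, it validates the device name and address and passes them to `ip` as separate arguments rather than through a shell string.

```shell
#!/bin/sh
# Added example (not the script attached to the original mail).
# Assumed usage:  jp_ike_addr.sh add|del <interface|default> <address/prefix>
# Set DRY_RUN=1 to print the ip command instead of executing it.

# Take the text of `ip route show default` and print the device of the first
# default route, e.g. "default via 192.0.2.1 dev eth0 proto static" -> eth0.
iface_from_default_route() {
    printf '%s\n' "$1" | awk '/^default/ {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# Map the interface string from the config to a real device name.
resolve_iface() {
    if [ "$1" = "default" ]; then
        iface_from_default_route "$(ip route show default 2>/dev/null)"
    else
        printf '%s\n' "$1"
    fi
}

# Accept only plausible Linux device names; reject empty strings and anything
# containing whitespace or shell metacharacters.
valid_iface() {
    case "$1" in
        "" | *[!A-Za-z0-9_.:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only addresses of the form addr/prefix made of hex digits, dots,
# colons and one slash (covers IPv4 and IPv6; does not fully validate them).
valid_addr() {
    case "$1" in
        "" | */*/* | *[!0-9A-Fa-f.:/]*) return 1 ;;
        */*) return 0 ;;
        *) return 1 ;;
    esac
}

# Render the ip command as a string; used for dry runs and for testing
# without root. The real invocation below never goes through eval.
build_ip_cmd() {
    case "$1" in
        add|del) printf 'ip address %s %s dev %s\n' "$1" "$3" "$2" ;;
        *) return 1 ;;
    esac
}

# $1: add|del   $2: interface string from the config   $3: address/prefix
do_addr() {
    case "$1" in
        add|del) ;;
        *) echo "action must be add or del" >&2; return 1 ;;
    esac
    dev=$(resolve_iface "$2")
    valid_iface "$dev" || { echo "bad interface: '$2'" >&2; return 1; }
    valid_addr "$3"    || { echo "bad address: '$3'" >&2; return 1; }
    if [ -n "$DRY_RUN" ]; then
        build_ip_cmd "$1" "$dev" "$3"
    else
        # Arguments are passed directly to ip, never re-parsed by a shell.
        ip address "$1" "$3" dev "$dev"
    fi
}

# Run as a hook when invoked with three arguments; do nothing when sourced.
if [ $# -eq 3 ]; then
    do_addr "$1" "$2" "$3"
    exit $?
fi
```

Resolving `default` from `ip route show default` means the address follows whatever device currently carries the default route, which is what the mail's setup needs when decrypted replies arrive on eth0 rather than on the tunnel interface.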
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jp_ike.diff
Type: text/x-patch
Size: 12538 bytes
Desc: not available
URL: <https://lists.shrew.net/pipermail/vpn-devel/attachments/20100408/5a93b650/attachment-0004.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 899 bytes
Desc: OpenPGP digital signature
URL: <https://lists.shrew.net/pipermail/vpn-devel/attachments/20100408/5a93b650/attachment-0005.bin>

