An ugly hack which fixes this problem is provided at Nokia VPN (N97) -> raccon -> Nat-T. Since this is the only fix available, we'll go with ugly ...
Basically, the racoon daemon has to be compiled without RFC nat-t support and one source line has to be changed.
I will spell out the procedures outlined above:
Using actual "raw" sources
To compile from source, get the ipsec-tools tarball from the ipsec-tools project page. For compilation I used the following configure options:
    ./configure \
        --enable-hybrid \
        --enable-frag \
        --enable-gssapi \
        --enable-stats \
        --enable-dpd \
        --enable-fastquit \
        --disable-ipv6 \
        --enable-natt \
        --enable-natt-versions=0,1,2,3,4,5,6,7,8 \
        --enable-security-context=kernel
Note the "--enable-natt-versions=0,1,2,3,4,5,6,7,8" switch.
Before compiling, change one line in the file ipsec-tools-0.7.1/src/racoon/nattraversal.c:
--- ipsec-tools-0.7.1/src/racoon/nattraversal.c 2009-12-15 08:01:36.000000000 +0100 +++ ipsec-tools-0.7.1.patched/src/racoon/nattraversal.c 2009-10-11 13:39:36.000000000 +0200 @@ -314,7 +314,7 @@ return; } - if (iph1->natt_options->version < vid_numeric) + if (iph1->natt_options->version == 0) if (natt_fill_options (iph1->natt_options, vid_numeric) == 0) iph1->natt_flags |= NAT_ANNOUNCED; }
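Review bot: the changed condition, `iph1->natt_options->version == 0`, makes the selected NAT-T version depend on the order in which vendor IDs are processed instead of on `vid_numeric`. The removed test `version < vid_numeric` refilled the options whenever a higher-numbered vendor ID arrived; the new one calls natt_fill_options only while version is still 0, so every later vendor ID is ignored. Nothing in the hunk restricts this to the Nokia client, so the behaviour changes for every peer of the rebuilt daemon. A comment above the test stating why first-seen is wanted here, plus braces around the nested if, would make the intent clear to whoever next rebases this against a newer ipsec-tools.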
You can now compile and install. The resulting racoon daemon will accept nat-t connections from a Nokia VPN client.
Using Debian sources
    apt-get install devscripts build-essential fakeroot
    apt-get build-dep racoon
    apt-get source racoon
    cd ipsec-tools*
    dch -l local nokia
- edit debian/rules and add the --enable-natt-versions=0,1,2,3,4,5,6,7,8 option to configure
- patch src/racoon/nattraversal.c as per above
    debuild -us -uc
    dpkg -i ../*.deb