[Openswan] Problem configuring a VPN between Linux and Fortigate? 17/03/2009 06:06:46 (+0700) | #1 | 173440
quanta
Moderator

Joined: 28/07/2006 14:44:21
Messages: 7265
Location: $ locate `whoami`
Hello everyone,

I've run into a small problem configuring Openswan for a VPN from Linux to a Fortigate.

My connection diagram is as follows:
Linux box <----> ADSL Modem <---> Internet <---> Fortigate Firewall 

I installed Openswan with apt-get, so the default IPsec stack is NETKEY:
Code:
$ ipsec version
Linux Openswan U2.4.12/K2.6.27-7-generic (netkey)
See `ipsec --copyright' for copyright information.


In the ipsec.conf configuration file I added one line:
Code:
include /etc/ipsec.d/*.conf 


The file defining the connection to the Fortigate, /etc/ipsec.d/forti.conf:
Code:
conn forti
        leftxauthclient=yes
        rightxauthserver=yes
        left=%defaultroute
        leftsourceip=192.168.1.7
        leftnexthop=192.168.1.1
        leftsubnet=192.168.1.0/24
        right=x.x.x.x
        ike=3des-sha1
        ikelifetime=28800s
        esp=3des-md5
        keylife=3600s
        keyexchange=ike
        authby=secret
        compress=yes
        auto=add


I use preshared keys for authentication. In /etc/ipsec.secrets I added the following line:
Code:
include /etc/ipsec.d/forti.secrets 

The preshared key file /etc/ipsec.d/forti.secrets:
Code:
192.168.1.7 x.x.x.x : PSK "<preshared_keys>"


Checking before starting the VPN:
Code:
$ sudo ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.12/K2.6.27-7-generic (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.d/hostkey.secrets)     [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [N/A]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

I tried bringing the VPN up:
Code:
$ sudo ipsec auto --up forti
[sudo] password for quanta:
Name enter: quan.ta
Enter secret:
104 "forti" #3: STATE_MAIN_I1: initiate
003 "forti" #3: received Vendor ID payload [RFC 3947] method set to=109
003 "forti" #3: received Vendor ID payload [Dead Peer Detection]
003 "forti" #3: received Vendor ID payload [XAUTH]
106 "forti" #3: STATE_MAIN_I2: sent MI2, expecting MR2
003 "forti" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "forti" #3: STATE_MAIN_I3: sent MI3, expecting MR3
004 "forti" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
041 "forti" #3: forti prompt for Username:
040 "forti" #3: forti prompt for Password:
004 "forti" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
004 "forti" #3: STATE_XAUTH_I1: XAUTH client - awaiting CFG_set
117 "forti" #4: STATE_QUICK_I1: initiate
003 "forti" #4: ignoring informational payload, type IPSEC_RESPONDER_LIFETIME
004 "forti" #4: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xa81e9489 <0x958a0e67 xfrm=3DES_0-HMAC_MD5 NATD=xxxx:4500 DPD=none}

The log file /var/log/auth.log shows this:
Code:
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: initiating Main Mode
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: received Vendor ID payload [RFC 3947] method set to=109
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: received Vendor ID payload [Dead Peer Detection]
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: received Vendor ID payload [XAUTH]
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: I did not send a certificate because I do not have one.
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: Main mode peer ID is ID_IPV4_ADDR: 'xxxx'
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: XAUTH username requested, but no file descriptor available for prompt
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: sending encrypted notification CERTIFICATE_UNAVAILABLE to xxxx:4500
Mar 16 16:23:04 quanta-laptop pluto[7629]: "forti" #2: IPsec SA expired (LATEST!)

Checking the connection status:
Code:
$ sudo ipsec auto --status
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.1.7
000 interface eth0/eth0 192.168.1.7
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=(null), ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,648} attrs={0,4,432}
000
000 "forti": 192.168.1.0/24===192.168.1.7[XC+S=C]---192.168.1.1...xxxx[XS+S=C]; erouted; eroute owner: #4
000 "forti": srcip=192.168.1.7; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "forti": ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "forti": policy: PSK+ENCRYPT+COMPRESS+TUNNEL+PFS+UP; prio: 24,32; interface: eth0; encap: esp;
000 "forti": newest ISAKMP SA: #3; newest IPsec SA: #4;
000 "forti": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2); flags=strict
000 "forti": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "forti": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1536
000 "forti": ESP algorithms wanted: 3DES(3)_000-MD5(1); flags=strict
000 "forti": ESP algorithms loaded: 3DES(3)_000-MD5(1); flags=strict
000 "forti": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #4: "forti":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1740s; newest IPSEC; eroute owner
000 #4: "forti" esp.a81e9489@xxxx esp.958a0e67@192.168.1.7 tun.0@xxxx tun.0@192.168.1.7
000 #3: "forti":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 2297s; newest ISAKMP; lastdpd=1s(seq in:0 out:0)
000

I tried a traceroute, but got no result:
Code:
$ traceroute xxxx
traceroute to xxxx, 30 hops max, 40 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Sniffing a few packets on eth0 gives:
Code:
$ sudo tcpdump -vv -n -i eth0 host xxxx
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
16:44:49.559172 IP (tos 0x0, ttl 54, id 34931, offset 0, flags [none], proto UDP (17), length 124) xxxx.4500 > 192.168.1.7.4500: NONESP-encap: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash]
16:44:49.560333 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 116) 192.168.1.7.4500 > xxxx.4500: NONESP-encap: isakmp 1.0 msgid cookie ->: phase 2/others ? inf[E]: [encrypted hash]

In short, I still can't get the VPN working. Could someone help me? I'll provide any further information that's needed.

Thanks, everyone.
Let's build on a great foundation!
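As an added example (not from the original post), a small Python check that reads the `ipsec auto --status` SA lines and the pluto lines from auth.log quoted above and reports where Phase 1 and Phase 2 actually stand. The sample lines are copied from this post; the finding texts are my own wording.

```python
import re

# Constructed sample input: the 'ipsec auto --status' SA lines and the pluto lines from
# auth.log quoted in the post above (peer address masked as xxxx, as in the post).
SAMPLE_STATUS = """\
000 #4: "forti":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1740s; newest IPSEC; eroute owner
000 #3: "forti":4500 STATE_XAUTH_I1 (XAUTH client - awaiting CFG_set); EVENT_SA_REPLACE in 2297s; newest ISAKMP; lastdpd=1s(seq in:0 out:0)
"""
SAMPLE_LOG = """\
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: XAUTH username requested, but no file descriptor available for prompt
Mar 16 16:22:54 quanta-laptop pluto[7629]: "forti" #3: sending encrypted notification CERTIFICATE_UNAVAILABLE to xxxx:4500
Mar 16 16:23:04 quanta-laptop pluto[7629]: "forti" #2: IPsec SA expired (LATEST!)
"""

# '000 #4: "forti":4500 STATE_QUICK_I2 (sent QI2, ...)' -> SA number, conn name, state, description
STATUS_RE = re.compile(r'^000 #(\d+): "([^"]+)"(?::\d+)? (STATE_\w+) \(([^)]*)\)')
# 'pluto[7629]: "forti" #3: message' -> conn name, SA number, message
LOG_RE = re.compile(r'pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')

def parse_status(text):
    """Map SA number -> (conn, state, description) from 'ipsec auto --status' output."""
    sas = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            sas[int(m.group(1))] = (m.group(2), m.group(3), m.group(4))
    return sas

def parse_log(text):
    """Return (conn, SA number, message) for every pluto line in an auth.log excerpt."""
    out = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2)), m.group(3)))
    return out

def diagnose(status_text, log_text):
    """Cross-check Phase 1 against Phase 2 and return human-readable findings."""
    sas = parse_status(status_text)
    findings = []
    # Phase 1 SAs still inside the XAUTH exchange (client waiting for the server's CFG_set)
    stuck = [n for n, (_, st, _) in sas.items() if st.startswith("STATE_XAUTH_I")]
    # Phase 2 SAs that claim to be fully established
    quick_up = [n for n, (_, st, _) in sas.items() if st == "STATE_QUICK_I2"]
    for n in stuck:
        findings.append(f"SA #{n}: Phase 1 still in {sas[n][1]} ({sas[n][2]}); the XAUTH exchange has not completed")
    if stuck and quick_up:
        findings.append(f"SA #{quick_up[0]}: IPsec SA reported established although Phase 1 SA #{stuck[0]} has not finished XAUTH")
    for _, n, msg in parse_log(log_text):
        if "no file descriptor available for prompt" in msg:
            findings.append(f"SA #{n}: pluto had no terminal on which to prompt for the XAUTH username")
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_STATUS, SAMPLE_LOG):
        print(finding)
```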
Re: [Openswan] Problem configuring a VPN between Linux and Fortigate? 17/03/2009 07:49:57 (+0700) | #2 | 173455
centos
Member

Joined: 28/03/2008 17:13:12
Messages: 219
I don't see you (quanta) mentioning anything about the Fortigate firewall's configuration. We're also running a Fortigate firewall here, but when we use IPsec to connect to a Vigor V3300v, no requests from outside can get into the Fortigate's network at all.

So I don't think the problem is necessarily on the Trixbox side; try connecting to the Fortigate with a different VPN and see.
Re: [Openswan] Problem configuring a VPN between Linux and Fortigate? 19/03/2009 01:01:39 (+0700) | #3 | 173668
quanta
Moderator

Joined: 28/07/2006 14:44:21
Messages: 7265
Location: $ locate `whoami`
@centos: FortiClient on Windows still works fine.

After fiddling with NETKEY without success, I switched to KLIPS. But I already ran into a problem at the very first step, patching NAT-T.
I'm using openswan-2.6.20.tar.gz and linux-source-2.6.27.tar.bz2 (available in /usr/src on Ubuntu).

Extract and create a soft link:
Code:
cd /usr/src
tar zxvf openswan-2.6.20.tar.gz
tar jxvf linux-source-2.6.27.tar.bz2
ln -s linux-source-2.6.27 linux

Set the KERNELSRC environment variable:
Code:
export KERNELSRC=/usr/src/linux

Create the patch file with:
Code:
cd openswan-2.6.20
make nattpatch > ../nat-t.patch

The contents of this file:
Code:
cat nat-t.patch 
if [ -f /usr/src/linux/Makefile ]; then \
		make nattpatch2.6; \
	else	echo "Cannot determine Linux kernel version. Perhaps you need to set KERNELSRC? (eg: export KERNELSRC=/usr/src/linux-`uname -r`/)"; exit 1; \
	fi;
make[1]: Entering directory `/usr/src/openswan-2.6.20'
packaging/utils/nattpatch 2.6
--- /dev/null   Tue Mar 11 13:02:56 2003
+++ nat-t/include/net/xfrmudp.h     Mon Feb  9 13:51:03 2004
@@ -0,0 +1,11 @@
+/*
+ * pointer to function for type that xfrm4_input wants, to permit
+ * decoupling of XFRM from udp.c
+ */
+#define HAVE_XFRM4_UDP_REGISTER
+
+typedef int (*xfrm4_rcv_encap_t)(struct sk_buff *skb, __u16 encap_type);
+extern int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t *oldfunc);
+extern int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func
+				      , xfrm4_rcv_encap_t oldfunc);
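Review bot: the new header `include/net/xfrmudp.h` has no include guard and uses `struct sk_buff` and `__u16` without including or forward-declaring anything, so it only compiles if the includer already pulled in `<linux/skbuff.h>`. Wrap it in `#ifndef _NET_XFRMUDP_H` / `#define _NET_XFRMUDP_H` / `#endif` and add a `struct sk_buff;` forward declaration so it does not depend on include order in `udp.c`.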
--- /distros/kernel/linux-2.6.11.2/net/ipv4/Kconfig	2005-03-09 03:12:33.000000000 -0500
+++ swan26/net/ipv4/Kconfig	2005-04-04 18:46:13.000000000 -0400
@@ -351,2 +351,8 @@
 
+config IPSEC_NAT_TRAVERSAL
+	bool "IPSEC NAT-Traversal (KLIPS compatible)"
+	depends on INET
+	---help---
+          Includes support for RFC3947/RFC3948 NAT-Traversal of ESP over UDP.
+
 config IP_TCPDIAG
--- plain26/net/ipv4/udp.c.orig	2006-12-28 20:53:17.000000000 -0500
+++ plain26/net/ipv4/udp.c	2007-05-11 10:22:50.000000000 -0400
@@ -108,6 +108,7 @@
 #include <net/inet_common.h>
 #include <net/checksum.h>
 #include <net/xfrm.h>
+#include <net/xfrmudp.h>
 
 /*
  *	Snmp MIB for the UDP layer
@@ -881,6 +882,31 @@
 	sk_common_release(sk);
 }
 
+#if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+
+static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+			       , xfrm4_rcv_encap_t *oldfunc)
+{
+  if(oldfunc != NULL) {
+    *oldfunc = xfrm4_rcv_encap_func;
+  }
+
+  xfrm4_rcv_encap_func = func;
+  return 0;
+}
+
+int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func, xfrm4_rcv_encap_t old)
+{
+  if(xfrm4_rcv_encap_func != func)
+    return -1;
+
+  xfrm4_rcv_encap_func = old;
+  return 0;
+}
+#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
+
+
 /* return:
  * 	1  if the the UDP system should process it
  *	0  if we should drop this packet
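Review bot: `xfrm4_rcv_encap_func` is a plain global written by `udp4_register_esp_rcvencap()` and read on the packet path in `udp_encap_rcv()` with no locking or barrier, and `udp4_unregister_esp_rcvencap()` returns a bare `-1` instead of an errno value such as `-EINVAL`. The closing `#endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */` comment also names `CONFIG_XFRM_MODULE` while the `#if` above tests `CONFIG_XFRM`; make the two agree.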
@@ -888,9 +914,9 @@
  */
 static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
 {
-#ifndef CONFIG_XFRM
+#if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
 	return 1; 
-#else
+#else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
 	struct udp_sock *up = udp_sk(sk);
   	struct udphdr *uh;
 	struct iphdr *iph;
@@ -1018,10 +1044,27 @@
 			return 0;
 		}
 		if (ret < 0) {
-			/* process the ESP packet */
-			ret = xfrm4_rcv_encap(skb, up->encap_type);
-			UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
-			return -ret;
+ 			if(xfrm4_rcv_encap_func != NULL)
+				ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+	
+			switch(ret) {
+			case 1:
+				/* FALLTHROUGH to send-up */;
+				break;
+				
+			case 0:
+                                /* PROCESSED, free it */
+				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+				return 0;
+				
+			case -1:
+				/* PACKET wasn't for _func, or no func, pass it
+				 * to stock function
+				 */
+				ret = xfrm4_rcv_encap(skb, up->encap_type);
+				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+				return -ret;
+			}
 		}
 		/* FALLTHROUGH -- it's a UDP Packet */
 	}
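Review bot: inside `if (ret < 0)` the new `switch(ret)` handles only 1, 0 and -1; when no hook is registered, `ret` keeps whatever negative value the earlier check left in it, and any value other than -1 falls out of the switch so the packet continues to the `/* FALLTHROUGH -- it's a UDP Packet */` path instead of reaching the stock `xfrm4_rcv_encap()` that the removed lines always called. Add a `default:` that takes the stock path, and drop the stray `;` after the `/* FALLTHROUGH to send-up */` comment.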
@@ -1110,7 +1153,6 @@
 /*
  *	All we need to do is get the socket, and then do a checksum. 
  */
- 
 int udp_rcv(struct sk_buff *skb)
 {
   	struct sock *sk;
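Review bot: this hunk only removes a whitespace line before `udp_rcv()` and has nothing to do with NAT-T; it is also one of the hunks that fails against 2.6.27 (`Hunk #5 FAILED at 1153` in the patch output further down), so dropping it from the patch removes one reject at no cost.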
@@ -1599,3 +1641,9 @@
 EXPORT_SYMBOL(udp_proc_register);
 EXPORT_SYMBOL(udp_proc_unregister);
 #endif
+
+#if defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+EXPORT_SYMBOL(udp4_register_esp_rcvencap);
+EXPORT_SYMBOL(udp4_unregister_esp_rcvencap);
+#endif
+
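Review bot: the two functions are compiled whenever `CONFIG_XFRM` or `CONFIG_IPSEC_NAT_TRAVERSAL` is set (hunk at line 882), but exported only under `CONFIG_IPSEC_NAT_TRAVERSAL`; with `CONFIG_XFRM` alone the symbols exist but a KLIPS module cannot link against them. Use the same condition in both places, and consider `EXPORT_SYMBOL_GPL` for a kernel-internal hook like this.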
make[1]: Leaving directory `/usr/src/openswan-2.6.20'

Apply the patch:
Code:
cd ../linux
cat ../nat-t.patch | patch -p1
patching file include/net/xfrmudp.h
patching file net/ipv4/Kconfig
Hunk #1 succeeded at 351 with fuzz 1.
patching file net/ipv4/udp.c
Hunk #1 FAILED at 108.
Hunk #2 FAILED at 882.
Hunk #3 FAILED at 914.
Hunk #4 FAILED at 1044.
Hunk #5 FAILED at 1153.
Hunk #6 succeeded at 1789 (offset 148 lines).
5 out of 6 hunks FAILED -- saving rejects to file net/ipv4/udp.c.rej

My udp.c.rej looks like this:
Code:
***************
*** 108,113 ****
  #include <net/inet_common.h>
  #include <net/checksum.h>
  #include <net/xfrm.h>
  
  /*
   *	Snmp MIB for the UDP layer
--- 108,114 ----
  #include <net/inet_common.h>
  #include <net/checksum.h>
  #include <net/xfrm.h>
+ #include <net/xfrmudp.h>
  
  /*
   *	Snmp MIB for the UDP layer
***************
*** 881,886 ****
  	sk_common_release(sk);
  }
  
  /* return:
   * 	1  if the the UDP system should process it
   *	0  if we should drop this packet
--- 882,912 ----
  	sk_common_release(sk);
  }
  
+ #if defined(CONFIG_XFRM) || defined(CONFIG_IPSEC_NAT_TRAVERSAL)
+ 
+ static xfrm4_rcv_encap_t xfrm4_rcv_encap_func = NULL;
+ int udp4_register_esp_rcvencap(xfrm4_rcv_encap_t func
+ 			       , xfrm4_rcv_encap_t *oldfunc)
+ {
+   if(oldfunc != NULL) {
+     *oldfunc = xfrm4_rcv_encap_func;
+   }
+ 
+   xfrm4_rcv_encap_func = func;
+   return 0;
+ }
+ 
+ int udp4_unregister_esp_rcvencap(xfrm4_rcv_encap_t func, xfrm4_rcv_encap_t old)
+ {
+   if(xfrm4_rcv_encap_func != func)
+     return -1;
+ 
+   xfrm4_rcv_encap_func = old;
+   return 0;
+ }
+ #endif /* CONFIG_XFRM_MODULE || CONFIG_IPSEC_NAT_TRAVERSAL */
+ 
+ 
  /* return:
   * 	1  if the the UDP system should process it
   *	0  if we should drop this packet
***************
*** 888,896 ****
   */
  static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
  {
- #ifndef CONFIG_XFRM
  	return 1; 
- #else
  	struct udp_sock *up = udp_sk(sk);
    	struct udphdr *uh;
  	struct iphdr *iph;
--- 914,922 ----
   */
  static int udp_encap_rcv(struct sock * sk, struct sk_buff *skb)
  {
+ #if !defined(CONFIG_XFRM) && !defined(CONFIG_IPSEC_NAT_TRAVERSAL)
  	return 1; 
+ #else /* either CONFIG_XFRM or CONFIG_IPSEC_NAT_TRAVERSAL */
  	struct udp_sock *up = udp_sk(sk);
    	struct udphdr *uh;
  	struct iphdr *iph;
***************
*** 1018,1027 ****
  			return 0;
  		}
  		if (ret < 0) {
- 			/* process the ESP packet */
- 			ret = xfrm4_rcv_encap(skb, up->encap_type);
- 			UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
- 			return -ret;
  		}
  		/* FALLTHROUGH -- it's a UDP Packet */
  	}
--- 1044,1070 ----
  			return 0;
  		}
  		if (ret < 0) {
+  			if(xfrm4_rcv_encap_func != NULL)
+ 				ret = (*xfrm4_rcv_encap_func)(skb, up->encap_type);
+ 	
+ 			switch(ret) {
+ 			case 1:
+ 				/* FALLTHROUGH to send-up */;
+ 				break;
+ 				
+ 			case 0:
+                                 /* PROCESSED, free it */
+ 				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+ 				return 0;
+ 				
+ 			case -1:
+ 				/* PACKET wasn't for _func, or no func, pass it
+ 				 * to stock function
+ 				 */
+ 				ret = xfrm4_rcv_encap(skb, up->encap_type);
+ 				UDP_INC_STATS_BH(UDP_MIB_INDATAGRAMS);
+ 				return -ret;
+ 			}
  		}
  		/* FALLTHROUGH -- it's a UDP Packet */
  	}
***************
*** 1110,1116 ****
  /*
   *	All we need to do is get the socket, and then do a checksum. 
   */
-  
  int udp_rcv(struct sk_buff *skb)
  {
    	struct sock *sk;
--- 1153,1158 ----
  /*
   *	All we need to do is get the socket, and then do a checksum. 
   */
  int udp_rcv(struct sk_buff *skb)
  {
    	struct sock *sk;

Someone at http://lists.virus.org/users-openswan-0806/msg00104.html hit the same error as me. Paul there suggested trying to "apply it by hand". But honestly, I'm bad at C and have no idea how to do that. Could someone show me how?

One way or another, I have to get the NAT-T patch applied before I can move on.

P.S.: I tried with the latest kernel, 2.6.28.8, and still get the same error.
Let's build on a great foundation!