From 585bfa9a7ba9d9e08d53b891bc6514605129ed1b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
Date: Fri, 5 Jun 2015 10:22:12 +0300
Subject: main/strongswan: don't set gre ports for SPDs workaround for certain dmvpn issues due to not supporting grekey handling in charon.
---
...nel-netlink-ignore-ports-for-gre-protocol.patch | 36 ++++++++++++++++++++++
main/strongswan/APKBUILD | 6 +++-
2 files changed, 41 insertions(+), 1 deletion(-)
create mode 100644 main/strongswan/0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
(limited to 'main/strongswan')
diff --git a/main/strongswan/0005-kernel-netlink-ignore-ports-for-gre-protocol.patch b/main/strongswan/0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
new file mode 100644
index 0000000000..9d0247b8fa
--- /dev/null
+++ b/main/strongswan/0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
@@ -0,0 +1,36 @@
+From 9645c87adbfcbfba2ace8a51a5df31448512112c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Timo=20Ter=C3=A4s?=
+Date: Fri, 5 Jun 2015 10:19:38 +0300
+Subject: [PATCH] kernel-netlink: ignore ports for gre protocol
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Netlink supports matching a grekey from using the port data. But
+charon does not handle grekey negotiation currently, so just ignore
+them for now.
+
+Signed-off-by: Timo Teräs
+---
+ src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+index f22e07d..5ce6b32 100644
+--- a/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
++++ b/src/libhydra/plugins/kernel_netlink/kernel_netlink_ipsec.c
+@@ -754,6 +754,11 @@ static struct xfrm_selector ts2selector(traffic_selector_t *src,
+ sel.sport = htons(port & 0xff);
+ sel.dport = htons(port >> 8);
+ }
++ else if (sel.proto == IPPROTO_GRE)
++ {
++ sel.sport = sel.dport = 0;
++ sel.sport_mask = sel.dport_mask = 0;
++ }
+ sel.ifindex = 0;
+ sel.user = 0;
+
+--
+2.4.2
+
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD
index 4860b5d85c..52d844e980 100644
--- a/main/strongswan/APKBUILD
+++ b/main/strongswan/APKBUILD
@@ -3,7 +3,7 @@
 pkgname=strongswan
 pkgver=5.3.1
 _pkgver=${pkgver//_rc/rc}
-pkgrel=1
+pkgrel=2
 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE"
 url="http://www.strongswan.org/"
 arch="all"
@@ -20,6 +20,7 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2
 0002-vici-send-certificates-for-ike-sa-events.patch
 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 0004-vici-support-asynchronous-initiation.patch
+ 0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
 strongswan.initd
 charon.initd"
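Review bot: The new `else if (sel.proto == IPPROTO_GRE)` branch that the bundled 0005 patch adds to `ts2selector` in kernel_netlink_ipsec.c has no comment, so the reason for it is recorded only in the patch description. Zeroing both ports and both masks makes the installed selector match every GRE packet between the selector's addresses; since the description says netlink matches a GRE key through the port data, a traffic selector carrying such a key presumably no longer narrows the kernel policy, and keyed tunnels between the same pair of hosts would end up under one policy. I would put `/* charon cannot negotiate GRE keys yet: drop the port-encoded key so the policy covers all GRE between these addresses */` above the branch so the widening is visible to whoever later adds key negotiation. `ts2selector` starts before and continues after the hunk, so how `port` is derived for this protocol cannot be checked from here.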
@@ -107,6 +108,7 @@ e553c5e9a895a2d95b1cbc33407d64a0 0001-charon-add-optional-source-and-remote-ove
 8bea05feac6f4e90c4973b2459864437 0002-vici-send-certificates-for-ike-sa-events.patch
 125c4e648f73b0dbdaa741ac13ed6d87 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 f65811bd1ae6e7f98cf9d76928a0aa03 0004-vici-support-asynchronous-initiation.patch
+8616a8800d40662176214df4749d6780 0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
 85ebc1b6c6b9c0c6640d8136e97da8e1 strongswan.initd
 7962a720ebef6892d80a3cbdab72c204 charon.initd"
 sha256sums="83fa7b004e65356ff5bb755d9d0e03901d578a99e90b6328a350a4335a32f6de strongswan-5.3.1.tar.bz2
@@ -114,6 +116,7 @@ a472df28677d4f43a063926a65b52b317dfca0b74f8c6a2e3bf852b94fbf5f0f 0001-charon-ad
 c1cfe3d1e3345238e125a46a492f8dc0800aa3dc75aea060d54cdbab35fd60cb 0002-vici-send-certificates-for-ike-sa-events.patch
 4e08d4fe01717de0601411b4756141394ced2d3107adc47f2c2beac2f92a967e 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 42171ee35e7679fe3d4efb80fdb121b0a7ea8df5cf3395bbcccb97d56327027c 0004-vici-support-asynchronous-initiation.patch
+3c2e91b6bdf051ecba3c2c9c5575b617998eb471a4b570c9c5c4e59505599439 0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
 ad43d1ed2585d84e12ad1e67fbdfe93983c424c5c64b230d5027c0aae496c65f strongswan.initd
 97b018796f0f15106b70694449cff36e8fc586292aab09ef83a05c0c13142e73 charon.initd"
 sha512sums="b789c18de1fa6663d8140c4173c2fe9b668e7741098340aad439e7346d4542df702f59760d1886d82d68c070ebde3121b5b29ccdab031876399d0d5d771f1381 strongswan-5.3.1.tar.bz2
@@ -121,5 +124,6 @@ sha512sums="b789c18de1fa6663d8140c4173c2fe9b668e7741098340aad439e7346d4542df702f
 ca6eec72f75f243234baa1b361ab6dba82a810d1efb01dbcfd16cd7ce104c3f18fb932c1f6f280a566bfcbe16bc67d7d55e024f72c9eef82a62fe78505293c5c 0002-vici-send-certificates-for-ike-sa-events.patch
 2e28af9043cab41f16c57f41ccb65b6591ec32d50a811bd393c4dcf7f0ffe81fac67679c41b716dfc74fca9ebedd178fe0b572b1c2cda3ccc685a0ad0d02f65a 0003-vici-add-support-rekeying-events-and-individual-sa-s.patch
 39e4a9839b2f6f42f662620b20697c684b90949622f8cc21c393ca55ab40e669befd1d2055e0f0c799cf37733a37bbf4df2b9cebc984a45bb66ecba6fa0ef116 0004-vici-support-asynchronous-initiation.patch
+e93856948afbb331c4faa32a008e2948088107b45585d52d67b40aaa819e76246096fc4e71d30ef9b7f41f7e5b41bf58b804569e313c1cb8b0e2e29f6391580e 0005-kernel-netlink-ignore-ports-for-gre-protocol.patch
 b56008c07b804dacb3441d3802880058986ab7b314297fe485649a771861885b9232f9fd53b94faa3388a5e9330e2b38a86af5c04f3ff119199720043967ec64 strongswan.initd
 6f3abaaa8da0925f06cdd184fdf534518e40c49533dba427dbf31dbe88172e5626bdc9aadf798d791f82fbded08801c1f565d514e2c289e1f28448d0c2e72b79 charon.initd"
-- cgit v1.2.3