OpenBSD Journal

Steps towards support for NAT-Traversal and DPD in isakmpd

Contributed by grey

Thanks to Foxy for writing in:

According to the latest CVS log, Håkan Olsson has started adding NAT-Traversal and Dead-Peer-Detection to the isakmpd daemon for IKE/IPsec:

CVSROOT:	/cvs
Module name:	src
Changes by:	ho@cvs.openbsd.org	2004/06/20 09:24:05

Modified files:
	sbin/isakmpd   : Makefile exchange.h ike_phase_1.c init.c 
	                 ipsec.c isakmp.h isakmp_fld.fld message.c 
	                 policy.c transport.c transport.h udp.c udp.h 
	                 util.c util.h 
Added files:
	sbin/isakmpd   : nat_traversal.c nat_traversal.h udp_encap.c 
	                 udp_encap.h virtual.c virtual.h 
	sbin/isakmpd/features: nat_traversal 

Log message:
NAT-Traversal for isakmpd. Work in progress...
hshoexer@ ok.

CVSROOT:	/cvs
Module name:	src
Changes by:	ho@cvs.openbsd.org	2004/06/20 09:20:07

Modified files:
	sbin/isakmpd   : exchange.c isakmp_num.cst sa.h 
Added files:
	sbin/isakmpd   : dpd.c dpd.h 
	sbin/isakmpd/features: dpd 

Log message:
A start towards Dead Peer Detection (DPD) support, as specified in RFC 3706

Great news :-)


Comments
  1. By Anonymous Coward (213.119.4.16)

    So what makes NAT-T legal, suddenly?

    Comments
    1. By Anonymous Coward (64.81.74.226)

      yeah, did Cisco drop the patent issues?

    2. By Anonymous Coward (209.162.224.62)

      It was never illegal. Just because someone claims they have a pending application for a patent doesn't make doing that illegal. If ssh.com is awarded the patent, then it would matter. And even then, it would make more sense to compile some documentation and expert opinions, and then file a re-examination request for the patent to have it revoked, than to not implement NAT-T.

      Comments
      1. By Anonymous Coward (216.27.182.22)

        Whatever. The OBSD developers were pretty clear in their refusal to deal with NAT-T until the patent issues were resolved:

        On Wed, Jul 30, 2003 at 10:25:01AM +0200, Markus Friedl wrote:

        > I understand the patent issues with SSH re: NAT Traversal. However, the
        > lack of this feature is holding back any use of isakmpd on our OpenBSD
        > firewalls-- we're forced to use a separate FreeSWAN box. :( Any plans to
        > incorporate the NAT-T draft this year?

        We'll release NAT-T after you've resolved those patent issues.

        Thanks! So why the change of heart?

        Comments
        1. By Anonymous Coward (209.5.161.221)

          How can the most trivial of udp encapsulations be patentable?

          Comments
          1. By Anonymous Coward (64.81.74.226)

            But any mention of "when is NAT-T due" led to smart-ass comments like the above. So, obviously, there were some issues.

  2. By Anonymous Coward (67.153.107.130)

    I wonder how feasible it would be to create a generalized state synchronization protocol that could carry not only pf or IPsec state, but both of those, as well as bridge state, ARP cache, ftp-proxy state, etc., etc. Obviously there would need to be a ton of kernel modification, but it would be neato mosquito.

  3. By Anonymous Coward (206.47.145.36)

    This is so good. As someone who routinely needs to locate OpenBSD routers temporarily on 3rd party networks to facilitate VPNs, this one feature would be totally invaluable. Thank you Håkan! Keep up the good work!

  4. By cellx (209.49.5.252)

    I don't know if this is a *wishlist* but I would like to see:

    PPTP Passthrough
    IPSEC Passthrough

    I know you can create a PPTP map but I would like to see what my $50 Linksys can do... . cents
