[vpnc-devel] patches for dpd and disconnect-problem
Wolfgang Astleitner
wolfgang.astleitner at jku.at
Fri Sep 7 10:56:17 CEST 2007
we're currently integrating sonicwall support into vpnc.
status:
working fine
tested / verified:
+ dpd-detection
+ NAT-T
+ Linux Kernel 2.6
+ MacOS X
+ Sonicwall PRO 4060
+ Cisco IOS switch 6509 (w/ K9 (3DES)-image)
not supported at the moment:
- no ISAKMP_DHCP (thus fixed IP address required for tunnel at init.-time)
as sonicwall doesn't support ISAKMP_MODECFG for dyn. IP assignment.
on the way to this status we've faced (and solved) some problems with
current vpnc-implementation (the main patch for sonicwall-integration
still needs some more beautifying and will be contributed soon (maybe
with ISAKMP_DHCP support if we manage to implement it))
* dead peer detection didn't work because sonicwall didn't like the
non-hashed request.
we simply replaced the call to send_phase2_late (unhashed request) with
sendrecv_phase2 (hashed request) in send_dpd() and it worked like a
charm with both sonicwall and cisco:
in send_dpd():
- send_phase2_late(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid);
+ /* 2007-09-06 JKU/ZID: sonicwall drops non hashed ack-requests */
+ sendrecv_phase2(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid,
+ 1 , NULL, NULL, NULL, 0, NULL, 0);
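Review bot: the replacement turns a send-only call into a send-and-receive call, but nothing in the hunk handles the case where no reply arrives, which for dead peer detection is exactly the expected failure mode; make sure sendrecv_phase2's timeout/error result is checked here (and fed into the DPD liveness decision) rather than dropped. The trailing positional arguments `1 , NULL, NULL, NULL, 0, NULL, 0` are also opaque without a comment saying what the `1` selects, and the stray space before the first comma should go.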
* disconnecting didn't work fine
(compare to VPNC/Known Bugs: disconnecting does not work reliable with
all supported targets (a work-around is to connect with incorrect
password, and then again with correct password))
we had a similar problem with sonicwall: routing to internal nets only
worked every second time (or when using the 'incorrect
password' workaround) -> when debugging the communication we learned
that sonicwall didn't like the chained disconnect request but did well
with the request in two separate steps.
we've tested the patched version with a sonicwall and a cisco and both
worked fine with it. maybe this will also solve the problem with other
targets.
(patch vpnc_c_disconnect.patch is attached to the mail and was created
using revision 236)
please verify the patches against other cisco targets (we tested the
patches on cisco 6509 w/ 3DES-image).
greetings
Gerald Hanusch (sonicwall integration ('hacking'))
Wolfgang Astleitner (code integration, testing)
both: University of Linz / ZID
--
Wolfgang Astleitner
ZID - University of Linz
Altenbergerstr. 69 / A-4040 Linz-Auhof
Tel: +43/732/2468-8269 Fax: -8688
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: vpnc_c_disconnect.patch
Url: http://lists.unix-ag.uni-kl.de/pipermail/vpnc-devel/attachments/20070907/d2a9743a/attachment.txt