On Wed, May 12, 2021 at 07:11:09PM +0900, YASUOKA Masahiko wrote:
> Hi,
>
> Radek reported a problem to misc@ that multiple Windows clients behind a NAT
> cannot use an L2TP/IPsec server simultaneously.
>
> https://marc.info/?t=160996816100001&r=1&w=2
>
> There are two problems. First is pipex(4) doesn't pass the proper
> ipsecflowinfo to ip_output(). Second is the IPsec policy check which is
> done by ipsp_spd_lookup() returns -1 (EINVAL) if the given tdb is not
> cached. This happens when its flow is shared by another tdb (for another
> client of the same NAT).
>
> The following 2 diffs fix these problems.
>
> comment?
> ok?
>
Hi.

I have two comments for the diff 1:

1. You should add a PACKET_TAG_IPSEC_FLOWINFO description to m_tag_get(9).
2. You introduced an mbuf(9) leak in the pipex_l2tp_output() error path. I pointed out the place in your diff.

I'll see diff 2 later.

> diff #1 > > Fix IPsec NAT-T work with pipex. > > Index: sys/net/pipex.c > =================================================================== > RCS file: /disk/cvs/openbsd/src/sys/net/pipex.c,v > retrieving revision 1.132 > diff -u -p -r1.132 pipex.c > --- sys/net/pipex.c 10 Mar 2021 10:21:48 -0000 1.132 > +++ sys/net/pipex.c 12 May 2021 09:38:32 -0000 > @@ -1628,6 +1628,7 @@ pipex_l2tp_output(struct mbuf *m0, struc > #ifdef INET6 > struct ip6_hdr *ip6; > #endif > + struct m_tag *mtag; > > hlen = sizeof(struct pipex_l2tp_header) + > ((pipex_session_is_l2tp_data_sequencing_on(session)) > @@ -1703,6 +1704,15 @@ pipex_l2tp_output(struct mbuf *m0, struc > ip->ip_ttl = MAXTTL; > ip->ip_tos = 0; > ip->ip_off = 0; > + > + if (session->proto.l2tp.ipsecflowinfo > 0) { > + if ((mtag = m_tag_get(PACKET_TAG_IPSEC_FLOWINFO, > + sizeof(u_int32_t), M_NOWAIT)) == NULL) > + goto drop; mbuf(9) will leak here. > + *(u_int32_t *)(mtag + 1) = > + session->proto.l2tp.ipsecflowinfo; > + m_tag_prepend(m0, mtag); > + } > > ip_send(m0); > break;
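Review bot: the new error path in the second hunk, `if ((mtag = m_tag_get(PACKET_TAG_IPSEC_FLOWINFO, sizeof(u_int32_t), M_NOWAIT)) == NULL) goto drop;`, jumps out of pipex_l2tp_output() while `m0` is still owned by this function, so unless the `drop` label itself frees the chain, the packet mbuf leaks whenever the M_NOWAIT tag allocation fails; adding `m_freem(m0);` before the `goto` (or at the `drop` label, if every other path to it also leaves `m0` unfreed) closes that. Since this hunk also introduces a new tag type whose payload is a single u_int32_t read back via `(mtag + 1)`, that layout should be recorded in m_tag_get(9) next to the existing PACKET_TAG_* entries so the ip_output() side that consumes the flow info has a documented contract to match.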