authortobhe <tobhe@openbsd.org>2020-01-16 20:05:00 +0000
committertobhe <tobhe@openbsd.org>2020-01-16 20:05:00 +0000
commit59c69d76ce42f26132c47beecb76e1e0573c0421 (patch)
tree3bb80bc5cfff642251d3756f0ce00768d3f9e19c
parentAdd a file put sub test for ftpd(8) regression test. (diff)
Add '-p' command line option which allows configuring
the UDP encapsulation port, similar to isakmpd's '-N' flag. Being able to change the UDP encapsulation port is useful in cases where ESP and UDP ports 500 and 4500 are blocked or rate limited. ok sthen@
-rw-r--r--sbin/iked/config.c25
-rw-r--r--sbin/iked/iked.814
-rw-r--r--sbin/iked/iked.c22
-rw-r--r--sbin/iked/iked.h5
-rw-r--r--sbin/iked/ikev2.c6
-rw-r--r--sbin/iked/ikev2_msg.c4
-rw-r--r--sbin/iked/types.h3
7 files changed, 63 insertions, 16 deletions
diff --git a/sbin/iked/config.c b/sbin/iked/config.c
index 3cabdc3426f..71f01cb5d54 100644
--- a/sbin/iked/config.c
+++ b/sbin/iked/config.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: config.c,v 1.52 2020/01/07 15:08:28 tobhe Exp $ */
+/* $OpenBSD: config.c,v 1.53 2020/01/16 20:05:00 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -988,6 +988,29 @@ config_setkeys(struct iked *env)
}
int
+config_setnattport(struct iked *env)
+{
+ in_port_t nattport;
+
+ nattport = env->sc_nattport;
+ proc_compose(&env->sc_ps, PROC_IKEV2, IMSG_CTL_NATTPORT,
+ &nattport, sizeof(nattport));
+ return (0);
+}
+
+int
+config_getnattport(struct iked *env, struct imsg *imsg)
+{
+ in_port_t nattport;
+
+ IMSG_SIZE_CHECK(imsg, &nattport);
+ memcpy(&nattport, imsg->data, sizeof(nattport));
+ env->sc_nattport = nattport;
+ log_debug("%s: nattport %u", __func__, env->sc_nattport);
+ return (0);
+}
+
+int
config_getkey(struct iked *env, struct imsg *imsg)
{
size_t len;
diff --git a/sbin/iked/iked.8 b/sbin/iked/iked.8
index 5e1d62d11cf..6f8b406547f 100644
--- a/sbin/iked/iked.8
+++ b/sbin/iked/iked.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.8,v 1.23 2020/01/14 22:28:29 tobhe Exp $
+.\" $OpenBSD: iked.8,v 1.24 2020/01/16 20:05:00 tobhe Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: January 14 2020 $
+.Dd $Mdocdate: January 16 2020 $
.Dt IKED 8
.Os
.Sh NAME
@@ -25,6 +25,7 @@
.Op Fl dnSTtv
.Op Fl D Ar macro Ns = Ns Ar value
.Op Fl f Ar file
+.Op Fl p Ar udpencap_port
.Sh DESCRIPTION
.Nm
is an Internet Key Exchange (IKEv2) daemon which performs mutual
@@ -75,6 +76,15 @@ as the configuration file, instead of the default
.It Fl n
Configtest mode.
Only check the configuration file for validity.
+.It Fl p Ar udpencap-port
+Specify the listen port for encapsulated UDP that
+the daemon will bind to as well as the UDP encapsulation port set
+in resulting IPsec SAs.
+In order to receive UDP encapsulated IPsec packets on ports other
+than 4500, the
+.Em net.inet.esp.udpencap_port
+.Xr sysctl 2
+variable has to be set accordingly.
.It Fl S
Start
.Nm
diff --git a/sbin/iked/iked.c b/sbin/iked/iked.c
index ce78f4cbef7..85032d8eb3c 100644
--- a/sbin/iked/iked.c
+++ b/sbin/iked/iked.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.c,v 1.40 2020/01/15 20:30:32 sthen Exp $ */
+/* $OpenBSD: iked.c,v 1.41 2020/01/16 20:05:00 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -57,7 +57,7 @@ usage(void)
extern char *__progname;
fprintf(stderr, "usage: %s [-dnSTtv] [-D macro=value] "
- "[-f file]\n", __progname);
+ "[-f file] [-p udpencap_port]\n", __progname);
exit(1);
}
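Review bot: The usage string names the new argument `udpencap_port`, while the manual page's description entry in the iked.8 hunk (`.It Fl p Ar udpencap-port`) spells it with a hyphen and the SYNOPSIS line there uses the underscore form. Pick one spelling so usage(), SYNOPSIS and DESCRIPTION agree; `udpencap_port`, matching the `net.inet.esp.udpencap_port` sysctl name quoted in the same manual hunk, seems the natural choice.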
@@ -67,13 +67,14 @@ main(int argc, char *argv[])
int c;
int debug = 0, verbose = 0;
int opts = 0;
+ in_port_t port = IKED_NATT_PORT;
const char *conffile = IKED_CONFIG;
struct iked *env = NULL;
struct privsep *ps;
log_init(1, LOG_DAEMON);
- while ((c = getopt(argc, argv, "6dD:nf:vSTt")) != -1) {
+ while ((c = getopt(argc, argv, "6dD:nf:p:vSTt")) != -1) {
switch (c) {
case '6':
log_warnx("the -6 option is ignored and will be "
@@ -107,6 +108,10 @@ main(int argc, char *argv[])
case 't':
opts |= IKED_OPT_NATT;
break;
+ case 'p':
+ port = atoi(optarg);
+ opts |= IKED_OPT_NATT;
+ break;
default:
usage();
}
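Review bot: `port = atoi(optarg);` in the new `case 'p'` accepts any command-line text without a range check, so `-p 0`, a negative value, a value above 65535 (silently truncated when stored in the in_port_t) or non-numeric input all reach `env->sc_nattport` and later the `config_setsocket()` calls in parent_configure. OpenBSD's strtonum(3) gives a bounded parse with an error string; declaring `const char *errstr;` with main's other locals (in the preceding hunk) and failing with errx(3) on a bad value keeps the rest of the change untouched. main's body continues outside this hunk.
```c
	const char *errstr;
	/* … unchanged: remaining declarations, log_init(), getopt loop up to case 't' … */
		case 'p':
			port = strtonum(optarg, 1, UINT16_MAX, &errstr);
			if (errstr)
				errx(1, "port is %s: %s", errstr, optarg);
			opts |= IKED_OPT_NATT;
			break;
	/* … unchanged: default case and the rest of main … */
```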
@@ -121,6 +126,7 @@ main(int argc, char *argv[])
fatal("calloc: env");
env->sc_opts = opts;
+ env->sc_nattport = port;
ps = &env->sc_ps;
ps->ps_env = env;
@@ -221,18 +227,18 @@ parent_configure(struct iked *env)
bzero(&ss, sizeof(ss));
ss.ss_family = AF_INET;
- if ((env->sc_opts & IKED_OPT_NATT) == 0)
+ if ((env->sc_opts & IKED_OPT_NATT) == 0 && env->sc_nattport == IKED_NATT_PORT)
config_setsocket(env, &ss, ntohs(IKED_IKE_PORT), PROC_IKEV2);
if ((env->sc_opts & IKED_OPT_NONATT) == 0)
- config_setsocket(env, &ss, ntohs(IKED_NATT_PORT), PROC_IKEV2);
+ config_setsocket(env, &ss, ntohs(env->sc_nattport), PROC_IKEV2);
bzero(&ss, sizeof(ss));
ss.ss_family = AF_INET6;
- if ((env->sc_opts & IKED_OPT_NATT) == 0)
+ if ((env->sc_opts & IKED_OPT_NATT) == 0 && env->sc_nattport == IKED_NATT_PORT)
config_setsocket(env, &ss, ntohs(IKED_IKE_PORT), PROC_IKEV2);
if ((env->sc_opts & IKED_OPT_NONATT) == 0)
- config_setsocket(env, &ss, ntohs(IKED_NATT_PORT), PROC_IKEV2);
+ config_setsocket(env, &ss, ntohs(env->sc_nattport), PROC_IKEV2);
/*
* pledge in the parent process:
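Review bot: The `&& env->sc_nattport == IKED_NATT_PORT` clause added to both the AF_INET and AF_INET6 conditions looks redundant: the `-p` case in main sets IKED_OPT_NATT together with the port, so the first conjunct is already false whenever the second could be, and the clause can never change the outcome unless sc_nattport is assigned on some path not visible here. Either drop the clause or stop setting the flag in main and let the port alone drive the decision, whichever matches the intent. As written the two lines also exceed the 80-column limit of style(9) and would normally be wrapped after the `&&`; evaluating the condition once into a local such as `bind_ike` before the first bzero() would keep the two family stanzas in step.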
@@ -254,6 +260,7 @@ parent_configure(struct iked *env)
config_setmobike(env);
config_setfragmentation(env);
+ config_setnattport(env);
config_setcoupled(env, env->sc_decoupled ? 0 : 1);
config_setocsp(env);
/* Must be last */
@@ -287,6 +294,7 @@ parent_reload(struct iked *env, int reset, const char *filename)
config_setmobike(env);
config_setfragmentation(env);
+ config_setnattport(env);
config_setcoupled(env, env->sc_decoupled ? 0 : 1);
config_setocsp(env);
/* Must be last */
diff --git a/sbin/iked/iked.h b/sbin/iked/iked.h
index c3d17a8cf0d..74cbb0b1b01 100644
--- a/sbin/iked/iked.h
+++ b/sbin/iked/iked.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: iked.h,v 1.131 2020/01/14 22:28:29 tobhe Exp $ */
+/* $OpenBSD: iked.h,v 1.132 2020/01/16 20:05:00 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -662,6 +662,7 @@ struct iked {
uint32_t sc_opts;
uint8_t sc_passive;
uint8_t sc_decoupled;
+ in_port_t sc_nattport;
uint8_t sc_mobike; /* MOBIKE */
uint8_t sc_frag; /* fragmentation */
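Review bot: `sc_nattport` is stored and compared in host byte order (main assigns the parsed option value directly and ikev2_init_ike_sa_peer compares `ntohs(port)` against it), but nothing at the declaration says so, while the neighbouring port constants are always wrapped in ntohs() at their use sites. A trailing comment in the style of the `sc_mobike` and `sc_frag` lines, `in_port_t sc_nattport; /* UDP encap port, host byte order */`, would prevent a future htons()-vs-raw mix-up. The struct iked definition continues outside this hunk.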
@@ -767,6 +768,8 @@ int config_setmobike(struct iked *);
int config_getmobike(struct iked *, struct imsg *);
int config_setfragmentation(struct iked *);
int config_getfragmentation(struct iked *, struct imsg *);
+int config_setnattport(struct iked *);
+int config_getnattport(struct iked *, struct imsg *);
/* policy.c */
void policy_init(struct iked *);
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index 0db19f468cd..842e8da110f 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.187 2020/01/08 09:14:03 tobhe Exp $ */
+/* $OpenBSD: ikev2.c,v 1.188 2020/01/16 20:05:00 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -213,6 +213,8 @@ ikev2_dispatch_parent(int fd, struct privsep_proc *p, struct imsg *imsg)
return (config_getmobike(env, imsg));
case IMSG_CTL_FRAGMENTATION:
return (config_getfragmentation(env, imsg));
+ case IMSG_CTL_NATTPORT:
+ return (config_getnattport(env, imsg));
case IMSG_UDP_SOCKET:
return (config_getsocket(env, imsg, ikev2_msg_cb));
case IMSG_PFKEY_SOCKET:
@@ -1084,7 +1086,7 @@ ikev2_init_ike_sa_peer(struct iked *env, struct iked_policy *pol,
}
if ((env->sc_opts & IKED_OPT_NONATT) == 0) {
- if (ntohs(port) == IKED_NATT_PORT) {
+ if (ntohs(port) == env->sc_nattport) {
/* Enforce NAT-T on the initiator side */
log_debug("%s: enforcing NAT-T", __func__);
req.msg_natt = sa->sa_natt = sa->sa_udpencap = 1;
diff --git a/sbin/iked/ikev2_msg.c b/sbin/iked/ikev2_msg.c
index 31a5ab9662f..9ff4e8a69ec 100644
--- a/sbin/iked/ikev2_msg.c
+++ b/sbin/iked/ikev2_msg.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2_msg.c,v 1.60 2019/11/28 12:16:28 tobhe Exp $ */
+/* $OpenBSD: ikev2_msg.c,v 1.61 2020/01/16 20:05:00 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -78,7 +78,7 @@ ikev2_msg_cb(int fd, short event, void *arg)
return;
if (socket_getport((struct sockaddr *)&msg.msg_local) ==
- IKED_NATT_PORT) {
+ env->sc_nattport) {
if (memcmp(&natt, buf, sizeof(natt)) != 0)
return;
msg.msg_natt = 1;
diff --git a/sbin/iked/types.h b/sbin/iked/types.h
index 94ceea80a64..e8881a74e9a 100644
--- a/sbin/iked/types.h
+++ b/sbin/iked/types.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: types.h,v 1.31 2020/01/14 22:28:29 tobhe Exp $ */
+/* $OpenBSD: types.h,v 1.32 2020/01/16 20:05:00 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
@@ -104,6 +104,7 @@ enum imsg_type {
IMSG_CTL_PASSIVE,
IMSG_CTL_MOBIKE,
IMSG_CTL_FRAGMENTATION,
+ IMSG_CTL_NATTPORT,
IMSG_COMPILE,
IMSG_UDP_SOCKET,
IMSG_PFKEY_SOCKET,