authorWill Page <Will.Page@ni.com>2017-09-01 18:54:55 +0300
committerMartin Jansa <Martin.Jansa@gmail.com>2017-09-05 14:34:23 +0200
commit7f47d474d6323cf59112c0102ec522fdd7dbf437 (patch)
treeefdfea49e7bff0a698d2b2451f12022a968b2482
parent4f94470151e743e770d28113e981f4d83a94445f (diff)
downloadmeta-openembedded-contrib-7f47d474d6323cf59112c0102ec522fdd7dbf437.tar.gz
meta-openembedded-contrib-7f47d474d6323cf59112c0102ec522fdd7dbf437.tar.bz2
meta-openembedded-contrib-7f47d474d6323cf59112c0102ec522fdd7dbf437.zip
vpnc: Reduce lifetime value to widely-compatible value
Current proposed lifetime value (2147483 seconds, which equates to MAXINT ms, or ~25 days) is rejected by Fortigate vpn devices because "peer SA proposal does not match local policy". It seems default policy for these devices constrains lifetime where similar VPN devices don't. Reducing the lifetime from its current value to 28800 (exactly 8 hours) causes it to start working with fortigate devices. Signed-off-by: Will Page <Will.Page@ni.com> Signed-off-by: Ioan-Adrian Ratiu <adrian.ratiu@ni.com> Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
-rw-r--r--meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch42
-rw-r--r--meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb1
2 files changed, 43 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch b/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch
new file mode 100644
index 0000000000..2bed550415
--- /dev/null
+++ b/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch
@@ -0,0 +1,42 @@
+From 39925f090c21ab571ebc6ec250696f7f7093a2a6 Mon Sep 17 00:00:00 2001
+From: Will Page <Will.Page@ni.com>
+Date: Wed, 30 Aug 2017 18:14:00 -0700
+Subject: [PATCH 1/1] Reduce lifetime value to widely-compatible value
+
+Current proposed lifetime value (2147483 seconds, which equates to
+MAXINT ms, or ~25 days) is rejected by Fortigate vpn devices because
+"peer SA proposal does not match local policy". It seems default
+policy for these devices constrains lifetime where similar VPN devices
+don't.
+
+Reducing the lifetime from its current value to 28800 (exactly 8 hours)
+causes it to start working with fortigate devices.
+---
+ vpnc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/vpnc.c b/vpnc.c
+index 36dd0f3..3e0fcba 100644
+--- a/vpnc.c
++++ b/vpnc.c
+@@ -1135,7 +1135,7 @@ static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int
+ a->af = isakmp_attr_lots;
+ a->u.lots.length = 4;
+ a->u.lots.data = xallocc(a->u.lots.length);
+- *((uint32_t *) a->u.lots.data) = htonl(2147483);
++ *((uint32_t *) a->u.lots.data) = htonl(28800);
+ a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
+ a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
+ a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
+@@ -2561,7 +2561,7 @@ static struct isakmp_attribute *make_transform_ipsec(struct sa_block *s, int dh_
+ a->af = isakmp_attr_lots;
+ a->u.lots.length = 4;
+ a->u.lots.data = xallocc(a->u.lots.length);
+- *((uint32_t *) a->u.lots.data) = htonl(2147483);
++ *((uint32_t *) a->u.lots.data) = htonl(28800);
+ a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
+
+ if (dh_group)
+--
+2.7.4
+
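Review bot: The new lifetime `28800` is written as a bare literal in two places, in make_transform_ike and in make_transform_ipsec, so the IKE and IPsec proposals can drift apart on a later edit; a single named constant used at both sites (for example `#define SA_LIFETIME_SECONDS 28800 /* 8 h; accepted by peers with a strict lifetime policy */`, the name being only a suggestion) would document the choice. A shorter lifetime bounds how long one set of keys stays in use, but it also means the peer will expire the SA after eight hours; whether vpnc renegotiates at that point is not visible in these hunks, so it is worth confirming that long-running tunnels survive expiry. Both function bodies start and end outside the hunks shown. The embedded patch header also carries no `Upstream-Status:` line, which OpenEmbedded layers conventionally expect on carried patches so their provenance can be tracked.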
diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
index 6f92acd06c..ea21799853 100644
--- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
+++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/ndpgroup/vpnc \
file://0006-sysdep-Add-header-include-sequence-to-adjust-for-mus.patch \
file://0007-add-error-API-when-error.h-is-not-on-platform.patch \
file://0008-include-sysdep.h-before-net-if_tun.h.patch \
+ file://0009-reduce-lifetime-value.patch \
"
PACKAGECONFIG ?= "gnutls"