Re: Vpnc pluggin needs "force-natt" option.



Hi All,

I created a patch, and it works for me.

More details are in my comment on the bug.


On Thu, Feb 25, 2010 at 5:47 AM, Dan Williams <dcbw redhat com> wrote:
On Wed, 2010-02-24 at 18:38 -0500, Michael H. Warfield wrote:
> Hello all!
>
> I have a situation where vpnc is failing due to an incorrect setting in
> the NetworkManager vpnc plugin.  The situation is a condition where a
> firewall or other non-NAT device is interfering with protocol 50 (esp)
> and we need NAT-T even though we are not behind a NAT.  As it so
> happens, vpnc does support this.  It's "NAT Traversal mode force-natt".
> In those environments, cli invocation of vpnc works like a charm.  But
> there appears to be no way for the NetworkManager vpnc plugin to
> configure and use this.  The force-natt option is most likely to work in
> the widest variety of environments at the cost of a slight overhead (UDP
> encapsulation).  OpenSWAN, StrongSWAN, Racoon, and vpnc all support
> this.  Just need the plugin adapted to support it as  well.  Any chance
> of getting that added to that plugin?

Seems pretty simple; to make sure it doesn't get lost I've created:

https://bugzilla.gnome.org/show_bug.cgi?id=611027

Can't promise when, but it would be a good simple bug for a new
contributor to pick up.

Dan


_______________________________________________
NetworkManager-list mailing list
NetworkManager-list gnome org
http://mail.gnome.org/mailman/listinfo/networkmanager-list

diff --git a/properties/nm-vpnc.c b/properties/nm-vpnc.c
index 339c4a9..0528e19 100644
--- a/properties/nm-vpnc.c
+++ b/properties/nm-vpnc.c
@@ -468,24 +468,31 @@ init_plugin_ui (VpncPluginUiWidget *self, NMConnection *connection, GError **err
 		natt_mode = nm_setting_vpn_get_data_item (s_vpn, NM_VPNC_KEY_NAT_TRAVERSAL_MODE);
 
 	gtk_list_store_append (store, &iter);
-	gtk_list_store_set (store, &iter, 0, _("NAT-T (default)"), 1, NM_VPNC_NATT_MODE_NATT, -1);
+	gtk_list_store_set (store, &iter, 0, _("NAT-T (autodetect)"), 1, NM_VPNC_NATT_MODE_NATT, -1);
 	if ((active < 0) && natt_mode) {
 		if (!strcmp (natt_mode, NM_VPNC_NATT_MODE_NATT))
 			active = 0;
 	}
 
 	gtk_list_store_append (store, &iter);
+	gtk_list_store_set (store, &iter, 0, _("NAT-T (always)"),1,NM_VPNC_NATT_MODE_ALWAYS, -1);
+	if ((active <0 ) && natt_mode) {
+		if (!strcmp (natt_mode, NM_VPNC_NATT_MODE_ALWAYS))
+			active = 1;
+	}
+
+	gtk_list_store_append (store, &iter);
 	gtk_list_store_set (store, &iter, 0, _("Cisco UDP"), 1, NM_VPNC_NATT_MODE_CISCO, -1);
 	if ((active < 0) && natt_mode) {
 		if (!strcmp (natt_mode, NM_VPNC_NATT_MODE_CISCO))
-			active = 1;
+			active = 2;
 	}
 
 	gtk_list_store_append (store, &iter);
 	gtk_list_store_set (store, &iter, 0, _("Disabled"), 1, NM_VPNC_NATT_MODE_NONE, -1);
 	if ((active < 0) && natt_mode) {
 		if (!strcmp (natt_mode, NM_VPNC_NATT_MODE_NONE))
-			active = 2;
+			active = 3;
 	}
 
 	widget = glade_xml_get_widget (priv->xml, "natt_combo");
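Review bot: The new "NAT-T (always)" row does not follow the spacing of the neighbouring rows; it should read `gtk_list_store_set (store, &iter, 0, _("NAT-T (always)"), 1, NM_VPNC_NATT_MODE_ALWAYS, -1);` and `if ((active < 0) && natt_mode) {`. Separately, each `active = N` is a hand-maintained row index, which is why this insertion had to renumber the Cisco UDP and Disabled rows. A comment above the first append, such as `/* 'active' values below must match the append order of the rows */`, would make that coupling explicit for the next person who adds a mode. init_plugin_ui starts and ends outside the hunk.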
@@ -1063,7 +1070,10 @@ import (NMVpnPluginUiInterface *iface, const char *path, GError **error)
 	/* Disable all NAT Traversal if explicit EnableNat=0 exists, otherwise
 	 * default to NAT-T which is newer and standardized.  If EnableNat=1, then
 	 * use Cisco-UDP like always; but if the key "X-NM-Use-NAT-T" is set, then
-	 * use NAT-T.
+	 * use NAT-T. 
+	 * If the key "X-NM-Use-Force-NAT-T" is set we use force-natt
+	 * Note: For force-natt both "X-NM-Use-NAT-T" and "X-NM-Use-Force-NAT-T" must
+	 * be set.
 	 */
 	nm_setting_vpn_add_data_item (s_vpn,
 	                              NM_VPNC_KEY_NAT_TRAVERSAL_MODE,
@@ -1074,9 +1084,15 @@ import (NMVpnPluginUiInterface *iface, const char *path, GError **error)
 			bool_value = FALSE;
 			if (   pcf_file_lookup_bool (pcf, "main", "X-NM-Use-NAT-T", &bool_value)
 			    && bool_value) {
-				nm_setting_vpn_add_data_item (s_vpn,
-				                              NM_VPNC_KEY_NAT_TRAVERSAL_MODE,
-				                              NM_VPNC_NATT_MODE_NATT);
+				if ( pcf_file_lookup_bool (pcf, "main", "X-NM-Use-Force-NAT-T", &bool_value)
+				     && bool_value) 
+						nm_setting_vpn_add_data_item (s_vpn,
+									      NM_VPNC_KEY_NAT_TRAVERSAL_MODE,
+									      NM_VPNC_NATT_MODE_ALWAYS);
+				else		
+					nm_setting_vpn_add_data_item (s_vpn,
+					                              NM_VPNC_KEY_NAT_TRAVERSAL_MODE,
+					                              NM_VPNC_NATT_MODE_NATT);
 			}
 		} else {
 			nm_setting_vpn_add_data_item (s_vpn,
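Review bot: The added "X-NM-Use-Force-NAT-T" lookup reuses `bool_value` while it still holds TRUE from the "X-NM-Use-NAT-T" check. The result is only correct if `pcf_file_lookup_bool` returns FALSE whenever it leaves the out-parameter unwritten, and that behaviour is not visible here. Resetting it first, as the code already does before the first lookup, removes that dependency for a file that comes from outside: add `bool_value = FALSE;` immediately before the new `if`. The new `if`/`else` also has multi-line bodies without braces, with the first call indented one tab deeper than the second; bracing both arms and aligning them would make the pairing unambiguous. import's body starts and ends outside the hunk.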
@@ -1154,7 +1170,8 @@ export (NMVpnPluginUiInterface *iface,
 	guint32 routes_count = 0;
 	gboolean save_password = FALSE;
 	gboolean use_natt = FALSE;
-
+	gboolean use_force_natt = FALSE;
+	
 	s_con = NM_SETTING_CONNECTION (nm_connection_get_setting (connection, NM_TYPE_SETTING_CONNECTION));
 	s_ip4 = (NMSettingIP4Config *) nm_connection_get_setting (connection, NM_TYPE_SETTING_IP4_CONFIG);
 
@@ -1202,6 +1219,10 @@ export (NMVpnPluginUiInterface *iface,
 		} else if (!strcmp (value, NM_VPNC_NATT_MODE_NATT)) {
 			enablenat = TRUE;
 			use_natt = TRUE;
+		} else if (!strcmp (value, NM_VPNC_NATT_MODE_ALWAYS)) {
+			enablenat = TRUE;
+			use_natt = TRUE;
+			use_force_natt = TRUE;				
 		}
 	}
 
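Review bot: The new `NM_VPNC_NATT_MODE_ALWAYS` branch sets `use_natt` as well as `use_force_natt`, and nothing in the branch says why. import() in this same patch only honours "X-NM-Use-Force-NAT-T" when "X-NM-Use-NAT-T" is also set, so dropping the `use_natt = TRUE;` line later would make an exported file re-import as Cisco UDP. A one-line comment would record that: `/* import() requires X-NM-Use-NAT-T=1 as well for force-natt */`. The added `use_force_natt = TRUE;` line also carries trailing tabs. export's body starts and ends outside the hunk.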
@@ -1282,6 +1303,7 @@ export (NMVpnPluginUiInterface *iface,
 		 "SingleDES=%s\n"
 		 "SPPhonebook=\n"
 		 "X-NM-Use-NAT-T=%s\n"
+		 "X-NM-Use-Force-NAT-T=%s\n"
 		 "%s\n",
 		 /* Description */   nm_setting_connection_get_id (s_con),
 		 /* Host */          gateway,
@@ -1294,6 +1316,7 @@ export (NMVpnPluginUiInterface *iface,
 		 /* PeerTimeout */   peertimeout != NULL ? peertimeout : "0",
 		 /* SingleDES */     singledes ? "1" : "0",
 		 /* X-NM-Use-NAT-T */ use_natt ? "1" : "0",
+		 /* X-NM-Use-Force-NAT-T */ use_force_natt ? "1" : "0",
 		 /* X-NM-Routes */   (routes && routes->str) ? routes->str : "");
 
 	success = TRUE;
diff --git a/src/nm-vpnc-service.c b/src/nm-vpnc-service.c
index ddf1bdb..4d6d041 100644
--- a/src/nm-vpnc-service.c
+++ b/src/nm-vpnc-service.c
@@ -433,6 +433,12 @@ nm_vpnc_config_write (gint vpnc_fd,
 		                     NM_VPNC_KEY_NAT_TRAVERSAL_MODE " %s\n",
 		                     NM_VPNC_NATT_MODE_CISCO);
 	}
+	/* Use force-natt is chosen */
+	if (props_natt_mode && (!strcmp(props_natt_mode, NM_VPNC_NATT_MODE_ALWAYS))) {
+		write_config_option (vpnc_fd,
+				     NM_VPNC_KEY_NAT_TRAVERSAL_MODE " %s\n",
+				     NM_VPNC_NATT_MODE_ALWAYS);
+	}
 
 	info = g_malloc0 (sizeof (WriteConfigInfo));
 	info->fd = vpnc_fd;
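Review bot: The force-natt block is a standalone `if` placed after the closing brace of the preceding NAT-traversal chain, so it runs in addition to whichever arm of that chain was taken. The context lines show a cisco-udp write just above; its condition is outside the hunk, but if it is a fallback for unrecognised modes, a "force-natt" connection would get two `NM_VPNC_KEY_NAT_TRAVERSAL_MODE` lines in the config passed to vpnc. Making the new test an arm of the existing chain avoids that: `} else if (props_natt_mode && (!strcmp (props_natt_mode, NM_VPNC_NATT_MODE_ALWAYS))) {`. The comment would read better as `/* force-natt was chosen */`. nm_vpnc_config_write starts and ends outside the hunk.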
diff --git a/src/nm-vpnc-service.h b/src/nm-vpnc-service.h
index d8d6891..174e6b1 100644
--- a/src/nm-vpnc-service.h
+++ b/src/nm-vpnc-service.h
@@ -57,6 +57,7 @@
 
 #define NM_VPNC_NATT_MODE_NATT "natt"
 #define NM_VPNC_NATT_MODE_NONE "none"
+#define NM_VPNC_NATT_MODE_ALWAYS "force-natt"
 #define NM_VPNC_NATT_MODE_CISCO "cisco-udp"
 
 #define NM_VPNC_PW_TYPE_SAVE   "save"

