--- vpnc-0.4.0.orig/debian/patches/06_stolen_from_head.dpatch +++ vpnc-0.4.0/debian/patches/06_stolen_from_head.dpatch 
@@ -0,0 +1,1026 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 06_stolen_from_head.dpatch by Eduard Bloch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad vpnc~/TODO vpnc/TODO +--- vpnc~/TODO 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/TODO 2007-03-11 19:14:21.000000000 +0100 +@@ -1,7 +1,5 @@ + TODO list + +-* --local-address +- + * clean up scripts + - config-support for vpnc-script + - customizable handling of routing +@@ -17,7 +15,7 @@ + - get a rid of remaining (non-const) global variables + + * implement phase1 rekeying (with or without xauth-reauthentication) +-* implement DPD, RFC3 706 Dead Peer Detection ++* implement DPD, RFC 3706 Dead Peer Detection + * implement compression + * try a list of gateways (backup server) + +@@ -28,6 +26,7 @@ + + * research: + - usernames containing "@" unable to login ++ - amd64 somehow broken? + - ipsec over tcp + - nortel support? + +@@ -51,6 +50,7 @@ + + ---- + ++* DONE --local-address + * DONE implement phase2 rekeying + * DONE support rsa-SecurID token which sometimes needs 2 IDs + * DONE add macosx support +diff -urNad vpnc~/config.c vpnc/config.c +--- vpnc~/config.c 2007-02-19 22:32:32.000000000 +0100 ++++ vpnc/config.c 2007-03-11 19:14:21.000000000 +0100 +@@ -219,6 +219,11 @@ + return "server"; + } + ++static const char *config_def_local_addr(void) ++{ ++ return "0.0.0.0"; ++} ++ + static const char *config_def_local_port(void) + { + return "500"; +@@ -453,6 +458,13 @@ + "store the pid of background process in ", + config_def_pid_file + }, { ++ CONFIG_LOCAL_ADDR, 1, 1, ++ "--local-addr", ++ "Local Addr ", ++ "", ++ "local IP to use for ISAKMP / ESP / ... 
(0.0.0.0 == automatically assign)", ++ config_def_local_addr ++ }, { + CONFIG_LOCAL_PORT, 1, 1, + "--local-port", + "Local Port ", +diff -urNad vpnc~/config.h vpnc/config.h +--- vpnc~/config.h 2007-02-19 22:32:32.000000000 +0100 ++++ vpnc/config.h 2007-03-11 19:14:21.000000000 +0100 +@@ -36,6 +36,7 @@ + CONFIG_ND, + CONFIG_NON_INTERACTIVE, + CONFIG_PID_FILE, ++ CONFIG_LOCAL_ADDR, + CONFIG_LOCAL_PORT, + CONFIG_VERSION, + CONFIG_IF_NAME, +diff -urNad vpnc~/isakmp.h vpnc/isakmp.h +--- vpnc~/isakmp.h 2007-02-19 22:32:32.000000000 +0100 ++++ vpnc/isakmp.h 2007-03-11 19:14:21.000000000 +0100 +@@ -103,6 +103,8 @@ + ISAKMP_N_IPSEC_RESPONDER_LIFETIME = 24576, + ISAKMP_N_IPSEC_REPLAY_STATUS, + ISAKMP_N_IPSEC_INITIAL_CONTACT, ++ ISAKMP_N_R_U_THERE = 36136, ++ ISAKMP_N_R_U_THERE_ACK, + ISAKMP_N_CISCO_LOAD_BALANCE = 40501 + }; + +@@ -332,34 +334,18 @@ + #define ISAKMP_MESSAGE_ID_O 20 + #define ISAKMP_PAYLOAD_O 28 + +-/* Support for draft-ietf-ipsec-isakmp-xauth-06.txt (yuk). */ +-#define XAUTH_VENDOR_ID { 0x09, 0x00, 0x26, 0x89, 0xDF, 0xD6, 0xB7, 0x12 } +-/* From dead-peer-detection RFC 3706 */ +-#define DPD_VENDOR_ID { 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9, \ +- 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00} +-#define UNITY_VENDOR_ID { 0x12, 0xF5, 0xF2, 0x8C, 0x45, 0x71, 0x68, 0xA9, \ +- 0x70, 0x2D, 0x9F, 0xE2, 0x74, 0xCC, 0x01, 0x00 } +-#define UNKNOWN_VENDOR_ID { 0x12, 0x6E, 0x1F, 0x57, 0x72, 0x91, 0x15, 0x3B, \ +- 0x20, 0x48, 0x5F, 0x7F, 0x15, 0x5B, 0x4B, 0xC8 } +- +-/* draft-ietf-ipsec-nat-t-ike-00 */ +-#define NATT_VENDOR_ID_00 { 0x44, 0x85, 0x15, 0x2d, 0x18, 0xb6, 0xbb, 0xcd, \ +- 0x0b, 0xe8, 0xa8, 0x46, 0x95, 0x79, 0xdd, 0xcc } +-/* draft-ietf-ipsec-nat-t-ike-01 */ +-#define NATT_VENDOR_ID_01 { 0x16, 0xf6, 0xca, 0x16, 0xe4, 0xa4, 0x06, 0x6d, \ +- 0x83, 0x82, 0x1a, 0x0f, 0x0a, 0xea, 0xa8, 0x62 } +-/* draft-ietf-ipsec-nat-t-ike-02 */ +-#define NATT_VENDOR_ID_02 { 0xcd, 0x60, 0x46, 0x43, 0x35, 0xdf, 0x21, 0xf8, \ +- 0x7c, 0xfd, 0xb2, 0xfc, 0x68, 0xb6, 0xa4, 0x48 
} +-/* draft-ietf-ipsec-nat-t-ike-02\n */ +-#define NATT_VENDOR_ID_02n { 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E, \ +- 0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F } +-/* RFC 3947 */ +-#define NATT_VENDOR_ID_RFC { 0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45, \ +- 0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F } ++/* defined in vpnc.c */ ++extern const unsigned char VID_XAUTH[]; ++extern const unsigned char VID_DPD[]; ++extern const unsigned char VID_UNITY[]; ++extern const unsigned char VID_UNKNOWN[]; ++extern const unsigned char VID_NATT_00[]; ++extern const unsigned char VID_NATT_01[]; ++extern const unsigned char VID_NATT_02[]; ++extern const unsigned char VID_NATT_02N[]; ++extern const unsigned char VID_NATT_RFC[]; + + /* Support for draft-ietf-ipsec-isakmp-mode-cfg-05.txt (yuk). */ +- + enum isakmp_modecfg_cfg_enum { + ISAKMP_MODECFG_CFG_REQUEST = 1, + ISAKMP_MODECFG_CFG_REPLY, +diff -urNad vpnc~/sysdep.c vpnc/sysdep.c +--- vpnc~/sysdep.c 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/sysdep.c 2007-03-11 19:14:21.000000000 +0100 +@@ -314,9 +314,9 @@ + return -1; + } + +- // +- // Return fd +- // ++ /* ++ * Return fd ++ */ + return cygwin_attach_handle_to_fd(NULL, -1, handle, 1, GENERIC_READ | GENERIC_WRITE); + } + +diff -urNad vpnc~/sysdep.h vpnc/sysdep.h +--- vpnc~/sysdep.h 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/sysdep.h 2007-03-11 19:14:21.000000000 +0100 +@@ -36,7 +36,7 @@ + int tun_get_hwaddr(int fd, char *dev, uint8_t *hwaddr); + + /***************************************************************************/ +-#if defined(__linux__) ++#if defined(__linux__) || defined(__GLIBC__) + #include + + #define HAVE_VASPRINTF 1 +@@ -72,6 +72,11 @@ + #endif + + /***************************************************************************/ ++#if defined(__FreeBSD_kernel__) ++#define HAVE_SA_LEN 1 ++#endif ++ ++/***************************************************************************/ + #if defined(__FreeBSD__) + #define HAVE_SA_LEN 1 + +diff 
-urNad vpnc~/tap-win32.h vpnc/tap-win32.h +--- vpnc~/tap-win32.h 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/tap-win32.h 2007-03-11 19:14:21.000000000 +0100 +@@ -29,20 +29,20 @@ + * 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +-//=============================================== +-// This file is included both by OpenVPN and +-// the TAP-Win32 driver and contains definitions +-// common to both. +-//=============================================== ++/* =============================================== ++ This file is included both by OpenVPN and ++ the TAP-Win32 driver and contains definitions ++ common to both. ++ =============================================== */ + +-//============= +-// TAP IOCTLs +-//============= ++/* ============= ++ TAP IOCTLs ++ ============= */ + + #define TAP_CONTROL_CODE(request,method) \ + CTL_CODE (FILE_DEVICE_UNKNOWN, request, method, FILE_ANY_ACCESS) + +-// Present in 8.1 ++/* Present in 8.1 */ + + #define TAP_IOCTL_GET_MAC TAP_CONTROL_CODE (1, METHOD_BUFFERED) + #define TAP_IOCTL_GET_VERSION TAP_CONTROL_CODE (2, METHOD_BUFFERED) +@@ -54,32 +54,32 @@ + #define TAP_IOCTL_GET_LOG_LINE TAP_CONTROL_CODE (8, METHOD_BUFFERED) + #define TAP_IOCTL_CONFIG_DHCP_SET_OPT TAP_CONTROL_CODE (9, METHOD_BUFFERED) + +-// Added in 8.2 ++/* Added in 8.2 */ + + /* obsoletes TAP_IOCTL_CONFIG_POINT_TO_POINT */ + #define TAP_IOCTL_CONFIG_TUN TAP_CONTROL_CODE (10, METHOD_BUFFERED) + +-//================= +-// Registry keys +-//================= ++/* ================= ++ Registry keys ++ ================= */ + + #define ADAPTER_KEY "SYSTEM\\CurrentControlSet\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002BE10318}" + + #define NETWORK_CONNECTIONS_KEY "SYSTEM\\CurrentControlSet\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}" + +-//====================== +-// Filesystem prefixes +-//====================== ++/* ====================== ++ Filesystem prefixes ++ ====================== */ + + #define USERMODEDEVICEDIR "\\\\.\\Global\\" + 
#define SYSDEVICEDIR "\\Device\\" + #define USERDEVICEDIR "\\DosDevices\\Global\\" + #define TAPSUFFIX ".tap" + +-//========================================================= +-// TAP_COMPONENT_ID -- This string defines the TAP driver +-// type -- different component IDs can reside in the system +-// simultaneously. +-//========================================================= ++/* ========================================================= ++ TAP_COMPONENT_ID -- This string defines the TAP driver ++ type -- different component IDs can reside in the system ++ simultaneously. ++ ========================================================= */ + + #define TAP_COMPONENT_ID "tap0801" +diff -urNad vpnc~/tunip.c vpnc/tunip.c +--- vpnc~/tunip.c 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/tunip.c 2007-03-11 19:14:21.000000000 +0100 +@@ -781,17 +781,20 @@ + fd_set rfds, refds; + int nfds=0; + int enable_keepalives; ++ int timed_mode; + ssize_t len; +- struct timeval select_timeout = { .tv_sec = 9, .tv_usec = 500000 }; ++ struct timeval select_timeout; ++ struct timeval normal_timeout; + time_t next_ike_keepalive=0; ++ time_t next_ike_dpd=0; + #if defined(__CYGWIN__) + pthread_t tid; + #endif + + /* non-esp marker, nat keepalive payload (0xFF) */ +- char keepalive_v2[5] = { 0x00, 0x00, 0x00, 0x00, 0xFF }; +- char keepalive_v1[1] = { 0xFF }; +- char *keepalive; ++ uint8_t keepalive_v2[5] = { 0x00, 0x00, 0x00, 0x00, 0xFF }; ++ uint8_t keepalive_v1[1] = { 0xFF }; ++ uint8_t *keepalive; + size_t keepalive_size; + + if (s->ipsec.natt_active_mode == NATT_ACTIVE_DRAFT_OLD) { +@@ -805,6 +808,9 @@ + /* send keepalives if UDP encapsulation is enabled */ + enable_keepalives = (s->ipsec.encap_mode != IPSEC_ENCAP_TUNNEL); + ++ /* regular wakeups if keepalives on ike or dpd active */ ++ timed_mode = ((enable_keepalives && s->ike_fd != s->esp_fd) || s->ike.do_dpd); ++ + FD_ZERO(&rfds); + + #if !defined(__CYGWIN__) +@@ -827,34 +833,64 @@ + } + #endif + ++ normal_timeout.tv_sec = 86400; ++ 
normal_timeout.tv_usec = 0; ++ ++ if (s->ike.do_dpd) { ++ /* send initial dpd request */ ++ next_ike_dpd = time(NULL) + 300; ++ dpd_ike(s); ++ normal_timeout.tv_sec = 300; ++ normal_timeout.tv_usec = 0; ++ } ++ + if (enable_keepalives && s->ike_fd != s->esp_fd) { + /* send initial nat ike keepalive packet */ + next_ike_keepalive = time(NULL) + 9; + keepalive_ike(s); ++ normal_timeout.tv_sec = 9; ++ normal_timeout.tv_usec = 500000; + } +- ++ ++ select_timeout = normal_timeout; ++ + while (!do_kill) { + int presult; + + do { + struct timeval *tvp = NULL; + FD_COPY(&rfds, &refds); +- if (enable_keepalives) ++ if (s->ike.do_dpd || enable_keepalives) + tvp = &select_timeout; + presult = select(nfds, &refds, NULL, NULL, tvp); +- if (presult == 0 && enable_keepalives) { +- if (s->ike_fd != s->esp_fd) { +- /* send nat ike keepalive packet */ +- next_ike_keepalive = time(NULL) + 9; +- keepalive_ike(s); ++ if (presult == 0 && (s->ike.do_dpd || enable_keepalives)) { ++ /* reset to max timeout */ ++ select_timeout = normal_timeout; ++ if (enable_keepalives) { ++ if (s->ike_fd != s->esp_fd) { ++ /* send nat ike keepalive packet */ ++ next_ike_keepalive = time(NULL) + 9; ++ keepalive_ike(s); ++ } ++ /* send nat keepalive packet */ ++ if (send(s->esp_fd, keepalive, keepalive_size, 0) == -1) { ++ syslog(LOG_ERR, "sendto: %m"); ++ } + } +- /* send nat keepalive packet */ +- if (send(s->esp_fd, keepalive, keepalive_size, 0) == -1) { +- syslog(LOG_ERR, "sendto: %m"); ++ if (s->ike.do_dpd) { ++ time_t now = time(NULL); ++ if (s->ike.dpd_seqno != s->ike.dpd_seqno_ack) { ++ /* Wake up more often for dpd attempts */ ++ select_timeout.tv_sec = 5; ++ select_timeout.tv_usec = 0; ++ dpd_ike(s); ++ next_ike_dpd = now + 300; ++ } ++ else if (now >= next_ike_dpd) { ++ dpd_ike(s); ++ next_ike_dpd = now + 300; ++ } + } +- /* reset to max timeout */ +- select_timeout.tv_sec = 9; +- select_timeout.tv_usec = 500000; + } + DEBUG(2,printf("lifetime status: %ld of %u seconds used, %u|%u of %u kbytes 
used\n", + time(NULL) - s->ipsec.life.start, +@@ -893,30 +929,52 @@ + #endif + } + +- if (enable_keepalives && s->ike_fd != s->esp_fd) { +- time_t cur_time = time(NULL); +- if (cur_time >= next_ike_keepalive) { +- /* send nat ike keepalive packet now */ +- next_ike_keepalive = cur_time + 9; +- keepalive_ike(s); +- /* reset to max timeout */ +- select_timeout.tv_sec = 9; +- select_timeout.tv_usec = 500000; ++ if (timed_mode) { ++ time_t now = time(NULL); ++ time_t next_up = now + 86400; ++ if (enable_keepalives && s->ike_fd != s->esp_fd) { ++ if (now >= next_ike_keepalive) { ++ /* send nat ike keepalive packet now */ ++ next_ike_keepalive = now + 9; ++ keepalive_ike(s); ++ select_timeout = normal_timeout; ++ } ++ if (next_ike_keepalive < next_up) ++ next_up = next_ike_keepalive; + } +- else { +- /* Reduce timeout so next ike keepalive goes on schedule */ +- select_timeout.tv_sec = next_ike_keepalive - cur_time; +- select_timeout.tv_usec = 0; ++ if (s->ike.do_dpd) { ++ if (s->ike.dpd_seqno != s->ike.dpd_seqno_ack) { ++ dpd_ike(s); ++ next_ike_dpd = now + 300; ++ if (now + 5 < next_up) ++ next_up = now + 5; ++ } ++ else if (now >= next_ike_dpd) { ++ dpd_ike(s); ++ next_ike_dpd = now + 300; ++ } ++ if (next_ike_dpd < next_up) ++ next_up = next_ike_dpd; + } ++ /* Reduce timeout so next activity happens on schedule */ ++ select_timeout.tv_sec = next_up - now; ++ select_timeout.tv_usec = 0; + } + + } + + tun_close(s->tun_fd, s->tun_name); +- if (do_kill == -1) +- syslog(LOG_NOTICE, "connection terminated by peer"); +- else +- syslog(LOG_NOTICE, "terminated by signal: %d", do_kill); ++ switch (do_kill) { ++ case -2: ++ syslog(LOG_NOTICE, "connection terminated by dead peer detection"); ++ break; ++ case -1: ++ syslog(LOG_NOTICE, "connection terminated by peer"); ++ break; ++ default: ++ syslog(LOG_NOTICE, "terminated by signal: %d", do_kill); ++ break; ++ } + } + + static void killit(int signum) +diff -urNad vpnc~/tunip.h vpnc/tunip.h +--- vpnc~/tunip.h 2007-02-19 
22:32:32.000000000 +0100 ++++ vpnc/tunip.h 2007-03-11 19:14:21.000000000 +0100 +@@ -23,6 +23,7 @@ + + #include "isakmp.h" + ++#include + #include + + struct lifetime { +@@ -74,6 +75,8 @@ + int esp_fd; /* raw socket for ip-esp or Cisco-UDP or ike_fd (NAT-T) */ + + struct { ++ int timeout; ++ uint8_t *resend_hash; + uint16_t src_port, dst_port; + uint8_t i_cookie[ISAKMP_COOKIE_LENGTH]; + uint8_t r_cookie[ISAKMP_COOKIE_LENGTH]; +@@ -88,6 +91,11 @@ + uint8_t current_iv_msgid[4]; + uint8_t *current_iv; + struct lifetime life; ++ int do_dpd; ++ uint32_t dpd_seqno; ++ uint32_t dpd_seqno_ack; ++ time_t dpd_sent; ++ unsigned int dpd_attempts; + } ike; + uint8_t our_address[4], our_netmask[4]; + struct { +diff -urNad vpnc~/vpnc-script vpnc/vpnc-script +--- vpnc~/vpnc-script 2007-03-11 18:47:45.000000000 +0100 ++++ vpnc/vpnc-script 2007-03-11 19:14:21.000000000 +0100 +@@ -95,6 +95,10 @@ + if [ ! -e /dev/tun ]; then + kldload if_tun + fi ++ elif [ "$OS" = "GNU/kFreeBSD" ]; then ++ if [ ! -e /dev/tun ]; then ++ kldload if_tun ++ fi + elif [ "$OS" = "NetBSD" ]; then + : + elif [ "$OS" = "OpenBSD" ]; then +@@ -261,17 +265,33 @@ + ;; + # 10.4 and later require use of scutil for DNS to work properly + *) ++ OVERRIDE_PRIMARY="" ++ if [ -n "$CISCO_SPLIT_INC" ]; then ++ if [ $CISCO_SPLIT_INC -lt 1 ]; then ++ # Must override for correct default route ++ # Cannot use multiple DNS matching in this case ++ OVERRIDE_PRIMARY='d.add OverridePrimary # 1' ++ fi ++ fi ++ # Uncomment the following if/fi pair to use multiple ++ # DNS matching when available. When multiple DNS matching ++ # is present, anything reading the /etc/resolv.conf file ++ # directly will probably not work as intended. 
++ #if [ -z "$CISCO_DEF_DOMAIN" ]; then ++ # Cannot use multiple DNS matching without a domain ++ OVERRIDE_PRIMARY='d.add OverridePrimary # 1' ++ #fi + scutil >/dev/null 2>&1 <<-EOF + open + d.init + d.add ServerAddresses * $INTERNAL_IP4_DNS + set State:/Network/Service/$TUNDEV/DNS +- get State:/Network/Global/IPv4 +- d.remove PrimaryService +- d.remove PrimaryInterface ++ d.init ++ d.add Router $INTERNAL_IP4_ADDRESS + d.add Addresses * $INTERNAL_IP4_ADDRESS + d.add SubnetMasks * 255.255.255.255 + d.add InterfaceName $TUNDEV ++ $OVERRIDE_PRIMARY + set State:/Network/Service/$TUNDEV/IPv4 + close + EOF +@@ -286,20 +306,6 @@ + close + EOF + fi +- # Uncomment the following if/fi pair to use multiple +- # DNS matching when available. When multiple DNS matching +- # is present, anything reading the /etc/resolv.conf file +- # directly will probably not work as intended. +- #if [ -z "$CISCO_DEF_DOMAIN" ]; then +- # Cannot use multiple DNS matching without a domain +- scutil >/dev/null 2>&1 <<-EOF +- open +- get State:/Network/Service/$TUNDEV/IPv4 +- d.add OverridePrimary # 1 +- set State:/Network/Service/$TUNDEV/IPv4 +- close +- EOF +- #fi + ;; + esac + fi +diff -urNad vpnc~/vpnc.c vpnc/vpnc.c +--- vpnc~/vpnc.c 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/vpnc.c 2007-03-11 19:14:21.000000000 +0100 +@@ -50,9 +50,44 @@ + #include "supp.h" + + #define ISAKMP_PORT (500) ++#define ISAKMP_PORT_NATT (4500) ++ ++const unsigned char VID_XAUTH[] = { /* draft-ietf-ipsec-isakmp-xauth-06.txt */ ++ 0x09, 0x00, 0x26, 0x89, 0xDF, 0xD6, 0xB7, 0x12 ++}; ++const unsigned char VID_DPD[] = { /* Dead Peer Detection, RFC 3706 */ ++ 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9, ++ 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00 ++}; ++const unsigned char VID_UNITY[] = { ++ 0x12, 0xF5, 0xF2, 0x8C, 0x45, 0x71, 0x68, 0xA9, ++ 0x70, 0x2D, 0x9F, 0xE2, 0x74, 0xCC, 0x01, 0x00 ++}; ++const unsigned char VID_UNKNOWN[] = { ++ 0x12, 0x6E, 0x1F, 0x57, 0x72, 0x91, 0x15, 0x3B, ++ 0x20, 0x48, 0x5F, 0x7F, 
0x15, 0x5B, 0x4B, 0xC8 ++}; ++const unsigned char VID_NATT_00[] = { /* draft-ietf-ipsec-nat-t-ike-00 */ ++ 0x44, 0x85, 0x15, 0x2d, 0x18, 0xb6, 0xbb, 0xcd, ++ 0x0b, 0xe8, 0xa8, 0x46, 0x95, 0x79, 0xdd, 0xcc ++}; ++const unsigned char VID_NATT_01[] = { /* draft-ietf-ipsec-nat-t-ike-01 */ ++ 0x16, 0xf6, 0xca, 0x16, 0xe4, 0xa4, 0x06, 0x6d, ++ 0x83, 0x82, 0x1a, 0x0f, 0x0a, 0xea, 0xa8, 0x62 ++}; ++const unsigned char VID_NATT_02[] = { /* draft-ietf-ipsec-nat-t-ike-02 */ ++ 0xcd, 0x60, 0x46, 0x43, 0x35, 0xdf, 0x21, 0xf8, ++ 0x7c, 0xfd, 0xb2, 0xfc, 0x68, 0xb6, 0xa4, 0x48 ++}; ++const unsigned char VID_NATT_02N[] = { /* draft-ietf-ipsec-nat-t-ike-02\n */ ++ 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E, ++ 0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F ++}; ++const unsigned char VID_NATT_RFC[] = { /* RFC 3947 */ ++ 0x4A, 0x13, 0x1C, 0x81, 0x07, 0x03, 0x58, 0x45, ++ 0x5C, 0x57, 0x28, 0xF2, 0x0E, 0x95, 0x45, 0x2F ++}; + +-static int timeout = 1000; /* 1 second */ +-static uint8_t *resend_hash = NULL; + + static uint8_t r_packet[2048]; + static ssize_t r_length; +@@ -101,7 +136,7 @@ + name.sin_addr = s->opt_src_ip; + name.sin_port = htons(src_port); + if (bind(sock, (struct sockaddr *)&name, sizeof(name)) < 0) +- error(1, errno, "binding to %s:%d", inet_ntoa(s->opt_src_ip), ntohs(src_port)); ++ error(1, errno, "binding to %s:%d", inet_ntoa(s->opt_src_ip), src_port); + + /* connect the socket */ + name.sin_family = AF_INET; +@@ -177,14 +212,14 @@ + hash_len = gcry_md_get_algo_dlen(GCRY_MD_SHA1); + resend_check_hash = malloc(hash_len); + gcry_md_hash_buffer(GCRY_MD_SHA1, resend_check_hash, recvbuf, recvsize); +- if (resend_hash && memcmp(resend_hash, resend_check_hash, hash_len) == 0) { ++ if (s->ike.resend_hash && memcmp(s->ike.resend_hash, resend_check_hash, hash_len) == 0) { + free(resend_check_hash); + return -1; + } +- if (!resend_hash) { +- resend_hash = resend_check_hash; ++ if (!s->ike.resend_hash) { ++ s->ike.resend_hash = resend_check_hash; + } else { +- 
memcpy(resend_hash, resend_check_hash, hash_len); ++ memcpy(s->ike.resend_hash, resend_check_hash, hash_len); + free(resend_check_hash); + } + +@@ -228,7 +263,7 @@ + break; + + do { +- pollresult = poll(&pfd, 1, timeout << tries); ++ pollresult = poll(&pfd, 1, s->ike.timeout << tries); + } while (pollresult == -1 && errno == EINTR); + + if (pollresult == -1) +@@ -259,10 +294,10 @@ + + /* Wait at least 2s for a response or 4 times the time it took + * last time. */ +- if (start == end) +- timeout = 2000; ++ if (start >= end) ++ s->ike.timeout = 2000; + else +- timeout = 4000 * (end - start); ++ s->ike.timeout = 4000 * (end - start); + + return recvsize; + } +@@ -500,12 +535,93 @@ + } + } + ++static void send_phase2_late(struct sa_block *s, struct isakmp_payload *pl, ++ uint8_t exchange_type, uint32_t msgid) ++{ ++ struct isakmp_packet *p; ++ uint8_t *p_flat; ++ size_t p_size; ++ ssize_t recvlen; ++ ++ /* Build up the packet. */ ++ p = new_isakmp_packet(); ++ memcpy(p->i_cookie, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH); ++ memcpy(p->r_cookie, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH); ++ p->flags = ISAKMP_FLAG_E; ++ p->isakmp_version = ISAKMP_VERSION; ++ p->exchange_type = exchange_type; ++ p->message_id = msgid; ++ p->payload = pl; ++ ++ flatten_isakmp_packet(p, &p_flat, &p_size, s->ike.ivlen); ++ free_isakmp_packet(p); ++ isakmp_crypt(s, p_flat, p_size, 1); ++ ++ s->ike.life.tx += p_size; ++ ++ recvlen = sendrecv(s, NULL, 0, p_flat, p_size, 1); ++ free(p_flat); ++} ++ + void keepalive_ike(struct sa_block *s) + { + uint32_t msgid; + + gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid)); +- sendrecv_phase2(s, NULL, ISAKMP_EXCHANGE_INFORMATIONAL, msgid, 1, 0, 0, 0, 0, 0, 0); ++ send_phase2_late(s, NULL, ISAKMP_EXCHANGE_INFORMATIONAL, msgid); ++} ++ ++static void send_dpd(struct sa_block *s, int isack, uint32_t seqno) ++{ ++ struct isakmp_payload *pl; ++ uint32_t msgid; ++ ++ pl = new_isakmp_payload(ISAKMP_PAYLOAD_N); ++ pl->u.n.doi = ISAKMP_DOI_IPSEC; ++ pl->u.n.protocol 
= ISAKMP_IPSEC_PROTO_ISAKMP; ++ pl->u.n.type = isack ? ISAKMP_N_R_U_THERE_ACK : ISAKMP_N_R_U_THERE; ++ pl->u.n.spi_length = 2 * ISAKMP_COOKIE_LENGTH; ++ pl->u.n.spi = xallocc(2 * ISAKMP_COOKIE_LENGTH); ++ memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH); ++ memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH); ++ pl->u.n.data_length = 4; ++ pl->u.n.data = xallocc(4); ++ memcpy(pl->u.n.data, &seqno, 4); ++ gcry_create_nonce((uint8_t *) & msgid, sizeof(msgid)); ++ send_phase2_late(s, pl, ISAKMP_EXCHANGE_INFORMATIONAL, msgid); ++} ++ ++void dpd_ike(struct sa_block *s) ++{ ++ if (!s->ike.do_dpd) ++ return; ++ ++ if (s->ike.dpd_seqno == s->ike.dpd_seqno_ack) { ++ /* Increase the sequence number, reset the attempts to 6, record ++ ** the current time and send a dpd request ++ */ ++ s->ike.dpd_attempts = 6; ++ s->ike.dpd_sent = time(NULL); ++ ++s->ike.dpd_seqno; ++ send_dpd(s, 0, s->ike.dpd_seqno); ++ } else { ++ /* Our last dpd request has not yet been acked. If it's been ++ ** less than 5 seconds since we sent it do nothing. Otherwise ++ ** decrement dpd_attempts. If dpd_attempts is 0 dpd fails and we ++ ** terminate otherwise we send it again with the same sequence ++ ** number and record current time. 
++ */ ++ time_t now = time(NULL); ++ if (now < s->ike.dpd_sent + 5) ++ return; ++ if (--s->ike.dpd_attempts == 0) { ++ DEBUG(2, printf("dead peer detected, terminating\n")); ++ do_kill = -2; ++ return; ++ } ++ s->ike.dpd_sent = now; ++ send_dpd(s, 0, s->ike.dpd_seqno); ++ } + } + + static void phase2_fatal(struct sa_block *s, const char *msg, int id) +@@ -858,28 +974,12 @@ + s->ipsec.life.kbytes = value; + } + +-static void do_phase_1(const char *key_id, const char *shared_key, struct sa_block *s) ++static void do_phase1(const char *key_id, const char *shared_key, struct sa_block *s) + { + unsigned char i_nonce[20]; + struct group *dh_grp; + unsigned char *dh_public; + unsigned char *returned_hash; +- static const uint8_t xauth_vid[] = XAUTH_VENDOR_ID; +- static const uint8_t unity_vid[] = UNITY_VENDOR_ID; +- static const uint8_t unknown_vid[] = UNKNOWN_VENDOR_ID; +- /* NAT traversal */ +- static const uint8_t natt_vid_00[] = NATT_VENDOR_ID_00; +- static const uint8_t natt_vid_01[] = NATT_VENDOR_ID_01; +- static const uint8_t natt_vid_02[] = NATT_VENDOR_ID_02; +- static const uint8_t natt_vid_02n[] = NATT_VENDOR_ID_02n; +- static const uint8_t natt_vid_rfc[] = NATT_VENDOR_ID_RFC; +-#if 0 +- static const uint8_t dpd_vid[] = DPD_VENDOR_ID; /* dead peer detection */ +- static const uint8_t my_vid[] = { +- 0x35, 0x53, 0x07, 0x6c, 0x4f, 0x65, 0x12, 0x68, 0x02, 0x82, 0xf2, 0x15, +- 0x8a, 0xa8, 0xa0, 0x9e +- }; +-#endif + + struct isakmp_packet *p1; + int seen_natt_vid = 0, seen_natd = 0, seen_natd_them = 0, seen_natd_us = 0, natd_type = 0; +@@ -927,30 +1027,28 @@ + else + l->u.id.type = ISAKMP_IPSEC_ID_USER_FQDN; + l->u.id.protocol = IPPROTO_UDP; +- l->u.id.port = 500; /* this must be 500, not local_port */ ++ l->u.id.port = ISAKMP_PORT; /* this must be 500, not local_port */ + l->u.id.length = strlen(key_id); + l->u.id.data = xallocc(l->u.id.length); + memcpy(l->u.id.data, key_id, strlen(key_id)); + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- xauth_vid, 
sizeof(xauth_vid)); ++ VID_XAUTH, sizeof(VID_XAUTH)); + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- unity_vid, sizeof(unity_vid)); ++ VID_UNITY, sizeof(VID_UNITY)); + if ((opt_natt_mode == NATT_NORMAL) || (opt_natt_mode == NATT_FORCE)) { + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- natt_vid_rfc, sizeof(natt_vid_rfc)); ++ VID_NATT_RFC, sizeof(VID_NATT_RFC)); + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- natt_vid_02n, sizeof(natt_vid_02n)); ++ VID_NATT_02N, sizeof(VID_NATT_02N)); + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- natt_vid_02, sizeof(natt_vid_02)); ++ VID_NATT_02, sizeof(VID_NATT_02)); + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- natt_vid_01, sizeof(natt_vid_01)); ++ VID_NATT_01, sizeof(VID_NATT_01)); + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- natt_vid_00, sizeof(natt_vid_00)); ++ VID_NATT_00, sizeof(VID_NATT_00)); + } +-#if 0 + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- dpd_vid, sizeof(dpd_vid)); +-#endif ++ VID_DPD, sizeof(VID_DPD)); + flatten_isakmp_packet(p1, &pkt, &pkt_len, 0); + + /* Now, send that packet and receive a new one. 
*/ +@@ -1127,40 +1225,48 @@ + hash = rp; + break; + case ISAKMP_PAYLOAD_VID: +- if (rp->u.vid.length == sizeof(xauth_vid) +- && memcmp(rp->u.vid.data, xauth_vid, +- sizeof(xauth_vid)) == 0) { ++ if (rp->u.vid.length == sizeof(VID_XAUTH) ++ && memcmp(rp->u.vid.data, VID_XAUTH, ++ sizeof(VID_XAUTH)) == 0) { + seen_xauth_vid = 1; +- } else if (rp->u.vid.length == sizeof(natt_vid_rfc) +- && memcmp(rp->u.vid.data, natt_vid_rfc, +- sizeof(natt_vid_rfc)) == 0) { ++ } else if (rp->u.vid.length == sizeof(VID_NATT_RFC) ++ && memcmp(rp->u.vid.data, VID_NATT_RFC, ++ sizeof(VID_NATT_RFC)) == 0) { + seen_natt_vid = 1; + if (natt_draft < 1) natt_draft = 2; + DEBUG(2, printf("peer is NAT-T capable (RFC 3947)\n")); +- } else if (rp->u.vid.length == sizeof(natt_vid_02n) +- && memcmp(rp->u.vid.data, natt_vid_02n, +- sizeof(natt_vid_02n)) == 0) { ++ } else if (rp->u.vid.length == sizeof(VID_NATT_02N) ++ && memcmp(rp->u.vid.data, VID_NATT_02N, ++ sizeof(VID_NATT_02N)) == 0) { + seen_natt_vid = 1; + if (natt_draft < 1) natt_draft = 2; + DEBUG(2, printf("peer is NAT-T capable (draft-02)\n\n")); +- } else if (rp->u.vid.length == sizeof(natt_vid_02) +- && memcmp(rp->u.vid.data, natt_vid_02, +- sizeof(natt_vid_02)) == 0) { ++ } else if (rp->u.vid.length == sizeof(VID_NATT_02) ++ && memcmp(rp->u.vid.data, VID_NATT_02, ++ sizeof(VID_NATT_02)) == 0) { + seen_natt_vid = 1; + if (natt_draft < 1) natt_draft = 2; + DEBUG(2, printf("peer is NAT-T capable (draft-02)\n")); +- } else if (rp->u.vid.length == sizeof(natt_vid_01) +- && memcmp(rp->u.vid.data, natt_vid_01, +- sizeof(natt_vid_01)) == 0) { ++ } else if (rp->u.vid.length == sizeof(VID_NATT_01) ++ && memcmp(rp->u.vid.data, VID_NATT_01, ++ sizeof(VID_NATT_01)) == 0) { + seen_natt_vid = 1; + if (natt_draft < 1) natt_draft = 1; + DEBUG(2, printf("peer is NAT-T capable (draft-01)\n")); +- } else if (rp->u.vid.length == sizeof(natt_vid_00) +- && memcmp(rp->u.vid.data, natt_vid_00, +- sizeof(natt_vid_00)) == 0) { ++ } else if (rp->u.vid.length == 
sizeof(VID_NATT_00) ++ && memcmp(rp->u.vid.data, VID_NATT_00, ++ sizeof(VID_NATT_00)) == 0) { + seen_natt_vid = 1; + if (natt_draft < 0) natt_draft = 0; + DEBUG(2, printf("peer is NAT-T capable (draft-00)\n")); ++ } else if (rp->u.vid.length == sizeof(VID_DPD) ++ && memcmp(rp->u.vid.data, VID_DPD, ++ sizeof(VID_DPD)) == 0) { ++ gcry_create_nonce(&s->ike.dpd_seqno, sizeof(s->ike.dpd_seqno)); ++ s->ike.dpd_seqno &= 0x7FFFFFFF; ++ s->ike.dpd_seqno_ack = s->ike.dpd_seqno; ++ s->ike.do_dpd = 1; ++ DEBUG(2, printf("peer is DPD capable (RFC3706)\n")); + } else { + hex_dump("unknown ISAKMP_PAYLOAD_VID: ", + rp->u.vid.data, rp->u.vid.length, NULL); +@@ -1408,9 +1514,9 @@ + memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 0, s->ike.i_cookie, ISAKMP_COOKIE_LENGTH); + memcpy(pl->u.n.spi + ISAKMP_COOKIE_LENGTH * 1, s->ike.r_cookie, ISAKMP_COOKIE_LENGTH); + pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- unknown_vid, sizeof(unknown_vid)); ++ VID_UNKNOWN, sizeof(VID_UNKNOWN)); + pl = pl->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- unity_vid, sizeof(unity_vid)); ++ VID_UNITY, sizeof(VID_UNITY)); + + /* include NAT traversal discovery payloads */ + if (seen_natt_vid) { +@@ -1457,9 +1563,9 @@ + if (natt_draft >= 2) { + s->ipsec.natt_active_mode = NATT_ACTIVE_RFC; + close(s->ike_fd); +- if (s->ike.src_port == 500) +- s->ike.src_port = 4500; +- s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port = 4500); ++ if (s->ike.src_port == ISAKMP_PORT) ++ s->ike.src_port = ISAKMP_PORT_NATT; ++ s->ike_fd = make_socket(s, s->ike.src_port, s->ike.dst_port = ISAKMP_PORT_NATT); + } else { + s->ipsec.natt_active_mode = NATT_ACTIVE_DRAFT_OLD; + } +@@ -1520,8 +1626,8 @@ + s->ike.dst_port = ISAKMP_PORT; + s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL; + s->ipsec.natt_active_mode = NATT_ACTIVE_NONE; +- if (s->ike.src_port == 4500) +- s->ike.src_port = 500; ++ if (s->ike.src_port == ISAKMP_PORT_NATT) ++ s->ike.src_port = ISAKMP_PORT; + close(s->ike_fd); + s->ike_fd = make_socket(s, 
s->ike.src_port, s->ike.dst_port); + DEBUG(2, printf("got cisco loadbalancing notice, diverting to %s\n", +@@ -1562,7 +1668,7 @@ + return reject; + } + +-static int do_phase_2_xauth(struct sa_block *s) ++static int do_phase2_xauth(struct sa_block *s) + { + struct isakmp_packet *r; + int loopcount; +@@ -1778,7 +1884,7 @@ + return 0; + } + +-static int do_phase_2_config(struct sa_block *s) ++static int do_phase2_config(struct sa_block *s) + { + struct isakmp_payload *rp; + struct isakmp_attribute *a; +@@ -2511,6 +2617,44 @@ + DEBUG(3, printf("do_rekey returned: %d\n", reject)); + return; + } ++ ++ if (r->exchange_type == ISAKMP_EXCHANGE_INFORMATIONAL) { ++ /* Search for notify payloads */ ++ for (rp = r->payload->next; rp; rp = rp->next) { ++ if (rp->type != ISAKMP_PAYLOAD_N) ++ continue; ++ /* did we get a DPD request or ACK? */ ++ if (rp->u.n.protocol != ISAKMP_IPSEC_PROTO_ISAKMP) { ++ DEBUG(2, printf("got non isakmp-notify, ignoring...\n")); ++ continue; ++ } ++ if (rp->u.n.type == ISAKMP_N_R_U_THERE) { ++ uint32_t seq; ++ if (rp->u.n.data_length != 4) { ++ DEBUG(2, printf("ignoring bad data length R-U-THERE request\n")); ++ continue; ++ } ++ memcpy(&seq, rp->u.n.data, 4); ++ send_dpd(s, 1, seq); ++ DEBUG(2, printf("got r-u-there request sent ack\n")); ++ continue; ++ } else if (rp->u.n.type == ISAKMP_N_R_U_THERE_ACK) { ++ uint32_t seqack; ++ if (rp->u.n.data_length != 4) { ++ DEBUG(2, printf("ignoring bad data length R-U-THERE-ACK\n")); ++ continue; ++ } ++ memcpy(&seqack, rp->u.n.data, 4); ++ if (seqack == s->ike.dpd_seqno) { ++ s->ike.dpd_seqno_ack = seqack; ++ } else { ++ DEBUG(2, printf("ignoring r-u-there ack %u (expecting %u)\n", seqack, s->ike.dpd_seqno)); ++ continue; ++ } ++ DEBUG(2, printf("got r-u-there ack\n")); ++ } ++ } ++ } + + /* check if our isakmp sa gets deleted */ + for (rp = r->payload->next; rp; rp = rp->next) { +@@ -2550,8 +2694,10 @@ + gcry_check_version("1.1.90"); + gcry_control(GCRYCTL_INIT_SECMEM, 16384, 0); + group_init(); ++ + 
memset(s, 0, sizeof(*s)); + s->ipsec.encap_mode = IPSEC_ENCAP_TUNNEL; ++ s->ike.timeout = 1000; /* 1 second */ + + do_config(argc, argv); + +@@ -2560,6 +2706,7 @@ + DEBUG(1, printf("vpnc version " VERSION "\n")); + DEBUG(2, printf("S1\n")); + init_sockaddr(&s->dst, config[CONFIG_IPSEC_GATEWAY]); ++ init_sockaddr(&s->opt_src_ip, config[CONFIG_LOCAL_ADDR]); + DEBUG(2, printf("S2\n")); + s->ike.src_port = atoi(config[CONFIG_LOCAL_PORT]); + s->ike.dst_port = ISAKMP_PORT; +@@ -2570,13 +2717,13 @@ + do_load_balance = 0; + do { + DEBUG(2, printf("S4\n")); +- do_phase_1(config[CONFIG_IPSEC_ID], config[CONFIG_IPSEC_SECRET], s); ++ do_phase1(config[CONFIG_IPSEC_ID], config[CONFIG_IPSEC_SECRET], s); + DEBUG(2, printf("S5\n")); + if (s->ike.auth_algo == IKE_AUTH_XAUTHInitPreShared) +- do_load_balance = do_phase_2_xauth(s); ++ do_load_balance = do_phase2_xauth(s); + DEBUG(2, printf("S6\n")); + if ((opt_vendor != VENDOR_NETSCREEN) && (do_load_balance == 0)) +- do_load_balance = do_phase_2_config(s); ++ do_load_balance = do_phase2_config(s); + } while (do_load_balance); + DEBUG(2, printf("S7\n")); + setup_link(s); +diff -urNad vpnc~/vpnc.h vpnc/vpnc.h +--- vpnc~/vpnc.h 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/vpnc.h 2007-03-11 19:14:21.000000000 +0100 +@@ -25,5 +25,6 @@ + + void process_late_ike(struct sa_block *s, uint8_t *r_packet, ssize_t r_length); + void keepalive_ike(struct sa_block *s); ++void dpd_ike(struct sa_block *s); + + #endif --- vpnc-0.4.0.orig/debian/patches/04_debianitis.dpatch +++ vpnc-0.4.0/debian/patches/04_debianitis.dpatch 
@@ -0,0 +1,218 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 04_debianitis.dpatch by Eduard Bloch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad vpnc~/config.c vpnc/config.c +--- vpnc~/config.c 2007-02-19 22:32:32.000000000 +0100 ++++ vpnc/config.c 2007-03-11 18:47:58.000000000 +0100 +@@ -264,6 +264,16 @@ + return "cisco"; + } + ++static const char *config_def_networks_list(void) ++{ ++ return ""; ++} ++ ++static const char *config_def_dns_update(void) ++{ ++ return "Yes"; ++} ++ + static const struct config_names_s { + enum config_enum nm; + const int needsArgument; +@@ -476,7 +486,29 @@ + NULL, + "Don't ask anything, exit on missing options", + NULL +- }, { ++ }, ++ ++ ++ { ++ CONFIG_DNS_UPDATE, 1, 1, ++ "--dns-update", ++ "DNSUpdate", ++ "", ++ "DEPRECATED extension, see README.Debian for details", ++ config_def_dns_update ++ }, ++ ++ { ++ CONFIG_TARGET_NETWORKS, 1, 1, ++ "--target-networks", ++ "Target Networks", ++ NULL, ++ "DEPRECATED extension, see README.Debian for details", ++ config_def_networks_list ++ }, ++ ++ ++ { + 0, 0, 0, NULL, NULL, NULL, NULL, NULL + } + }; +diff -urNad vpnc~/config.h vpnc/config.h +--- vpnc~/config.h 2007-02-19 22:32:32.000000000 +0100 ++++ vpnc/config.h 2007-03-11 18:47:58.000000000 +0100 +@@ -53,6 +53,13 @@ + CONFIG_VENDOR, + CONFIG_NATT_MODE, + CONFIG_UDP_ENCAP_PORT, ++ ++ ++ ++ CONFIG_DNS_UPDATE, ++ CONFIG_TARGET_NETWORKS, ++ ++ + LAST_CONFIG + }; + +diff -urNad vpnc~/vpnc-script vpnc/vpnc-script +--- vpnc~/vpnc-script 2007-03-11 18:47:45.000000000 +0100 ++++ vpnc/vpnc-script 2007-03-11 18:48:06.000000000 +0100 +@@ -74,8 +75,9 @@ + else # can't open /dev/net/tun + test -e /proc/sys/kernel/modprobe && `cat /proc/sys/kernel/modprobe` tun 2>/dev/null + # fix for broken devfs in kernel 2.6.x +- if [ "`readlink /dev/net/tun`" = misc/net/tun \ +- -a ! 
-e /dev/net/misc/net/tun -a -e /dev/misc/net/tun ] ; then ++ if [ "`readlink /dev/net/tun`" = misc/net/tun ] && \ ++ [ ! -e /dev/net/misc/net/tun ] && \ ++ [ -e /dev/misc/net/tun ] ; then + ln -sf /dev/misc/net/tun /dev/net/tun + fi + # make sure tun device exists +@@ -107,7 +109,7 @@ + } + + do_ifconfig() { +- ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu 1412 up ++ ifconfig "$TUNDEV" inet "$INTERNAL_IP4_ADDRESS" $ifconfig_syntax_ptp "$INTERNAL_IP4_ADDRESS" netmask 255.255.255.255 mtu 1390 up + } + + destroy_tun_device() { +@@ -212,6 +214,26 @@ + fi + + write_resolvconf() { ++ ++ case "$DNS_UPDATE" in ++ *no|*NO|*No|*nO) ++ return; ++ ;; ++ esac ++ ++ if [ -x /sbin/resolvconf ] ; then ++ ( ++ if [ "$CISCO_DEF_DOMAIN" ] ; then ++ echo domain "$CISCO_DEF_DOMAIN" ++ echo search "$CISCO_DEF_DOMAIN" ++ fi ++ for ip in "$INTERNAL_IP4_DNS" ; do ++ echo nameserver $ip ++ done ++ ) | /sbin/resolvconf -a $TUNDEV ++ return ++ fi ++ + grep '^#@VPNC_GENERATED@' /etc/resolv.conf > /dev/null 2>&1 || cp -- /etc/resolv.conf "$RESOLV_CONF_BACKUP" + NEW_RESOLVCONF="#@VPNC_GENERATED@ -- this file is generated by vpnc + # and will be overwritten by vpnc +@@ -306,6 +328,19 @@ + } + + reset_resolvconf() { ++ ++ if [ -x /sbin/resolvconf ] ; then ++ /sbin/resolvconf -d "$TUNDEV" ++ return ++ fi ++ ++ case "$DNS_UPDATE" in ++ *no|*NO|*No|*nO) ++ return ++ ;; ++ esac ++ ++ + if [ ! -e "$RESOLV_CONF_BACKUP" ]; then + return + fi +@@ -331,6 +366,26 @@ + } + + do_connect() { ++ # Debian specific, insert your code there to avoid modification of ++ # conffiles like this script ++ if [ -r /etc/vpnc/vpnc-script-connect-action ] ; then ++ . 
/etc/vpnc/vpnc-script-connect-action ++ fi ++ # backwards compatibility mapping for old extensions ++ if test "$TARGET_NETWORKS" ; then ++ i=0 ++ for network in $TARGET_NETWORKS ; do ++ eval CISCO_SPLIT_INC_${i}_ADDR=`echo $network | cut -f1 -d/` ++ eval CISCO_SPLIT_INC_${i}_MASKLEN=`echo $network | cut -f2 -d/` ++ eval CISCO_SPLIT_INC_${i}_MASK=$( perl -e '$ARGV[0]=~s,.*/,,;$m=(2**$ARGV[0]-1)<<(32-$ARGV[0]);printf "%d.%d.%d.%d\n", $m>>24 & 0xff, $m>>16 & 0xff, $m>>8 & 0xff, $m & 0xff;' $network ) ++ eval CISCO_SPLIT_INC_${i}_PROTOCOL=0 ++ eval CISCO_SPLIT_INC_${i}_SPORT=0 ++ eval CISCO_SPLIT_INC_${i}_DPORT=0 ++ i=`expr $i + 1` ++ done ++ CISCO_SPLIT_INC=$i ++ fi ++ + if [ -n "$CISCO_BANNER" ]; then + echo "Connect Banner:" + echo "$CISCO_BANNER" | while read LINE ; do echo "|" "$LINE" ; done +@@ -358,9 +413,21 @@ + if [ -n "$INTERNAL_IP4_DNS" ]; then + write_resolvconf + fi ++ ++ if [ -r /etc/vpnc/vpnc-script-post-connect-action ] ; then ++ . /etc/vpnc/vpnc-script-post-connect-action ++ fi ++ + } + + do_disconnect() { ++ ++ # Debian specific, insert your code there to avoid modification of ++ # conffiles like this script ++ if [ -r /etc/vpnc/vpnc-script-disconnect-action ] ; then ++ . /etc/vpnc/vpnc-script-disconnect-action ++ fi ++ + destroy_tun_device + if [ -n "$CISCO_SPLIT_INC" ]; then + i=0 +@@ -386,6 +453,9 @@ + if [ -n "$INTERNAL_IP4_DNS" ]; then + reset_resolvconf + fi ++ if [ -r /etc/vpnc/vpnc-script-post-disconnect-action ] ; then ++ . 
/etc/vpnc/vpnc-script-post-disconnect-action ++ fi + } + + #### +diff -urNad vpnc~/vpnc.c vpnc/vpnc.c +--- vpnc~/vpnc.c 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/vpnc.c 2007-03-11 18:47:58.000000000 +0100 +@@ -157,6 +157,9 @@ + { + setenv("VPNGATEWAY", inet_ntoa(s->dst), 1); + setenv("reason", "connect", 1); ++ // DEPRECATED, Debian specific ++ setenv("DNS_UPDATE", config[CONFIG_DNS_UPDATE], 1); ++ setenv("TARGET_NETWORKS", config[CONFIG_TARGET_NETWORKS], 1); + system(config[CONFIG_SCRIPT]); + } + --- vpnc-0.4.0.orig/debian/patches/08_auth_failed_return_code.dpatch +++ vpnc-0.4.0/debian/patches/08_auth_failed_return_code.dpatch @@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_auth_failed_return_code.dpatch by Soren Hansen +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad vpnc-0.4.0~/vpnc.c vpnc-0.4.0/vpnc.c +--- vpnc-0.4.0~/vpnc.c 2007-03-14 13:48:59.000000000 +0100 ++++ vpnc-0.4.0/vpnc.c 2007-03-14 13:49:28.000000000 +0100 +@@ -1370,7 +1370,7 @@ + expected_hash = gcry_md_read(hm, 0); + + if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0) { +- error(1, 0, "hash comparison failed: %s(%d)\ncheck group password!", ++ error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!", + val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array), + ISAKMP_N_AUTHENTICATION_FAILED); + } --- vpnc-0.4.0.orig/debian/patches/00list +++ vpnc-0.4.0/debian/patches/00list @@ -0,0 +1,7 @@ +03_vpnc.8 +04_debianitis +05_vpnc.conf +06_stolen_from_head +07_gcc_optimizations.dpatch +08_auth_failed_return_code.dpatch +09_dpd_timer_disable --- vpnc-0.4.0.orig/debian/patches/09_dpd_timer_disable.dpatch +++ vpnc-0.4.0/debian/patches/09_dpd_timer_disable.dpatch 
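Review bot: In the new resolvconf branch of `write_resolvconf`, `for ip in "$INTERNAL_IP4_DNS"` quotes the whole value, so the loop runs exactly once; if the gateway supplied several servers as a space-separated list (which the unquoted `echo nameserver $ip` suggests is expected), they all land on one `nameserver a b` line and only the first is honoured by the resolver. The fix is `for ip in $INTERNAL_IP4_DNS ; do echo nameserver "$ip" ; done` — the changelog's 0.2-rm+zomb.1-3 entry records the same correction for the old vpnc-connect. The `case "$DNS_UPDATE"` guard only matches values ending in no/No/NO/nO, so `false` or `No ` with trailing whitespace still rewrites resolv.conf; a comment naming the accepted spellings next to the pattern would make that intentional rather than accidental. In `do_connect` each `$TARGET_NETWORKS` token goes straight into `eval CISCO_SPLIT_INC_${i}_...=...`; the config file is root-owned so this is not an exposure, but a format check on `$network` before the `eval` lines would turn a typo into an error instead of shell input.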
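Review bot: Only the group-password hash-mismatch path now exits with status 2; if vpnc.c has other authentication-failure exits (an XAUTH rejection, for instance — not visible here), they presumably still return 1, so a caller keyed on status 2 will miss them. Nothing in the source records what the new status means, which makes it easy for the next edit to fold it back to 1; a line above the call, `/* exit status 2 marks an authentication failure (Debian-specific), distinct from generic errors */`, would fix that. The enclosing function starts and ends outside the hunk.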
@@ -0,0 +1,189 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 09_dpd_timer_disable.dpatch by James Tait +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad vpnc-0.4.0~/config.c vpnc-0.4.0/config.c +--- vpnc-0.4.0~/config.c 2007-05-11 21:59:22.000000000 +0100 ++++ vpnc-0.4.0/config.c 2007-05-11 22:02:41.000000000 +0100 +@@ -244,6 +244,11 @@ + return "10000"; + } + ++static const char *config_def_dpd_idle(void) ++{ ++ return "0"; ++} ++ + static const char *config_def_app_version(void) + { + struct utsname uts; +@@ -282,7 +287,7 @@ + static const struct config_names_s { + enum config_enum nm; + const int needsArgument; +- const int lvl; ++ const int long_only; + const char *option; + const char *name; + const char *type; +@@ -486,12 +491,20 @@ + "--udp-port", + "Cisco UDP Encapsulation Port ", + "<0-65535>", +- "local UDP port number to use (0 == use random port)\n" ++ "Local UDP port number to use (0 == use random port)\n" + "This is only relevant if cisco-udp nat-traversal is used.\n" + "This is the _local_ port, the remote udp port is discovered automatically.\n" + "It is especially not the cisco-tcp port\n", + config_def_udp_port + }, { ++ CONFIG_DPD_IDLE, 1, 1, ++ "--dpd-idle", ++ "DPD idle timeout (our side) ", ++ "<0,10-86400>", ++ "Send DPD packet after not receiving anything for seconds.\n" ++ "Use 0 to disable DPD completely (both ways).\n", ++ config_def_dpd_idle ++ }, { + CONFIG_NON_INTERACTIVE, 0, 1, + "--non-inter", + "Noninteractive", +@@ -612,7 +625,7 @@ + printf("%s%s\n", pre, p); + } + +-static void print_usage(char *argv0, int long_help) ++static void print_usage(char *argv0, int print_level) + { + int c; + +@@ -620,7 +633,7 @@ + argv0); + printf("Legend:\n"); + for (c = 0; config_names[c].name != NULL; c++) { +- if (config_names[c].lvl > long_help) ++ if (config_names[c].long_only > print_level) + continue; + + printf(" %s %s\n" +@@ -639,7 +652,7 @@ + printf("\n"); + } + +- if 
(!long_help) ++ if (!print_level) + printf("Use --long-help to see all options\n\n"); + + printf("Report bugs to vpnc@unix-ag.uni-kl.de\n"); +diff -urNad vpnc-0.4.0~/config.h vpnc-0.4.0/config.h +--- vpnc-0.4.0~/config.h 2007-05-11 21:59:22.000000000 +0100 ++++ vpnc-0.4.0/config.h 2007-05-11 21:59:22.000000000 +0100 +@@ -54,6 +54,7 @@ + CONFIG_VENDOR, + CONFIG_NATT_MODE, + CONFIG_UDP_ENCAP_PORT, ++ CONFIG_DPD_IDLE, + + + +diff -urNad vpnc-0.4.0~/tunip.c vpnc-0.4.0/tunip.c +--- vpnc-0.4.0~/tunip.c 2007-05-11 21:59:22.000000000 +0100 ++++ vpnc-0.4.0/tunip.c 2007-05-11 21:59:22.000000000 +0100 +@@ -838,9 +838,9 @@ + + if (s->ike.do_dpd) { + /* send initial dpd request */ +- next_ike_dpd = time(NULL) + 300; ++ next_ike_dpd = time(NULL) + s->ike.dpd_idle; + dpd_ike(s); +- normal_timeout.tv_sec = 300; ++ normal_timeout.tv_sec = s->ike.dpd_idle; + normal_timeout.tv_usec = 0; + } + +@@ -884,11 +884,11 @@ + select_timeout.tv_sec = 5; + select_timeout.tv_usec = 0; + dpd_ike(s); +- next_ike_dpd = now + 300; ++ next_ike_dpd = now + s->ike.dpd_idle; + } + else if (now >= next_ike_dpd) { + dpd_ike(s); +- next_ike_dpd = now + 300; ++ next_ike_dpd = now + s->ike.dpd_idle; + } + } + } +@@ -945,13 +945,13 @@ + if (s->ike.do_dpd) { + if (s->ike.dpd_seqno != s->ike.dpd_seqno_ack) { + dpd_ike(s); +- next_ike_dpd = now + 300; ++ next_ike_dpd = now + s->ike.dpd_idle; + if (now + 5 < next_up) + next_up = now + 5; + } + else if (now >= next_ike_dpd) { + dpd_ike(s); +- next_ike_dpd = now + 300; ++ next_ike_dpd = now + s->ike.dpd_idle; + } + if (next_ike_dpd < next_up) + next_up = next_ike_dpd; +diff -urNad vpnc-0.4.0~/tunip.h vpnc-0.4.0/tunip.h +--- vpnc-0.4.0~/tunip.h 2007-05-11 21:59:22.000000000 +0100 ++++ vpnc-0.4.0/tunip.h 2007-05-11 21:59:22.000000000 +0100 +@@ -92,6 +92,7 @@ + uint8_t *current_iv; + struct lifetime life; + int do_dpd; ++ int dpd_idle; + uint32_t dpd_seqno; + uint32_t dpd_seqno_ack; + time_t dpd_sent; +diff -urNad vpnc-0.4.0~/vpnc.c vpnc-0.4.0/vpnc.c +--- 
vpnc-0.4.0~/vpnc.c 2007-05-11 21:59:22.000000000 +0100 ++++ vpnc-0.4.0/vpnc.c 2007-05-11 21:59:22.000000000 +0100 +@@ -1050,8 +1050,15 @@ + l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, + VID_NATT_00, sizeof(VID_NATT_00)); + } +- l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, +- VID_DPD, sizeof(VID_DPD)); ++ s->ike.dpd_idle = atoi(config[CONFIG_DPD_IDLE]); ++ if (s->ike.dpd_idle != 0) { ++ if (s->ike.dpd_idle < 10) ++ s->ike.dpd_idle = 10; ++ if (s->ike.dpd_idle > 86400) ++ s->ike.dpd_idle = 86400; ++ l = l->next = new_isakmp_data_payload(ISAKMP_PAYLOAD_VID, ++ VID_DPD, sizeof(VID_DPD)); ++ } + flatten_isakmp_packet(p1, &pkt, &pkt_len, 0); + + /* Now, send that packet and receive a new one. */ +@@ -1265,11 +1272,15 @@ + } else if (rp->u.vid.length == sizeof(VID_DPD) + && memcmp(rp->u.vid.data, VID_DPD, + sizeof(VID_DPD)) == 0) { +- gcry_create_nonce(&s->ike.dpd_seqno, sizeof(s->ike.dpd_seqno)); +- s->ike.dpd_seqno &= 0x7FFFFFFF; +- s->ike.dpd_seqno_ack = s->ike.dpd_seqno; +- s->ike.do_dpd = 1; +- DEBUG(2, printf("peer is DPD capable (RFC3706)\n")); ++ if (s->ike.dpd_idle != 0) { ++ gcry_create_nonce(&s->ike.dpd_seqno, sizeof(s->ike.dpd_seqno)); ++ s->ike.dpd_seqno &= 0x7FFFFFFF; ++ s->ike.dpd_seqno_ack = s->ike.dpd_seqno; ++ s->ike.do_dpd = 1; ++ DEBUG(2, printf("peer is DPD capable (RFC3706)\n")); ++ } else { ++ DEBUG(2, printf("ignoring that peer is DPD capable (RFC3706)\n")); ++ } + } else { + hex_dump("unknown ISAKMP_PAYLOAD_VID: ", + rp->u.vid.data, rp->u.vid.length, NULL); --- vpnc-0.4.0.orig/debian/patches/03_vpnc.8.dpatch +++ vpnc-0.4.0/debian/patches/03_vpnc.8.dpatch 
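Review bot: `s->ike.dpd_idle = atoi(config[CONFIG_DPD_IDLE]);` accepts any string: a non-numeric value silently becomes 0 and turns DPD off, while a negative value is clamped up to 10 and turns it on, which is the opposite of what the advertised range `<0,10-86400>` suggests. Parsing with `strtol` and an end-pointer check, and rejecting `*end != '\0'` or a negative result through the file's `error()` routine, would make a bad setting a startup failure rather than a silent policy change. The clamping to 10 / 86400 is also silent; a `DEBUG(1, printf(...))` when the value is adjusted would tell an operator why their configured interval is not the one in use. The enclosing function starts and ends outside the hunk.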
@@ -0,0 +1,80 @@ +#! /bin/sh -e +## 03_vpnc.8.dpatch by Eduard Bloch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +if [ $# -lt 1 ]; then + echo "`basename $0`: script expects -patch|-unpatch as argument" >&2 + exit 1 +fi + +[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts +patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}" + +case "$1" in + -patch) patch -p1 ${patch_opts} < $0;; + -unpatch) patch -R -p1 ${patch_opts} < $0;; + *) + echo "`basename $0`: script expects -patch|-unpatch as argument" >&2 + exit 1;; +esac + +exit 0 + +@DPATCH@ +diff -urNad vpnc~/vpnc.8 vpnc/vpnc.8 +--- vpnc~/vpnc.8 2007-02-19 22:33:09.000000000 +0100 ++++ vpnc/vpnc.8 2007-02-19 22:36:42.000000000 +0100 +@@ -20,6 +20,10 @@ + on BSD. The created connection is presented as a tunneling network + device to the local system. + .PP ++OBLICATORY WARNING: the most used configuration (XAUTH authentication) ++is insecure by design, be aware of this fact when you use vpnc to ++exchange sensitive data like passwords! ++.PP + The vpnc daemon by itself does not set any routes, but it calls + \fBvpnc\-script\fR to do this job. \fBvpnc\-script\fR displays + a connect banner. If the concentrator supplies a network list +@@ -138,6 +142,40 @@ + disabling /etc/resolv.conf rewriting is documented in the README of the + vpnc package. + ++.SH ADVANCED USAGE ++The vpnc-connect stript shipped with Debian has some additional ++features: ++.IP "Custom route setting" ++By default, the default route is deleted after connection and replaced ++with the new one (going trough the VPN tunnel device). However, some ++people wish to limit the target address range to few IP ranges. ++This can be done using the config directive ++.B Target networks ++in the config file. 
For example: ++.RS ++.PD 0 ++Target networks 123.234.210.0/24 10.1.0.0/16 ++.PD ++.RE ++.IP "Multiple config profiles management" ++You can have multiple config files and select one on connection by ++specifying a short profile name instead of a config file path. In this ++case, the file ++.I /etc/vpnc/PROFILE.conf ++is used as config file (where PROFILE is the short profile name). ++.IP "/etc/resolv.conf update" ++If the package ++.B resolvconf ++is installed and the VPN gateway sends some DNS server data, the ++script will use resolution to integrate the received data into ++.I /etc/resolv.conf. ++To disable this behaviour, set the config directive ++.I DNSUpdate ++to the ++.I "no" ++value. ++ ++ + .SH TODO + .PD 0 + Certificate support (Pre-Shared-Key + XAUTH is known to be insecure). --- vpnc-0.4.0.orig/debian/patches/07_gcc_optimizations.dpatch +++ vpnc-0.4.0/debian/patches/07_gcc_optimizations.dpatch @@ -0,0 +1,19 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 07_gcc_optimizations.dpatch by William Grant +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ +diff -urNad vpnc-0.4.0~/Makefile vpnc-0.4.0/Makefile +--- vpnc-0.4.0~/Makefile 2007-02-19 21:51:12.000000000 +0100 ++++ vpnc-0.4.0/Makefile 2007-03-14 13:48:16.000000000 +0100 +@@ -35,7 +35,7 @@ + RELEASE_VERSION := $(shell cat VERSION) + + CC=gcc +-CFLAGS += -W -Wall -O3 -Wmissing-declarations -Wwrite-strings -g ++CFLAGS += -W -Wall -O0 -Wmissing-declarations -Wwrite-strings -g + CPPFLAGS = -DVERSION=\"$(VERSION)\" + LDFLAGS = -g $(shell libgcrypt-config --libs) + CFLAGS += $(shell libgcrypt-config --cflags) --- vpnc-0.4.0.orig/debian/patches/05_vpnc.conf.dpatch +++ vpnc-0.4.0/debian/patches/05_vpnc.conf.dpatch 
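Review bot: `-O0` replaces `-O3` with no comment in the Makefile saying why; the changelog entry for 0.3.3+SVN20051028-3ubuntu2 says any GCC 4.1 optimisation breaks the binary, which more often indicates undefined behaviour in the source (strict aliasing is the usual suspect in packet-parsing code) than a compiler bug, so `-O0` masks the problem rather than fixing it. A line above the flag, `# -O0: vpnc breaks with GCC 4.1 optimisation enabled, see debian/changelog`, would keep a later cleanup from reverting it, and building once with `-O2 -fno-strict-aliasing` would narrow the cause. Note also that debian/rules defines its own `CFLAGS` (ending in `-O2`), which the Makefile's `CFLAGS +=` would only see if that variable were exported to the sub-make — worth confirming which setting actually wins.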
@@ -0,0 +1,50 @@ +#! /bin/sh -e +## 05_vpnc.conf.dpatch by Eduard Bloch +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +if [ $# -lt 1 ]; then + echo "`basename $0`: script expects -patch|-unpatch as argument" >&2 + exit 1 +fi + +[ -f debian/patches/00patch-opts ] && . debian/patches/00patch-opts +patch_opts="${patch_opts:--f --no-backup-if-mismatch} ${2:+-d $2}" + +case "$1" in + -patch) patch -p1 ${patch_opts} < $0;; + -unpatch) patch -R -p1 ${patch_opts} < $0;; + *) + echo "`basename $0`: script expects -patch|-unpatch as argument" >&2 + exit 1;; +esac + +exit 0 + +@DPATCH@ +diff -urNad vpnc/vpnc.conf /tmp/dpep.fwDvsW/vpnc/vpnc.conf +--- vpnc/vpnc.conf 2004-11-13 16:00:17.000000000 +0100 ++++ /tmp/dpep.fwDvsW/vpnc/vpnc.conf 2004-11-23 19:00:49.000000000 +0100 +@@ -1,4 +1,17 @@ +-IPSec gateway 131.246.118.240 +-IPSec ID unikl +-IPSec secret unikl +-Xauth username abcdef ++IPSec gateway 192.0.2.32 ++IPSec ID myGroup ++IPSec secret myGroupPWD ++Xauth username myUserName ++ ++# OPTIONAL ++# ======== ++ ++# ++# ++# Varios options not undestood by vpnc itself but by some other scripts ++# ++# Target networks 123.234.210.0/24 10.1.0.0/16 ++# If Target networks is defined here, the default route is not replaced! ++ ++# Don't update resolv.conf though resolvconf is installed ++# DNSUpdate no --- vpnc-0.4.0.orig/debian/patches/debian/patches/08_auth_failed_return_code.dpatch +++ vpnc-0.4.0/debian/patches/debian/patches/08_auth_failed_return_code.dpatch @@ -0,0 +1,7 @@ +#! /bin/sh /usr/share/dpatch/dpatch-run +## 08_auth_failed_return_code.dpatch by Michael Bienia +## +## All lines beginning with `## DP:' are a description of the patch. +## DP: No description. + +@DPATCH@ --- vpnc-0.4.0.orig/debian/docs +++ vpnc-0.4.0/debian/docs @@ -0,0 +1,2 @@ +README +TODO --- vpnc-0.4.0.orig/debian/README.Debian +++ vpnc-0.4.0/debian/README.Debian 
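Review bot: `debian/patches/debian/patches/08_auth_failed_return_code.dpatch` is a header-only dpatch — nothing follows `@DPATCH@` — sitting at a doubly nested path, which looks like a misplaced copy of the real `08_auth_failed_return_code.dpatch` added earlier in this diff. It is not listed in `00list`, so it is inert, but it ships in the source package and will mislead whoever next touches the patch set; dropping the stray file is the fix.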
@@ -0,0 +1,66 @@ +vpnc for Debian +=============== + +The Debian version of vpnc has few improvements compared to the +upstream version, mainly in the daemon invocation script. The +vpnc-connect script works with multiple "profile" files, so you can +manage multiple configurations easily. See vpnc-connect manpage for +details. + +UPGRADE NOTES +============= + +If you have been using Debian-specific extensions with "Target networks" and +"DNSupdate" directives, consider changing your praxis to use the official +upstream configuration way now. See /usr/share/doc/vpnc/README.gz file for +details about replacing network routes with custom ones using the variables of +vpnc-script. You can either wrap /etc/vpnc/vpnc-script into a custom script +which presets those variables (like documented in the example in README.gz) or +use vpnc-script-connect-action and vpnc-script-disconnect-action scripts to set +them separately (see below), which may or may not be wanted depending on your +setup. Or you can symlink them to have the same config in the both phases. + +The same applies to the disabling of DNS data update. The old methods are +preserved with compatibility wrappers for the near future but should be avoided +with new installations. + + +CONFIGURATION +============= + +To generate a sample config file for vpnc/vpnc-connect, copy +/etc/vpnc/example.conf to a config file with the appropriate name. Or use the +pcf2vpnc script to convert existing pcf files (Cisco client configuration), +running the following command (replace myvpn with your VPN name): + +/usr/share/vpnc/pcf2vpnc myvpn.pcf > /etc/vpnc/myvpn.conf + +You may edit the resulting file to add the remote username. + +In order to use the DNS server reported by the VPN server, please install the +resolvconf package. + +You may place commands to be run on connect to or disconnect from the +VPN server in /etc/vpnc/vpnc-script-connect-action and +/etc/vpnc/vpnc-script-disconnect-action respectively. 
These scripts +are sourced by /etc/vpnc/vpnc-script, see the comments at the top of +that file for the environment variables you have access to. There are also +possible /etc/vpnc/vpnc-script-post-connect-action and +/etc/vpnc/vpnc-script-post-disconnect-action executed after the link +configuration or shutdown. + +(IN)SECURITY WARNING +==================== + +Following this URL: + + + +and making simple considerations about the key exchange protocol shows +that the methods are inherently insecure. The scrambled key does not +really protect privacy, and there is nothing to prevent possible +man-in-the-middle-attacks. Though IPsec is used for data transfer, +simple XAUTH without certificates is not a secure way to pass the +login data! Be aware of this fact when you enter a password! + + -- Eduard Bloch -- Fri, 14 Apr 2006 23:08:54 +0200 --- vpnc-0.4.0.orig/debian/vpnc.examples +++ vpnc-0.4.0/debian/vpnc.examples @@ -0,0 +1 @@ +vpnc.conf --- vpnc-0.4.0.orig/debian/vpnc.dirs +++ vpnc-0.4.0/debian/vpnc.dirs @@ -0,0 +1,3 @@ +usr/sbin +var/run/vpnc +usr/share/vpnc --- vpnc-0.4.0.orig/debian/changelog +++ vpnc-0.4.0/debian/changelog 
@@ -0,0 +1,312 @@ +vpnc (0.4.0-2ubuntu2) gutsy; urgency=low + + * Apply r170 from SVN trunk to help resolve immediate disconnections due to + dead peer detection (dpd). Adds the --dpd-idle command line option which + can be set to 0 to disable dead peer detection. + * Change the default for --dpd-idle from 300 to 0 (disables dpd). + * LP: #93413 + + -- James Tait Fri, 11 May 2007 21:34:52 +0100 + +vpnc (0.4.0-2ubuntu1) feisty; urgency=low + + * Merge from debian unstable, remaining changes: + - gcc optimizations + - auth failed return code + - Update maintainer field in debian/control + * UVF exception: LP: #91467 + + -- Luca Falavigna Mon, 05 Mar 2007 12:46:15 +0000 + +vpnc (0.4.0-2) unstable; urgency=medium + + * proper increment variable picking when emulating Target networks + directive (closes: #412784) + * small bug in resolv.conf update forbidding directive handling fixed, + it was causing unuseable resolv.conf in certain cases + * 06_stolen_from_head.dpatch: upstream fixes in Revision 159 + (closes: #411668) + + -- Eduard Bloch Sun, 11 Mar 2007 18:48:27 +0100 + +vpnc (0.4.0-1) unstable; urgency=low + + * New upstream release + + GNU/kFreeBSD related fixes (closes: #400740) + + Supports phase2 rekeying (closes: #411108) + + auto-creating /var/run/vpnc (closes: #403783) + * Old config handling extensions replaced with wrappers to upstream + vpnc-script function variables which are declared official now + (closes: #399131) + * more connect/shutdown hooks (closes: #366257) + * not depending on iproute, though old extensions may not work without it + but users are warned in that case (closes: #393848) + + -- Eduard Bloch Mon, 19 Feb 2007 22:33:12 +0100 + +vpnc (0.3.3+SVN20051028-3ubuntu3) feisty; urgency=low + + * Exit with return code 2 when authentication fails. 
(Closes: LP#89735) + * Update maintainer field in debian/control + + -- Soren Hansen Sun, 4 Mar 2007 23:06:46 +0100 + +vpnc (0.3.3+SVN20051028-3ubuntu2) edgy; urgency=low + + * Now build with -O0, as any GCC 4.1 optimizations cause it to break (closes + Malone #53341). + + -- William Alexander Grant Thu, 20 Jul 2006 11:00:23 +1000 + +vpnc (0.3.3+SVN20051028-3ubuntu1) edgy; urgency=low + + * Merge from debian unstable. + + -- William Alexander Grant Sun, 16 Jul 2006 14:34:02 +1000 + +vpnc (0.3.3+SVN20051028-3) unstable; urgency=low + + * 08_keepalive_and_rekeying.dpatch: patch for basic rekeying and keepalive + support from Tomas Mraz + * stronger permissions of /etc/vpnc/ and /etc/vpnc/example.conf to protect + careless users from making their login data world-readable + (closes: #340105) + * documented connect/disconnect hooks in README.Debian, thanks to Elmar + Hoffmann (closes: #360704) + + -- Eduard Bloch Fri, 14 Apr 2006 23:30:36 +0200 + +vpnc (0.3.3+SVN20051028-2ubuntu1) dapper; urgency=low + + * 09_ubuntu_var_run.dpatch: + + recreate /var/run/vpnc if missing + + -- Ante Karamatic Sun, 26 Feb 2006 12:07:52 +0100 + +vpnc (0.3.3+SVN20051028-2) unstable; urgency=low + + * TARGET_NETWORKS code was accidentaly removed in 04_debianitis.dpatch, now + restored (closes: #336532) + + -- Eduard Bloch Wed, 02 Nov 2005 09:07:12 +0100 + +vpnc (0.3.3+SVN20051028-1) unstable; urgency=low + + * new upstream snapshot + + includes a password string deobfuscater + + a bash specific loop construct has been rewritten (closes: #335989) + * inserts another default default value into setup variables (now + really closes: #334203, #335518) + * fallback to $configname.conf file scheme (closes: #335383) + * vpnc-script tries to open the device for 10 seconds after the module has + been loaded, to work around udev's timing problems (closes: #281663) + + -- Eduard Bloch Fri, 28 Oct 2005 16:08:00 +0200 + +vpnc (0.3.3+SVN20050909-5) unstable; urgency=low + + * set the default string "No" 
for DNS_UPDATE (closes: #334699) + * do not see any additional routes sent by the server when the + TARGET_NETWORKS is set (closes: #334203) + + -- Eduard Bloch Thu, 13 Oct 2005 22:14:39 +0200 + +vpnc (0.3.3+SVN20050909-4) unstable; urgency=low + + * added the magic [ words to the test commands in the new hooks + (closes: #333813) + + -- Eduard Bloch Thu, 13 Oct 2005 12:47:15 +0200 + +vpnc (0.3.3+SVN20050909-3) unstable; urgency=low + + * this should be the "good third revision" of 0.3.3 (closes: #314941) + * correct fixes for the DNSUpdate option check (for every corner case) and + patch merge errors in the TARGET_NETWORKS execution (closes: #333312) + * added a hook to vpnc-script to execute + /etc/vpnc/vpnc-script-disconnect-action on disconnect, if found. Create it + or even modify vpnc-script as needed. (closes: #254032) + * also added a hook for /etc/vpnc/vpnc-script-disconnect-action to add + custom stuff there (closes: #299472) + + -- Eduard Bloch Thu, 13 Oct 2005 12:43:23 +0200 + +vpnc (0.3.3+SVN20050909-2) unstable; urgency=low + + * fixed typo in vpnc-script patch which was causing the resolv.conf update + though disabled in the config + + -- Eduard Bloch Wed, 12 Oct 2005 01:11:44 +0200 + +vpnc (0.3.3+SVN20050909-1) unstable; urgency=low + + * New upstream release + + all functionality of vpnc-connect moved to vpnc and vpnc-script + * migrated additional vpnc-connect functionality (resolvconf, Target + Networks, DNSUpdate options) to vpnc-script and vpnc source + * set transitional symlink vpnc-connect (-> vpnc) + * reduced default MTU to 1390 to work around problems seen while testing + + -- Eduard Bloch Mon, 10 Oct 2005 12:22:42 +0200 + +vpnc (0.3.2+SVN20050326-2) unstable; urgency=high + + * added a check for having a slash in the config file specification (now it + really accepts absolute paths only and not some random, or even malicious, + script from the current directory). Before, it was like having "." on the + first place in root's $PATH. 
+ * also reverted the vpnc binary lookup order to limit possible effects of + a similar problem + + -- Eduard Bloch Thu, 05 May 2005 19:39:05 +0200 + +vpnc (0.3.2+SVN20050326-1) unstable; urgency=low + + * New upstream SVN snapshot + + reported to solve 64bit problems (closes: #282732) + + -- Eduard Bloch Sat, 26 Mar 2005 10:58:35 +0100 + +vpnc (0.3.2+SVN20041123-1) unstable; urgency=low + + * New upstream release and update + * Changed the example gateway IP to one from the official example net + * do not try to run modprobe if there is no module support (closes: #281606) + + -- Eduard Bloch Tue, 23 Nov 2004 18:43:43 +0100 + +vpnc (0.3.1-1) unstable; urgency=low + + * New upstream release + * removed Interface name from the example config file - upstream request, + too many users tried to use this on kernel 2.2 :( + * added $@ to the vpnc call in vpnc-connect (closes: #274202) + * added /sbin to the PATH to reach ifconfig (closes: #278049) + + -- Eduard Bloch Sat, 13 Nov 2004 15:43:46 +0100 + +vpnc (0.2-rm+zomb.1-8) unstable; urgency=low + + * Rebuilt for libgcrypt11 + + -- Eduard Bloch Thu, 17 Jun 2004 16:37:41 +0200 + +vpnc (0.2-rm+zomb.1-7) unstable; urgency=low + + * pre-release upstream update + + keeping the same syslog facility after fork (closes: #251228) + + insecurity warnings in README.Debian and vpnc.8 (closes: #251935) + + general PIX support was added in the previous release (closes: #220233) + * changes to use dpatch + * upstream TODO file re-added (closes: #254034) + * patch from Wolfgang Ratzka to add direct gateway route even if Target + networks is set (closes: #253051) + + -- Eduard Bloch Wed, 26 May 2004 16:57:52 +0200 + +vpnc (0.2-rm+zomb.1-6) unstable; urgency=low + + * Made checks for tun_init be less precise to match on kernel 2.4 + + -- Eduard Bloch Wed, 26 May 2004 16:16:16 +0200 + +vpnc (0.2-rm+zomb.1-5) unstable; urgency=low + + * Fix of the fix of the last tree RC bugs, also use the right command [tm] + to display the help text, 
thanks to Michael Farmbauer (closes: #250839) + * More alternative checks for the tun driver presence + + -- Eduard Bloch Mon, 24 May 2004 18:12:05 +0200 + +vpnc (0.2-rm+zomb.1-4) unstable; urgency=low + + * Moved the config file argument into the quotes when specifying the + configuration script argument (closes: #250695, #250673, #240766) + * installing example config file into /etc/vpnc/ (closes: #246714) + * checking $1 before shift to not confuse dash + * made vpnc-connect be quiet if CONFIG_TUN=y was found in the guessed kernel + config file (closes: #250237) + + -- Eduard Bloch Mon, 17 May 2004 17:55:22 +0200 + +vpnc (0.2-rm+zomb.1-3) unstable; urgency=low + + * the third-time-lucky revision + * removed surrounding quotes in the DNS server list + + -- Eduard Bloch Sat, 15 May 2004 21:31:15 +0200 + +vpnc (0.2-rm+zomb.1-2) unstable; urgency=low + + * vpnc.c: Only warn about additional ("unknown") config directives in + debug mode (as it was done in -pre8 before) + * vpnc-connect: adding explicite routes to VPNed DNS servers if needed + * avoiding multi-line if-statements, report to break with some shell + + -- Eduard Bloch Fri, 14 May 2004 15:18:52 +0200 + +vpnc (0.2-rm+zomb.1-1) unstable; urgency=low + + * New upstream release + * resolvconf integration to implement DNS data update mechanism + + -- Eduard Bloch Fri, 14 May 2004 09:04:26 +0200 + +vpnc (0.2-rm+zomb-pre8-1) unstable; urgency=low + + * New upstream release + * added Interface name to the manpage example and a default value to the + vpnc-connect script + + -- Eduard Bloch Sun, 25 Apr 2004 10:56:01 +0200 + +vpnc (0.2-rm+zomb-pre7-4) unstable; urgency=low + + * Multiple config management patch by Tobias Oetiker + * Manpage updates based on the patch above + * Fixed the route check on the defaultroute restoring (thanks to Thomas + Deselaers, closes: #230806) + + -- Eduard Bloch Thu, 29 Jan 2004 11:06:00 +0100 + +vpnc (0.2-rm+zomb-pre7-3) unstable; urgency=low + + * Does not clobber the default route 
if custom routes have been defined + (successor of the #225776 fix), thanks to Steven Ihde (closes: #230201) + + -- Eduard Bloch Wed, 28 Jan 2004 20:23:10 +0100 + +vpnc (0.2-rm+zomb-pre7-2) unstable; urgency=low + + * vpnc-connect: allow customizable target routes in vpnc.conf + (closes: #225776) + * vpnc.c: don't bother about unknown options unless --debug is used + * merged relevant parts of the FreeBSD manpage Debian into out Linux + version, replaced hyphens with minus signs (\-) and stopped using the SGML + template. It just sucked. + + -- Eduard Bloch Thu, 18 Dec 2003 21:14:11 +0100 + +vpnc (0.2-rm+zomb-pre7-1) unstable; urgency=low + + * New upstream release + + vpnc-connect filters weird ip output (closes: #220495) + * Builds with the new libgcrypt generation, Build-Deps adjusted + * Typo in description fixed (closes: #220172) + + -- Eduard Bloch Thu, 18 Dec 2003 20:28:02 +0100 + +vpnc (0.2-rm+zomb-pre5-2) unstable; urgency=low + + * Fixed the test condition when looking for the tun device node + * vpnc.c: fixed --local-port description + * provisoric manpage written + + -- Eduard Bloch Mon, 3 Nov 2003 22:41:04 +0100 + +vpnc (0.2-rm+zomb-pre5-1) unstable; urgency=low + + * Initial Release (closes: #217838) + + -- Eduard Bloch Thu, 30 Oct 2003 07:08:26 +0100 + --- vpnc-0.4.0.orig/debian/control +++ vpnc-0.4.0/debian/control 
@@ -0,0 +1,21 @@ +Source: vpnc +Section: net +Priority: extra +Maintainer: Ubuntu MOTU Developers +XSBC-Original-Maintainer: Eduard Bloch +Build-Depends: debhelper (>= 4.0.0), libgcrypt11-dev, dpatch +Standards-Version: 3.6.2.1 + +Package: vpnc +Architecture: any +Depends: ${shlibs:Depends}, ${misc:Depends} +Suggests: resolvconf +Description: Cisco-compatible VPN client + vpnc is a VPN client compatible with cisco3000 VPN Concentrator (also + known as Cisco's EasyVPN equipment). vpnc runs entirely in userspace + and does not require kernel modules except of the tun driver to + communicate with the network layer. + . + It supports most of the features needed to establish connection to the + VPN concentrator: MD5 and SHA1 hashes, 3DES and AES ciphers, PFS and + various IKE DH group settings. --- vpnc-0.4.0.orig/debian/copyright +++ vpnc-0.4.0/debian/copyright @@ -0,0 +1,24 @@ +This package was debianized by Eduard Bloch on +Mon, 27 Oct 2003 20:05:37 +0100. + +It was downloaded from http://www.unix-ag.uni-kl.de/~massar/vpnc/ and +will become an official repository on alioth.debian.org soon. + +Upstream Authors: + +Geoffrey Keating , 2002 +Maurice Massar , 2003 + +Copyright: + +This program is free software; you can redistribute it and/or modify +it under the terms of the GNU General Public License as published by +the Free Software Foundation; either version 2 of the License, or (at +your option) any later version. + +You can find the complete text of the GPLv2 in the file +/usr/share/common-licenses/GPL-2 on Debian systems. + +The source code contains parts of the isakmpd package which are licensed +under the BSD license, refer to /usr/share/common-license/BSD for +details. --- vpnc-0.4.0.orig/debian/compat +++ vpnc-0.4.0/debian/compat @@ -0,0 +1 @@ +4 --- vpnc-0.4.0.orig/debian/rules +++ vpnc-0.4.0/debian/rules 
@@ -0,0 +1,103 @@
+#!/usr/bin/make -f
+# -*- makefile -*-
+# Sample debian/rules that uses debhelper.
+# GNU copyright 1997 to 1999 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+include /usr/share/dpatch/dpatch.make
+
+CFLAGS = -Wall -g
+
+ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS)))
+ CFLAGS += -O0
+else
+ CFLAGS += -O2
+endif
+ifeq (,$(findstring nostrip,$(DEB_BUILD_OPTIONS)))
+ INSTALL_PROGRAM += -s
+endif
+
+configure: configure-stamp
+configure-stamp:
+ dh_testdir
+ # Add here commands to configure the package.
+
+ touch configure-stamp
+
+
+build: build-stamp
+
+build-stamp: configure-stamp patch
+ dh_testdir
+
+ # Add here commands to compile the package.
+ $(MAKE)
+ #/usr/bin/docbook-to-man debian/vpnc.sgml > vpnc.1
+
+ touch build-stamp
+
+clean: unpatch
+ dh_testdir
+ dh_testroot
+ rm -f build-stamp configure-stamp
+
+ # Add here commands to clean up after the build process.
+ -$(MAKE) distclean
+
+ dh_clean
+
+install: build
+ dh_testdir
+ dh_testroot
+ dh_clean -k
+ dh_installdirs
+
+ # Add here commands to install the package into debian/vpnc.
+ cp vpnc vpnc-disconnect debian/vpnc/usr/sbin/
+ install -m755 pcf2vpnc debian/vpnc/usr/share/vpnc/
+ install -D -m600 vpnc.conf debian/vpnc/etc/vpnc/example.conf
+ install -D -m755 vpnc-script debian/vpnc/etc/vpnc/vpnc-script
+ chmod 700 debian/vpnc/etc/vpnc
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+ dh_testdir
+ dh_testroot
+ dh_installchangelogs
+ dh_installdocs
+ dh_installexamples
+ dh_link -pvpnc /usr/sbin/vpnc /usr/sbin/vpnc-connect
+# dh_install
+# dh_installmenu
+# dh_installdebconf
+# dh_installlogrotate
+# dh_installemacsen
+# dh_installpam
+# dh_installmime
+# dh_installinit
+# dh_installcron
+# dh_installinfo
+ dh_installman vpnc.8
+ ln -sf vpnc.8.gz debian/vpnc/usr/share/man/man8/vpnc-connect.8.gz
+ ln -sf vpnc.8.gz debian/vpnc/usr/share/man/man8/vpnc-disconnect.8.gz
+ dh_link
+ dh_strip
+ dh_compress
+ dh_fixperms -X/etc/vpnc
+# dh_perl
+# dh_python
+# dh_makeshlibs
+ dh_installdeb
+ dh_shlibdeps
+ dh_gencontrol
+ dh_md5sums
+ dh_builddeb
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary install configure
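Review bot: The CFLAGS assembled from DEB_BUILD_OPTIONS at the top of debian/rules (the `-O0`/`-O2` choice for `noopt`) never reach the compiler, because the build-stamp rule invokes a bare `$(MAKE)` and the variable is neither exported nor passed on the command line, so the noopt handling is a no-op as far as this hunk shows. Passing it explicitly, `$(MAKE) CFLAGS="$(CFLAGS)"`, makes the flags take effect (whether upstream's Makefile then honours them depends on how it sets its own CFLAGS, which is not visible here). Likewise `INSTALL_PROGRAM += -s` is set but nothing in the install target uses `$(INSTALL_PROGRAM)`; stripping is in practice done by `dh_strip`, which already respects `nostrip`, so the variable can simply go. The `-m600` example.conf, `chmod 700` on /etc/vpnc and `dh_fixperms -X/etc/vpnc` are consistent with each other and keep the config directory, which may hold credentials, unreadable to other users; a one-line comment next to the chmod saying that `-X/etc/vpnc` exists to preserve these modes would stop a future cleanup from dropping either half.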