removed NAT_TRAVERSAL and VIRTUAL_IP compile options
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 7 Jul 2006 05:50:02 +0000 (05:50 -0000)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 7 Jul 2006 05:50:02 +0000 (05:50 -0000)
21 files changed:
src/pluto/Makefile.am
src/pluto/connections.c
src/pluto/connections.h
src/pluto/demux.c
src/pluto/demux.h
src/pluto/ipsec_doi.c
src/pluto/kernel.c
src/pluto/kernel.h
src/pluto/kernel_netlink.c
src/pluto/kernel_pfkey.c
src/pluto/keys.c
src/pluto/nat_traversal.c
src/pluto/plutomain.c
src/pluto/rcv_whack.c
src/pluto/server.c
src/pluto/server.h
src/pluto/spdb.c
src/pluto/state.h
src/pluto/timer.c
src/pluto/vendor.c
src/pluto/virtual.c

index fb07bb8..825b982 100644 (file)
@@ -24,7 +24,7 @@ _pluto_adns_SOURCES = adns.c adns.h
 
 INCLUDES = -I$(top_srcdir)/src/libfreeswan -I$(top_srcdir)/src/libcrypto -I$(top_srcdir)/src/whack
 AM_CFLAGS = -DIPSEC_DIR=\"${ipsecdir}\" -DIPSEC_CONFDIR=\"${confdir}\" -DIPSEC_PIDDIR=\"${piddir}\" \
--DDEBUG -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DNAT_TRAVERSAL -DVIRTUAL_IP -DPLUTO \
+-DDEBUG -DKERNEL26_SUPPORT -DKERNEL26_HAS_KAME_DUPLICATES -DPLUTO \
 -DVENDORID -DSHARED_SECRETS_FILE=\"${confdir}/ipsec.secrets\" -DTHREADS -DKLIPS
 pluto_LDADD = $(top_srcdir)/src/libfreeswan/libfreeswan.a $(top_srcdir)/src/libcrypto/libcrypto.a -lgmp -lresolv -lpthread
 _pluto_adns_LDADD = -lresolv $(top_srcdir)/src/libfreeswan/libfreeswan.a
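Review bot: Any `#ifdef NAT_TRAVERSAL` or `#ifdef VIRTUAL_IP` guard that survives in a file this commit does not touch becomes permanently dead code once these two `-D` flags leave AM_CFLAGS, and nothing at build time will flag it. The 21-file list indicates a broad sweep, but the safety net of the old flags is gone, so a grep for both identifiers across the pluto sources before merging would confirm that no guard was missed. A short comment above the AM_CFLAGS line, `# NAT-T and virtual-IP support are now unconditional; do not reintroduce -DNAT_TRAVERSAL / -DVIRTUAL_IP`, would also stop the flags from being re-added by a later build tweak.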
index d565fe6..77fd9bf 100644 (file)
 #include "whack.h"
 #include "alg_info.h"
 #include "ike_alg.h"
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
-
-#ifdef VIRTUAL_IP
 #include "virtual.h"
-#endif
 
 static void flush_pending_by_connection(struct connection *c); /* forward */
 
@@ -114,8 +109,8 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
     if (hisaddr == NULL)
        hisaddr = aftoinfo(addrtypeof(myaddr))->any;
        
-#ifdef NAT_TRAVERSAL
-    if (nat_traversal_enabled) {
+    if (nat_traversal_enabled)
+    {
        /**
         * port is not relevant in host_pair. with nat_traversal we
         * always use pluto_port (500)
@@ -123,7 +118,6 @@ find_host_pair(const ip_address *myaddr, u_int16_t myport
        myport = pluto_port;
        hisport = pluto_port;
     }
-#endif
 
     for (prev = NULL, p = host_pairs; p != NULL; prev = p, p = p->next)
     {
@@ -149,17 +143,17 @@ find_host_pair_connections(const ip_address *myaddr, u_int16_t myport
 {
     struct host_pair *hp = find_host_pair(myaddr, myport, hisaddr, hisport);
 
-#ifdef NAT_TRAVERSAL
-    if (nat_traversal_enabled && hp && hisaddr) {
+    if (nat_traversal_enabled && hp && hisaddr)
+    {
        struct connection *c;
-       for (c = hp->connections; c != NULL; c = c->hp_next) {
-           if ((c->spd.this.host_port==myport) && (c->spd.that.host_port==hisport))
+
+       for (c = hp->connections; c != NULL; c = c->hp_next)
+       {
+           if (c->spd.this.host_port == myport && c->spd.that.host_port == hisport)
                return c;
        }
        return NULL;
     }
-#endif
-
     return hp == NULL? NULL : hp->connections;
 }
 
@@ -177,13 +171,8 @@ connect_to_host_pair(struct connection *c)
            hp = alloc_thing(struct host_pair, "host_pair");
            hp->me.addr = c->spd.this.host_addr;
            hp->him.addr = c->spd.that.host_addr;
-#ifdef NAT_TRAVERSAL
            hp->me.port = nat_traversal_enabled ? pluto_port : c->spd.this.host_port;
            hp->him.port = nat_traversal_enabled ? pluto_port : c->spd.that.host_port;
-#else
-           hp->me.port = c->spd.this.host_port;
-           hp->him.port = c->spd.that.host_port;
-#endif    
            hp->initial_connection_sent = FALSE;
            hp->connections = NULL;
            hp->pending = NULL;
@@ -333,9 +322,8 @@ delete_connection(struct connection *c, bool relations)
        }
     }
 
-#ifdef VIRTUAL_IP
-    if (c->kind != CK_GOING_AWAY) pfreeany(c->spd.that.virt);
-#endif
+    if (c->kind != CK_GOING_AWAY)
+       pfreeany(c->spd.that.virt);
 
 #ifdef DEBUG
     cur_debugging = old_cur_debugging;
@@ -573,12 +561,10 @@ format_end(char *buf
 
     client[0] = '\0';
 
-#ifdef VIRTUAL_IP
     if (is_virtual_end(this) && isanyaddr(&this->host_addr))
     {
        host = "%virtual";
     }
-#endif
 
     /* [client===] */
     if (this->has_client)
@@ -915,14 +901,14 @@ check_connection_end(const whack_end_t *this, const whack_end_t *that
            return FALSE;
        }
     }
-#ifdef VIRTUAL_IP
+
     if (this->virt && (!isanyaddr(&this->host_addr) || this->has_client))
     {
        loglog(RC_CLASH,
            "virtual IP must only be used with %%any and without client");
        return FALSE;
     }
-#endif
+
     return TRUE;       /* happy */
 }
 
@@ -1125,7 +1111,6 @@ add_connection(const whack_message_t *wm)
 
        c->gw_info = NULL;
 
-#ifdef VIRTUAL_IP
        passert(!(wm->left.virt && wm->right.virt));
        if (wm->left.virt || wm->right.virt)
        {
@@ -1135,7 +1120,6 @@ add_connection(const whack_message_t *wm)
            if (c->spd.that.virt)
                c->spd.that.has_client = TRUE;
        }
-#endif
 
        unshare_connection_strings(c);
        (void)orient(c);
@@ -1220,13 +1204,11 @@ add_group_instance(struct connection *group, const ip_subnet *target)
 
        t->spd.reqid = gen_reqid();
 
-#ifdef VIRTUAL_IP
        if (t->spd.that.virt)
        {
            DBG_log("virtual_ip not supported in group instance");
            t->spd.that.virt = NULL;    
        }
-#endif
 
        /* add to connections list */
        t->ac_next = connections;
@@ -1268,9 +1250,7 @@ remove_group_instance(const struct connection *group USED_BY_DEBUG
  */
 static struct connection *
 instantiate(struct connection *c, const ip_address *him
-#ifdef NAT_TRAVERSAL
 , u_int16_t his_port
-#endif
 , const struct id *his_id)
 {
     struct connection *d;
@@ -1295,9 +1275,9 @@ instantiate(struct connection *c, const ip_address *him
     passert(oriented(*d));
     d->spd.that.host_addr = *him;
     setportof(htons(c->spd.that.port), &d->spd.that.host_addr);
-#ifdef NAT_TRAVERSAL
+
     if (his_port) d->spd.that.host_port = his_port;
-#endif    
+
     default_end(&d->spd.that, &d->spd.this.host_addr);
 
     /* We cannot guess what our next_hop should be, but if it was
@@ -1327,23 +1307,11 @@ instantiate(struct connection *c, const ip_address *him
 }
 
 struct connection *
-rw_instantiate(struct connection *c
-, const ip_address *him
-#ifdef NAT_TRAVERSAL
-, u_int16_t his_port
-#endif
-#ifdef VIRTUAL_IP
-, const ip_subnet *his_net
-#endif
-, const struct id *his_id)
+rw_instantiate(struct connection *c, const ip_address *him, u_int16_t his_port
+, const ip_subnet *his_net, const struct id *his_id)
 {
-#ifdef NAT_TRAVERSAL
     struct connection *d = instantiate(c, him, his_port, his_id);
-#else
-    struct connection *d = instantiate(c, him, his_id);
-#endif
 
-#ifdef VIRTUAL_IP
     if (d && his_net && is_virtual_connection(c))
     {
        d->spd.that.client = *his_net;
@@ -1351,7 +1319,6 @@ rw_instantiate(struct connection *c
        if (subnetishost(his_net) && addrinsubnet(him, his_net))
            d->spd.that.has_client = FALSE;
     }
-#endif
 
     if (d->policy & POLICY_OPPO)
     {
@@ -1374,11 +1341,7 @@ oppo_instantiate(struct connection *c
 , const ip_address *our_client USED_BY_DEBUG
 , const ip_address *peer_client)
 {
-#ifdef NAT_TRAVERSAL
     struct connection *d = instantiate(c, him, 0, his_id);
-#else
-    struct connection *d = instantiate(c, him, his_id);
-#endif 
 
     passert(d->spd.next == NULL);
 
@@ -1510,13 +1473,12 @@ fmt_conn_instance(const struct connection *c, char buf[CONN_INST_BUF])
        {
            *p++ = ' ';
            addrtot(&c->spd.that.host_addr, 0, p, ADDRTOT_BUF);
-#ifdef NAT_TRAVERSAL
+#
            if (c->spd.that.host_port != pluto_port)
            {
                p += strlen(p);
                sprintf(p, ":%d", c->spd.that.host_port);
            }
-#endif     
        }
     }
 }
@@ -1775,9 +1737,9 @@ orient(struct connection *c)
             */
            for (p = interfaces; p != NULL; p = p->next)
            {
-#ifdef NAT_TRAVERSAL
-               if (p->ike_float) continue;
-#endif         
+               if (p->ike_float)
+                   continue;
+
                for (;;)
                {
                    /* check if this interface matches this end */
@@ -3083,18 +3045,11 @@ ISAKMP_SA_established(struct connection *c, so_serial_t serial)
        {
            struct connection *next = d->ac_next;       /* might move underneath us */
 
-#ifdef NAT_TRAVERSAL
            if (d->kind >= CK_PERMANENT 
            && same_id(&c->spd.this.id, &d->spd.this.id)
            && same_id(&c->spd.that.id, &d->spd.that.id)
            && (!sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr) ||
-           (c->spd.that.host_port != d->spd.that.host_port)))
-#else
-           if (d->kind >= CK_PERMANENT
-           && same_id(&c->spd.this.id, &d->spd.this.id)
-           && same_id(&c->spd.that.id, &d->spd.that.id)
-           && !sameaddr(&c->spd.that.host_addr, &d->spd.that.host_addr))
-#endif
+              (c->spd.that.host_port != d->spd.that.host_port)))
            {
                release_connection(d, FALSE);
            }
@@ -3418,16 +3373,16 @@ refine_host_connection(const struct state *st, const struct id *peer_id
            if (d->policy & POLICY_GROUP)
                continue;
 
-#ifdef NAT_TRAVERSAL
            if (c->spd.that.host_port != d->spd.that.host_port
            && d->kind == CK_INSTANCE)
+           {
                continue;
-#endif
+           }
 
            /* authentication used must fit policy of this connection */
            if ((d->policy & auth_policy) == LEMPTY)
                continue;       /* our auth isn't OK for this connection */
-           
+
            switch (auth)
            {
            case OAKLEY_PRESHARED_KEY:
@@ -3490,7 +3445,6 @@ refine_host_connection(const struct state *st, const struct id *peer_id
     }
 }
 
-#ifdef VIRTUAL_IP
 /**
  * With virtual addressing, we must not allow someone to use an already
  * used (by another id) addr/net.
@@ -3528,7 +3482,6 @@ is_virtual_net_used(const ip_subnet *peer_net, const struct id *peer_id)
     }
     return FALSE; /* you can safely use it */
 }
-#endif
 
 /* find_client_connection: given a connection suitable for ISAKMP
  * (i.e. the hosts match), find a one suitable for IPSEC
@@ -3646,18 +3599,12 @@ fc_try(const struct connection *c
                }
                else
                {
-#ifdef VIRTUAL_IP
-                   if ((!samesubnet(&sr->that.client, peer_net)) && (!is_virtual_connection(d)))
-#else
-                   if (!samesubnet(&sr->that.client, peer_net))
-#endif
+                   if (!samesubnet(&sr->that.client, peer_net) && !is_virtual_connection(d))
                        continue;
-#ifdef VIRTUAL_IP
                    if (is_virtual_connection(d)
-                   && ( (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr))
+                   && (!is_virtual_net_allowed(d, peer_net, &c->spd.that.host_addr)
                        || is_virtual_net_used(peer_net, peer_id?peer_id:&c->spd.that.id)))
                            continue;
-#endif
                }
            }
            else
@@ -4296,14 +4243,12 @@ update_pending(struct state *os, struct state *ns)
     {
        if (p->isakmp_sa == os)
            p->isakmp_sa = ns;
-#ifdef NAT_TRAVERSAL
        if (p->connection->spd.this.host_port != ns->st_connection->spd.this.host_port)
        {
            p->connection->spd.this.host_port = ns->st_connection->spd.this.host_port;
            p->connection->spd.that.host_port = ns->st_connection->spd.that.host_port;
        }
-#endif
-    }      
+    }
 }
 
 /* a Main Mode negotiation has failed; discard any pending */
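Review bot: The line `#` that replaces `#ifdef NAT_TRAVERSAL` in fmt_conn_instance (hunk at -1510,13 +1473,12) is a null preprocessor directive: it compiles to nothing, but reads as a leftover of the guard removal and will trip a reader or a lint pass. Replace it with an empty line, or drop it so the port-suffix block follows the `addrtot` call directly. On the line below it, `sprintf(p, ":%d", c->spd.that.host_port)` writes into `buf[CONN_INST_BUF]` with no bound; host_port appears to be a u_int16_t (it is assigned from one in instantiate), so the suffix is at most six characters, but `snprintf(p, CONN_INST_BUF - (p - buf), ":%d", ...)` would make that bound explicit rather than implied. fmt_conn_instance begins outside the hunk.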
index fd7abaa..aab5c84 100644 (file)
@@ -126,9 +126,7 @@ typedef unsigned long policy_prio_t;
 #define POLICY_PRIO_BUF        (3+1+3+1)
 extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
 
-#ifdef VIRTUAL_IP
 struct virtual_t;
-#endif
 
 struct end {
     struct id id;
@@ -151,9 +149,7 @@ struct end {
     chunk_t ca;                        /* CA distinguished name */
     struct ietfAttrList *groups;/* access control groups */
     smartcard_t *sc;           /* smartcard reader and key info */
-#ifdef VIRTUAL_IP
     struct virtual_t *virt;
-#endif 
     bool modecfg;              /* this end: request local address from server */
                                /* that end: give local addresses to clients */
     bool hostaccess;           /* allow access to host via iptables INPUT/OUTPUT */
@@ -305,12 +301,8 @@ struct gw_info;    /* forward declaration of tag (defined in dnskey.h) */
 struct alg_info;       /* forward declaration of tag (defined in alg_info.h) */
 extern struct connection *rw_instantiate(struct connection *c
                                         , const ip_address *him
-#ifdef NAT_TRAVERSAL
                                         , u_int16_t his_port
-#endif
-#ifdef VIRTUAL_IP
                                         , const ip_subnet *his_net
-#endif                                  
                                         , const struct id *his_id);
 
 extern struct connection *oppo_instantiate(struct connection *c
@@ -366,12 +358,9 @@ extern struct connection *eclipsed(struct connection *c, struct spd_route **);
 
 extern void show_connections_status(bool all, const char *name);
 extern int  connection_compare(const struct connection *ca
-                              , const struct connection *cb);
-#ifdef NAT_TRAVERSAL
-void
-update_host_pair(const char *why, struct connection *c,
-       const ip_address *myaddr, u_int16_t myport ,
-       const ip_address *hisaddr, u_int16_t hisport);
-#endif /* NAT_TRAVERSAL */
+    , const struct connection *cb);
+extern void update_host_pair(const char *why, struct connection *c
+    , const ip_address *myaddr, u_int16_t myport
+    , const ip_address *hisaddr, u_int16_t hisport);
 
 #endif /* _CONNECTIONS_H */
index eaacd3e..10544b2 100644 (file)
 #include "timer.h"
 #include "whack.h"     /* requires connections.h */
 #include "server.h"
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
 #include "vendor.h"
 #include "modecfg.h"
 
@@ -273,11 +271,7 @@ static const struct state_microcode state_microcode_table[] = {
      */
     { STATE_MAIN_R1, STATE_MAIN_R2
     , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_REPLY
-#ifdef NAT_TRAVERSAL
     , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(KE)
-#else
-    , P(KE) | P(NONCE), P(VID) | P(CR), PT(KE)
-#endif    
     , EVENT_RETRANSMIT, main_inI2_outR2 },
 
     { STATE_MAIN_R1, STATE_UNDEFINED
@@ -302,11 +296,7 @@ static const struct state_microcode state_microcode_table[] = {
      */
     { STATE_MAIN_I2, STATE_MAIN_I3
     , SMF_PSK_AUTH | SMF_DS_AUTH | SMF_INITIATOR | SMF_OUTPUT_ENCRYPTED | SMF_REPLY
-#ifdef NAT_TRAVERSAL
     , P(KE) | P(NONCE), P(VID) | P(CR) | P(NATD_RFC), PT(ID)
-#else
-    , P(KE) | P(NONCE), P(VID) | P(CR), PT(ID)
-#endif    
     , EVENT_RETRANSMIT, main_inR2_outI3 },
 
     { STATE_MAIN_I2, STATE_UNDEFINED
@@ -397,11 +387,7 @@ static const struct state_microcode state_microcode_table[] = {
      */
     { STATE_QUICK_R0, STATE_QUICK_R1
     , SMF_ALL_AUTH | SMF_ENCRYPTED | SMF_REPLY
-#ifdef NAT_TRAVERSAL
     , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(NONE)
-#else
-    , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID), PT(NONE)
-#endif
     , EVENT_RETRANSMIT, quick_inI1_outR1 },
 
     /* STATE_QUICK_I1:
@@ -412,11 +398,7 @@ static const struct state_microcode state_microcode_table[] = {
      */
     { STATE_QUICK_I1, STATE_QUICK_I2
     , SMF_ALL_AUTH | SMF_INITIATOR | SMF_ENCRYPTED | SMF_REPLY
-#ifdef NAT_TRAVERSAL
     , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID) | P(NATOA_RFC), PT(HASH)
-#else
-    , P(HASH) | P(SA) | P(NONCE), /* P(SA) | */ P(KE) | P(ID), PT(HASH)
-#endif
     , EVENT_SA_REPLACE, quick_inR1_outI2 },
 
     /* STATE_QUICK_R1: HDR*, HASH(3) --> done
@@ -744,7 +726,6 @@ check_msg_errqueue(const struct iface *ifp, short interest)
                    /* note dirty trick to suppress ~ at start of format
                     * if we know what state to blame.
                     */
-#ifdef NAT_TRAVERSAL
                    if ((packet_len == 1) && (buffer[0] = 0xff)
 #ifdef DEBUG
                        && ((cur_debugging & DBG_NATT) == 0)
@@ -755,7 +736,6 @@ check_msg_errqueue(const struct iface *ifp, short interest)
                             */
                    }
                    else
-#endif              
                    plog((sender != NULL) + "~"
                        "ERROR: asynchronous network error report on %s"
                        "%s"
@@ -793,24 +773,19 @@ check_msg_errqueue(const struct iface *ifp, short interest)
 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
 
 bool
-#ifdef NAT_TRAVERSAL
-_send_packet(struct state *st, const char *where, bool verbose)
-#else
 send_packet(struct state *st, const char *where)
-#endif
 {
     struct connection *c = st->st_connection;
     int port_buf;
     bool err;
-
-#ifdef NAT_TRAVERSAL
     u_int8_t ike_pkt[MAX_OUTPUT_UDP_SIZE];
     u_int8_t *ptr;
     unsigned long len;
 
-    if ((c->interface->ike_float == TRUE) && (st->st_tpacket.len != 1)) {
-       if ((unsigned long) st->st_tpacket.len >
-           (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t))) {
+    if (c->interface->ike_float && st->st_tpacket.len != 1)
+    {
+       if ((unsigned long) st->st_tpacket.len > (MAX_OUTPUT_UDP_SIZE-sizeof(u_int32_t)))
+       {
            DBG_log("send_packet(): really too big");
            return FALSE;
        }
@@ -821,11 +796,11 @@ send_packet(struct state *st, const char *where)
            (unsigned long)st->st_tpacket.len);
        len = (unsigned long) st->st_tpacket.len + sizeof(u_int32_t);
     }
-    else {
+    else
+    {
        ptr = st->st_tpacket.ptr;
        len = (unsigned long) st->st_tpacket.len;
     }
-#endif
 
     DBG(DBG_RAW,
        {
@@ -850,28 +825,19 @@ send_packet(struct state *st, const char *where)
     (void) check_msg_errqueue(c->interface, POLLOUT);
 #endif /* defined(IP_RECVERR) && defined(MSG_ERRQUEUE) */
 
-#ifdef NAT_TRAVERSAL
     err = sendto(c->interface->fd
        , ptr, len, 0
        , sockaddrof(&c->spd.that.host_addr)
        , sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)len;
-#else
-    err = sendto(c->interface->fd
-       , st->st_tpacket.ptr, st->st_tpacket.len, 0
-       , sockaddrof(&c->spd.that.host_addr)
-       , sockaddrlenof(&c->spd.that.host_addr)) != (ssize_t)st->st_tpacket.len;
-#endif
 
     /* restore port */
     setportof(port_buf, &c->spd.that.host_addr);
 
     if (err)
     {
-#ifdef NAT_TRAVERSAL
-        /* do not log NAT-T Keep Alive packets */
-        if (!verbose)
-           return FALSE;
-#endif
+       /* do not log NAT-T Keep Alive packets */
+        if (streq(where, "NAT-T Keep Alive"))
+           return FALSE;
        log_errno((e, "sendto on %s to %s:%u failed in %s"
            , c->interface->rname
            , ip_str(&c->spd.that.host_addr)
@@ -1141,16 +1107,19 @@ read_packet(struct msg_digest *md)
     cur_from = &md->sender;
     cur_from_port = md->sender_port;
 
-#ifdef NAT_TRAVERSAL
-    if (ifp->ike_float == TRUE) {
+    if (ifp->ike_float == TRUE)
+    {
        u_int32_t non_esp;
-       if (packet_len < (int)sizeof(u_int32_t)) {
+
+       if (packet_len < (int)sizeof(u_int32_t))
+       {
            plog("recvfrom %s:%u too small packet (%d)"
                , ip_str(cur_from), (unsigned) cur_from_port, packet_len);
            return FALSE;
        }
        memcpy(&non_esp, buffer, sizeof(u_int32_t));
-       if (non_esp != 0) {
+       if (non_esp != 0)
+       {
            plog("recvfrom %s:%u has no Non-ESP marker"
                , ip_str(cur_from), (unsigned) cur_from_port);
            return FALSE;
@@ -1161,7 +1130,6 @@ read_packet(struct msg_digest *md)
        pfree(buffer);
        buffer = buffer_nat;
     }
-#endif
 
     /* Clone actual message contents
      * and set up md->packet_pbs to describe it.
@@ -1180,21 +1148,20 @@ read_packet(struct msg_digest *md)
     DBG(DBG_RAW,
        DBG_dump("", md->packet_pbs.start, pbs_room(&md->packet_pbs)));
 
-#ifdef NAT_TRAVERSAL
-       if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff)) {
-               /**
-                * NAT-T Keep-alive packets should be discared by kernel ESPinUDP
-                * layer. But boggus keep-alive packets (sent with a non-esp marker)
-                * can reach this point. Complain and discard them.
-                */
-               DBG(DBG_NATT,
-                       DBG_log("NAT-T keep-alive (boggus ?) should not reach this point. "
-                               "Ignored. Sender: %s:%u", ip_str(cur_from),
-                               (unsigned) cur_from_port);
-                       );
-               return FALSE;
+       if ((pbs_room(&md->packet_pbs)==1) && (md->packet_pbs.start[0]==0xff))
+       {
+           /**
+            * NAT-T Keep-alive packets should be discared by kernel ESPinUDP
+            * layer. But boggus keep-alive packets (sent with a non-esp marker)
+            * can reach this point. Complain and discard them.
+            */
+           DBG(DBG_NATT,
+               DBG_log("NAT-T keep-alive (boggus ?) should not reach this point. "
+                       "Ignored. Sender: %s:%u", ip_str(cur_from),
+                       (unsigned) cur_from_port);
+           )
+           return FALSE;
        }
-#endif
 
 #define IKEV2_VERSION_OFFSET   17
 #define IKEV2_VERSION          0x20
@@ -1809,12 +1776,12 @@ process_packet(struct msg_digest **mdp)
                return;
            }
 
-#ifdef NAT_TRAVERSAL
            switch (np)
            {
                case ISAKMP_NEXT_NATD_RFC:
                case ISAKMP_NEXT_NATOA_RFC:
-                   if ((!st) || (!(st->nat_traversal & NAT_T_WITH_RFC_VALUES))) {
+                   if (!st || !(st->nat_traversal & NAT_T_WITH_RFC_VALUES))
+                   {
                        /*
                         * don't accept NAT-D/NAT-OA reloc directly in message, unless
                         * we're using NAT-T RFC
@@ -1823,7 +1790,6 @@ process_packet(struct msg_digest **mdp)
                    }
                    break;
            }
-#endif
 
            if (sd == NULL)
            {
@@ -1834,7 +1800,6 @@ process_packet(struct msg_digest **mdp)
                    sd = IS_PHASE1(from_state)
                        ? &isakmp_identification_desc : &isakmp_ipsec_identification_desc;
                    break;
-#ifdef NAT_TRAVERSAL
                case ISAKMP_NEXT_NATD_DRAFTS:
                    np = ISAKMP_NEXT_NATD_RFC;  /* NAT-D relocated */
                    sd = payload_descs[np];
@@ -1843,7 +1808,6 @@ process_packet(struct msg_digest **mdp)
                    np = ISAKMP_NEXT_NATOA_RFC;  /* NAT-OA relocated */
                    sd = payload_descs[np];
                    break;
-#endif             
                default:
                    loglog(RC_LOG_SERIOUS, "%smessage ignored because it contains an unknown or"
                        " unexpected payload type (%s) at the outermost level"
@@ -2107,10 +2071,8 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
                clonetochunk(st->st_tpacket, md->reply.start
                    , pbs_offset(&md->reply), "reply packet");
 
-#ifdef NAT_TRAVERSAL
                if (nat_traversal_enabled)
                    nat_traversal_change_port_lookup(md, md->st);
-#endif
 
                /* actually send the packet
                 * Note: this is a great place to implement "impairments"
@@ -2293,7 +2255,6 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
                    /* advance b to end of string */
                    b = b + strlen(b);
 
-#ifdef NAT_TRAVERSAL
                    if (st->nat_traversal)
                    {
                        char oa[ADDRTOT_BUF];
@@ -2304,7 +2265,6 @@ complete_state_transition(struct msg_digest **mdp, stf_status result)
                        ini = " ";
                        fin = "}";
                    }
-#endif
 
                    /* advance b to end of string */
                    b = b + strlen(b);
index 7adac44..63a8380 100644 (file)
 
 struct state;  /* forward declaration of tag */
 extern void init_demux(void);
-#ifdef NAT_TRAVERSAL
-#define send_packet(st,wh) _send_packet(st,wh,TRUE)
-extern bool _send_packet(struct state *st, const char *where, bool verbose);
-#else
 extern bool send_packet(struct state *st, const char *where);
-#endif
 extern void comm_handle(const struct iface *ifp);
 
 extern u_int8_t reply_buffer[MAX_OUTPUT_UDP_SIZE];
@@ -74,9 +69,7 @@ struct msg_digest {
        digest[PAYLIMIT],
        *digest_roof,
        *chain[ISAKMP_NEXT_ROOF];
-#ifdef NAT_TRAVERSAL
        unsigned short nat_traversal_vid;
-#endif 
 };
 
 extern void release_md(struct msg_digest *md);
index a4e86a9..9323427 100644 (file)
 #include "alg_info.h"
 #include "ike_alg.h"
 #include "kernel_alg.h"
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
-#ifdef VIRTUAL_IP
 #include "virtual.h"
-#endif
 
 /*
  * are we sending Pluto's Vendor ID?
@@ -769,10 +765,10 @@ accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p)
                
                oldc = cur_connection;
                set_cur_connection(dst->st_connection);
-#ifdef NAT_TRAVERSAL
+
                if (nat_traversal_enabled)
                    nat_traversal_change_port_lookup(md, dst);
-#endif
+
                loglog(RC_LOG_SERIOUS, "received Delete SA payload: "
                    "deleting ISAKMP State #%lu", dst->st_serialno);
                delete_state(dst);
@@ -806,10 +802,9 @@ accept_delete(struct state *st, struct msg_digest *md, struct payload_digest *p)
                oldc = cur_connection;
                set_cur_connection(rc);
 
-#ifdef NAT_TRAVERSAL
                if (nat_traversal_enabled)
                    nat_traversal_change_port_lookup(md, dst);
-#endif
+
                if (rc->newest_ipsec_sa == dst->st_serialno
                && (rc->policy & POLICY_UP))
                    {
@@ -902,10 +897,8 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
        vids_to_send++;
     /* always send DPD Vendor ID */
        vids_to_send++;
-#ifdef NAT_TRAVERSAL
     if (nat_traversal_enabled)
        vids_to_send++;
-#endif
 
    get_cookie(TRUE, st->st_icookie, COOKIE_SIZE, &c->spd.that.host_addr);
 
@@ -1004,7 +997,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
        }
     }
 
-#ifdef NAT_TRAVERSAL
     if (nat_traversal_enabled)
     {
        /* Add supported NAT-Traversal VID */
@@ -1015,7 +1007,6 @@ main_outI1(int whack_sock, struct connection *c, struct state *predecessor
            return STF_INTERNAL_ERROR;
        }
     }
-#endif
 
     close_message(&rbody);
     close_output_pbs(&reply);
@@ -2043,7 +2034,6 @@ quick_outI1(int whack_sock
             , replacing
             , isakmp_sa->st_serialno);
 
-#ifdef NAT_TRAVERSAL
     if (isakmp_sa->nat_traversal & NAT_T_DETECTED)
     {
        /* Duplicate nat_traversal status in new state */
@@ -2066,7 +2056,6 @@ quick_outI1(int whack_sock
        np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
                  ISAKMP_NEXT_NATOA_RFC : ISAKMP_NEXT_NATOA_DRAFTS;
     }
-#endif
 
     /* set up reply */
     init_pbs(&reply, reply_buffer, sizeof(reply_buffer), "reply packet");
@@ -2162,7 +2151,6 @@ quick_outI1(int whack_sock
        }
     }
 
-#ifdef NAT_TRAVERSAL
     /* Send NAT-OA if our address is NATed */
     if (send_natoa)
     {
@@ -2172,7 +2160,6 @@ quick_outI1(int whack_sock
            return STF_INTERNAL_ERROR;
        }
     }
-#endif
 
     /* finish computing  HASH(1), inserting it in output */
     (void) quick_mode_hash12(r_hashval, r_hash_start, rbody.cur
@@ -2341,7 +2328,6 @@ decode_peer_id(struct msg_digest *md, struct id *peer)
      * Besides, there is no good reason for allowing these to be
      * other than 0 in Phase 1.
      */
-#ifdef NAT_TRAVERSAL
     if ((st->nat_traversal & NAT_T_WITH_PORT_FLOATING)
     &&  id->isaid_doi_specific_a == IPPROTO_UDP
     &&  (id->isaid_doi_specific_b == 0 || id->isaid_doi_specific_b == NAT_T_IKE_FLOAT_PORT))
@@ -2350,10 +2336,8 @@ decode_peer_id(struct msg_digest *md, struct id *peer)
                "accepted with port_floating NAT-T",
                id->isaid_doi_specific_a, id->isaid_doi_specific_b);
     }
-    else
-#endif
-    if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0)
-    &&  !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT))
+    else if (!(id->isaid_doi_specific_a == 0 && id->isaid_doi_specific_b == 0)
+        &&  !(id->isaid_doi_specific_a == IPPROTO_UDP && id->isaid_doi_specific_b == IKE_UDP_PORT))
     {
        loglog(RC_LOG_SERIOUS, "protocol/port in Phase 1 ID Payload must be 0/0 or %d/%d"
            " but are %d/%d"
@@ -2527,14 +2511,8 @@ switch_connection(struct msg_digest *md, struct id *peer, bool initiator)
            if (r->kind == CK_TEMPLATE)
            {
                /* instantiate it, filling in peer's ID */
-               r = rw_instantiate(r, &c->spd.that.host_addr,
-#ifdef NAT_TRAVERSAL
-                       c->spd.that.host_port,
-#endif
-#ifdef VIRTUAL_IP
-                       NULL,
-#endif
-                       peer);
+               r = rw_instantiate(r, &c->spd.that.host_addr
+                       , c->spd.that.host_port, NULL, peer);
            }
 
            /* copy certificate request info */
@@ -2984,13 +2962,11 @@ main_inI1_outR1(struct msg_digest *md)
     RETURN_STF_FAILURE(preparse_isakmp_sa_body(&sa_pd->payload.sa
        , &sa_pd->pbs, &ipsecdoisit, &proposal_pbs, &proposal));
 
-#ifdef NAT_TRAVERSAL
     if (c == NULL && md->iface->ike_float)
     {
        c = find_host_connection(&md->iface->addr, NAT_T_IKE_FLOAT_PORT
                , &md->sender, md->sender_port, LEMPTY);
     }
-#endif
 
     if (c == NULL)
     {
@@ -3061,14 +3037,7 @@ main_inI1_outR1(struct msg_digest *md)
            /* Create a temporary connection that is a copy of this one.
             * His ID isn't declared yet.
             */
-           c = rw_instantiate(c, &md->sender,
-#ifdef NAT_TRAVERSAL
-                       md->sender_port,
-#endif
-#ifdef VIRTUAL_IP
-                       NULL,
-#endif
-                       NULL);
+           c = rw_instantiate(c, &md->sender, md->sender_port, NULL, NULL);
        }
     }
 
@@ -3115,10 +3084,8 @@ main_inI1_outR1(struct msg_digest *md)
        vids_to_send++;
     /* always send DPD Vendor ID */
        vids_to_send++;
-#ifdef NAT_TRAVERSAL
     if (md->nat_traversal_vid && nat_traversal_enabled)
        vids_to_send++;
-#endif
 
     /* HDR out.
      * We can't leave this to comm_handle() because we must
@@ -3189,11 +3156,6 @@ main_inI1_outR1(struct msg_digest *md)
        }
     }
 
-#ifdef NAT_TRAVERSAL
-    DBG(DBG_CONTROLMORE,
-       DBG_log("sender checking NAT-t: %d and %d"
-               , nat_traversal_enabled, md->nat_traversal_vid)
-    )
     if (md->nat_traversal_vid && nat_traversal_enabled)
     {
        /* reply if NAT-Traversal draft is supported */
@@ -3206,7 +3168,6 @@ main_inI1_outR1(struct msg_digest *md)
            return STF_INTERNAL_ERROR;
        }
     }
-#endif
 
     close_message(&md->rbody);
 
@@ -3252,11 +3213,6 @@ main_inR1_outI2(struct msg_digest *md)
            , &proposal_pbs, &proposal, NULL, st));
     }
 
-#ifdef NAT_TRAVERSAL
-    DBG(DBG_CONTROLMORE,
-       DBG_log("sender checking NAT-t: %d and %d"
-               , nat_traversal_enabled, md->nat_traversal_vid)
-    )
     if (nat_traversal_enabled && md->nat_traversal_vid)
     {
        st->nat_traversal = nat_traversal_vid_to_method(md->nat_traversal_vid);
@@ -3268,7 +3224,6 @@ main_inR1_outI2(struct msg_digest *md)
        np = (st->nat_traversal & NAT_T_WITH_RFC_VALUES) ?
                ISAKMP_NEXT_NATD_RFC : ISAKMP_NEXT_NATD_DRAFTS;
     }
- #endif
 
     /**************** build output packet HDR;KE;Ni ****************/
 
@@ -3306,13 +3261,11 @@ main_inR1_outI2(struct msg_digest *md)
        return STF_INTERNAL_ERROR;
 #endif
 
-#ifdef NAT_TRAVERSAL
     if (st->nat_traversal & NAT_T_WITH_NATD)
     {
        if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
            return STF_INTERNAL_ERROR;
     }
-#endif
 
     /* finish message */
     close_message(&md->rbody);
@@ -3353,11 +3306,6 @@ main_inI2_outR2(struct msg_digest *md)
     /* Ni in */
     RETURN_STF_FAILURE(accept_nonce(md, &st->st_ni, "Ni"));
 
-#ifdef NAT_TRAVERSAL
-    DBG(DBG_CONTROLMORE,
-       DBG_log("inI2: checking NAT-t: %d and %d"
-               , nat_traversal_enabled, st->nat_traversal)
-    )
     if (st->nat_traversal & NAT_T_WITH_NATD)
     {
        nat_traversal_natd_lookup(md);
@@ -3373,7 +3321,6 @@ main_inI2_outR2(struct msg_digest *md)
     {
        nat_traversal_new_ka_event();
     }
-#endif
 
     /* decode certificate requests */
     st->st_connection->got_certrequest = FALSE;
@@ -3449,14 +3396,12 @@ main_inI2_outR2(struct msg_digest *md)
            }
        }
     }
-    
-#ifdef NAT_TRAVERSAL
+
     if (st->nat_traversal & NAT_T_WITH_NATD)
     {
        if (!nat_traversal_add_natd(ISAKMP_NEXT_NONE, &md->rbody, md))
           return STF_INTERNAL_ERROR;
     }
-#endif
 
     /* finish message */
     close_message(&md->rbody);
@@ -3529,17 +3474,18 @@ main_inR2_outI3(struct msg_digest *md)
     if (!generate_skeyids_iv(st))
        return STF_FAIL + AUTHENTICATION_FAILED;
 
-#ifdef NAT_TRAVERSAL
-       if (st->nat_traversal & NAT_T_WITH_NATD) {
+       if (st->nat_traversal & NAT_T_WITH_NATD)
+       {
            nat_traversal_natd_lookup(md);
        }
-       if (st->nat_traversal) {
+       if (st->nat_traversal)
+       {
            nat_traversal_show_result(st->nat_traversal, md->sender_port);
        }
-       if (st->nat_traversal & NAT_T_WITH_KA) {
+       if (st->nat_traversal & NAT_T_WITH_KA)
+       {
            nat_traversal_new_ka_event();
        }
-#endif
 
     /*************** build output packet HDR*;IDii;HASH/SIG_I ***************/
     /* ??? NOTE: this is almost the same as main_inI3_outR3's code */
@@ -4772,14 +4718,8 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
                    /* Plain Road Warrior:
                     * instantiate, carrying over authenticated peer ID
                     */
-                   p = rw_instantiate(p, &c->spd.that.host_addr,
-#ifdef NAT_TRAVERSAL
-                               md->sender_port,
-#endif
-#ifdef VIRTUAL_IP
-                               his_net, 
-#endif
-                               &c->spd.that.id);
+                   p = rw_instantiate(p, &c->spd.that.host_addr, md->sender_port
+                               , his_net, &c->spd.that.id);
                }
            }
 #ifdef DEBUG
@@ -4802,8 +4742,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
            p->spd.that.client = *his_net;
            p->spd.that.has_client_wildcard = FALSE;
        }
-
-#ifdef VIRTUAL_IP
        else if (is_virtual_connection(c))
        {
            c->spd.that.client = *his_net;
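Review bot: The virtual-IP branch copies the peer-proposed `his_net` straight into `c->spd.that.client` with no visible check that the subnet is one the connection's virtual policy permits; that validation presumably happens earlier in quick_inI1_outR1_tail (the function starts well before this hunk, so it cannot be confirmed here), and a precondition comment would make the dependency explicit now that the code is no longer behind `#ifdef VIRTUAL_IP`: `/* his_net must already have passed is_virtual_net_allowed() for this connection */`. Note also that this branch writes to `c` while the `has_client_wildcard` branch just above writes to `p`; the `rw_instantiate` a few lines earlier means `p` can differ from `c`, so confirm that the template rather than the instance is the intended target. The rest of this `else if` body is in the following hunk.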
@@ -4811,7 +4749,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
            if (subnetishost(his_net) && addrinsubnet(&c->spd.that.host_addr, his_net))
                c->spd.that.has_client = FALSE;
        }
-#endif
 
        /* fill in the client's true port */
        if (p->spd.that.has_port_wildcard)
@@ -4870,7 +4807,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
        st->st_policy = (p1st->st_policy & POLICY_ISAKMP_MASK)
            | (c->policy & ~POLICY_ISAKMP_MASK);
 
-#ifdef NAT_TRAVERSAL
        if (p1st->nat_traversal & NAT_T_DETECTED)
        {
            st->nat_traversal = p1st->nat_traversal;
@@ -4880,12 +4816,11 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
        {
            st->nat_traversal = 0;
        }
-       if ((st->nat_traversal & NAT_T_DETECTED) &&
-           (st->nat_traversal & NAT_T_WITH_NATOA))
+       if ((st->nat_traversal & NAT_T_DETECTED)
+       &&  (st->nat_traversal & NAT_T_WITH_NATOA))
        {
            nat_traversal_natoa_lookup(md);
        }
-#endif
 
        /* Start the output packet.
         *
@@ -4973,7 +4908,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
            p->isaiid_np = ISAKMP_NEXT_NONE;
        }
 
-#ifdef NAT_TRAVERSAL
        if ((st->nat_traversal & NAT_T_WITH_NATOA)
        && (st->nat_traversal & LELEM(NAT_TRAVERSAL_NAT_BHND_ME))
        && (st->st_esp.attrs.encapsulation == ENCAPSULATION_MODE_TRANSPORT))
@@ -4992,7 +4926,6 @@ quick_inI1_outR1_tail(struct verify_oppo_bundle *b
            addrtosubnet(&c->spd.that.host_addr, &c->spd.that.client);
            c->spd.that.has_client = FALSE;
        }
-#endif
 
        /* Compute reply HASH(2) and insert in output */
        (void)quick_mode_hash12(r_hashval, r_hash_start, md->rbody.cur
@@ -5132,13 +5065,11 @@ quick_inR1_outI2(struct msg_digest *md)
        }
     }
 
-#ifdef NAT_TRAVERSAL
        if ((st->nat_traversal & NAT_T_DETECTED)
        &&  (st->nat_traversal & NAT_T_WITH_NATOA))
        {
            nat_traversal_natoa_lookup(md);
        }
-#endif
 
     /* ??? We used to copy the accepted proposal into the state, but it was
      * never used.  From sa_pd->pbs.start, length pbs_room(&sa_pd->pbs).
index bee185c..663fa72 100644 (file)
 #include "server.h"
 #include "whack.h"     /* for RC_LOG_SERIOUS */
 #include "keys.h"
-
-#ifdef NAT_TRAVERSAL
-#include "packet.h"  /* for pb_stream in nat_traversal.h */
 #include "nat_traversal.h"
-#endif
-
 #include "alg_info.h"
 #include "kernel_alg.h"
 
@@ -686,9 +681,7 @@ could_route(struct connection *c)
 
     /* if routing would affect IKE messages, reject */
     if (!no_klips
-#ifdef NAT_TRAVERSAL
     && c->spd.this.host_port != NAT_T_IKE_FLOAT_PORT
-#endif
     && c->spd.this.host_port != IKE_UDP_PORT
     && addrinsubnet(&c->spd.that.host_addr, &c->spd.that.client))
     {
@@ -1860,19 +1853,19 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
                SADB_EALG_3DES_CBC, SADB_AALG_SHA1_HMAC },
        };
 
-#ifdef NAT_TRAVERSAL
        u_int8_t natt_type = 0;
-       u_int16_t natt_sport = 0, natt_dport = 0;
+       u_int16_t natt_sport = 0;
+       u_int16_t natt_dport = 0;
        ip_address natt_oa;
 
-       if (st->nat_traversal & NAT_T_DETECTED) {
+       if (st->nat_traversal & NAT_T_DETECTED)
+       {
            natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ?
                ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;
            natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port;
            natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
            natt_oa = st->nat_oa;
        }
-#endif
 
        for (ei = esp_info; ; ei++)
        {
@@ -1903,34 +1896,38 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
        }
 
        key_len = st->st_esp.attrs.key_len/8;
-       if (key_len) {
-               /* XXX: must change to check valid _range_ key_len */
-               if (key_len > ei->enckeylen) {
-                       loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
-                       enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
-                       (int)key_len, (int)ei->enckeylen);
-                       goto fail;
-               }
-       } else {
-               key_len = ei->enckeylen;
+       if (key_len)
+       {
+           /* XXX: must change to check valid _range_ key_len */
+           if (key_len > ei->enckeylen)
+           {
+               loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
+                   enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
+                   (int)key_len, (int)ei->enckeylen);
+               goto fail;
+           }
+       }
+       else
+       {
+           key_len = ei->enckeylen;
        }
        /* Grrrrr.... f*cking 7 bits jurassic algos  */
 
        /* 168 bits in kernel, need 192 bits for keymat_len */
        if (ei->transid == ESP_3DES && key_len == 21) 
-               key_len = 24;
+           key_len = 24;
 
        /* 56 bits in kernel, need 64 bits for keymat_len */
        if (ei->transid == ESP_DES && key_len == 7) 
-               key_len = 8;
+           key_len = 8;
 
        /* divide up keying material */
        /* passert(st->st_esp.keymat_len == ei->enckeylen + ei->authkeylen); */
        DBG(DBG_KLIPS|DBG_CONTROL|DBG_PARSING, 
-               if(st->st_esp.keymat_len != key_len + ei->authkeylen)
-                       DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
-                               st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
-       );
+           if(st->st_esp.keymat_len != key_len + ei->authkeylen)
+               DBG_log("keymat_len=%d key_len=%d authkeylen=%d",
+                       st->st_esp.keymat_len, (int)key_len, (int)ei->authkeylen);
+       )
        passert(st->st_esp.keymat_len == key_len + ei->authkeylen);
 
        set_text_said(text_said, &dst.addr, esp_spi, SA_ESP);
@@ -1952,13 +1949,11 @@ setup_half_ipsec_sa(struct state *st, bool inbound)
        said_next->enckey = esp_dst_keymat;
        said_next->encapsulation = encapsulation;
        said_next->reqid = c->spd.reqid + 1;
-#ifdef NAT_TRAVERSAL
        said_next->natt_sport = natt_sport;
        said_next->natt_dport = natt_dport;
        said_next->transid = st->st_esp.attrs.transid;
        said_next->natt_type = natt_type;
        said_next->natt_oa = &natt_oa;
-#endif 
        said_next->text_said = text_said;
 
        if (!kernel_ops->add_sa(said_next, replace))
@@ -2826,68 +2821,69 @@ delete_ipsec_sa(struct state *st USED_BY_KLIPS, bool inbound_only USED_BY_KLIPS)
     DBG(DBG_CONTROL, DBG_log("if I knew how, I'd eroute() and teardown_ipsec_sa()"));
 #endif /* !KLIPS */
 }
-#ifdef NAT_TRAVERSAL
+
 #ifdef KLIPS
 static bool update_nat_t_ipsec_esp_sa (struct state *st, bool inbound)
 {
-       struct connection *c = st->st_connection;
-       char text_said[SATOT_BUF];
-       struct kernel_sa sa;    
-       ip_address
-               src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
-               dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
-               
+    struct connection *c = st->st_connection;
+    char text_said[SATOT_BUF];
+    struct kernel_sa sa;       
+    ip_address
+       src = inbound? c->spd.that.host_addr : c->spd.this.host_addr,
+       dst = inbound? c->spd.this.host_addr : c->spd.that.host_addr;
 
-       ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
+    ipsec_spi_t esp_spi = inbound? st->st_esp.our_spi : st->st_esp.attrs.spi;
 
-       u_int16_t
-               natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
-               natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
-
-       set_text_said(text_said, &dst, esp_spi, SA_ESP);
-               
-       memset(&sa, 0, sizeof(sa));
-       sa.spi = esp_spi;
-       sa.src = &src;
-       sa.dst = &dst;
-       sa.text_said = text_said;
-       sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
-       sa.natt_sport = natt_sport;
-       sa.natt_dport = natt_dport;
-       sa.transid = st->st_esp.attrs.transid;
-       
-        return kernel_ops->add_sa(&sa, TRUE);
+    u_int16_t
+       natt_sport = inbound? c->spd.that.host_port : c->spd.this.host_port,
+       natt_dport = inbound? c->spd.this.host_port : c->spd.that.host_port;
+
+    set_text_said(text_said, &dst, esp_spi, SA_ESP);
 
+    memset(&sa, 0, sizeof(sa));
+    sa.spi = esp_spi;
+    sa.src = &src;
+    sa.dst = &dst;
+    sa.text_said = text_said;
+    sa.authalg = alg_info_esp_aa2sadb(st->st_esp.attrs.auth);
+    sa.natt_sport = natt_sport;
+    sa.natt_dport = natt_dport;
+    sa.transid = st->st_esp.attrs.transid;
+
+    return kernel_ops->add_sa(&sa, TRUE);
 }
 #endif
 
 bool update_ipsec_sa (struct state *st USED_BY_KLIPS)
 {
 #ifdef KLIPS
-       if (IS_IPSEC_SA_ESTABLISHED(st->st_state)) {
-               if ((st->st_esp.present) && (
-                       (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
-                       (!update_nat_t_ipsec_esp_sa (st, FALSE)))) {
-                       return FALSE;
-               }
-       }
-       else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state)) {
-               if ((st->st_esp.present) && (!update_nat_t_ipsec_esp_sa (st, FALSE))) {
-                       return FALSE;
-               }
+    if (IS_IPSEC_SA_ESTABLISHED(st->st_state))
+    {
+       if (st->st_esp.present && (
+          (!update_nat_t_ipsec_esp_sa (st, TRUE)) ||
+          (!update_nat_t_ipsec_esp_sa (st, FALSE))))
+       {
+           return FALSE;
        }
-       else {
-               DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__,
-                       st->st_state);
-               return FALSE;
+    }
+    else if (IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(st->st_state))
+    {
+       if (st->st_esp.present && !update_nat_t_ipsec_esp_sa (st, FALSE))
+       {
+           return FALSE;
        }
-       return TRUE;
+    }
+    else
+    {
+       DBG_log("assert failed at %s:%d st_state=%d", __FILE__, __LINE__, st->st_state);
+       return FALSE;
+    }
+    return TRUE;
 #else /* !KLIPS */
     DBG(DBG_CONTROL, DBG_log("if I knew how, I'd update_ipsec_sa()"));
     return TRUE;
 #endif /* !KLIPS */
 }
-#endif
 
 /* Check if there was traffic on given SA during the last idle_max
  * seconds. If TRUE, the SA was idle and DPD exchange should be performed.
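Review bot: update_nat_t_ipsec_esp_sa never sets `sa.natt_type`, so after the `memset` it is 0 when the SA is passed to `kernel_ops->add_sa`; the pfkey backend in this same commit gates each NAT-T extension on `sa->natt_type == 0 ||`, which, as far as is visible, means the refreshed `natt_sport`/`natt_dport` would silently never reach the kernel on a new-mapping event (the port-extension lines sit between the visible kernel_pfkey.c hunks, so confirm). If so, mirror setup_half_ipsec_sa: `sa.natt_type = (st->nat_traversal & NAT_T_WITH_PORT_FLOATING) ? ESPINUDP_WITH_NON_ESP : ESPINUDP_WITH_NON_IKE;`. That fix must come with an OA, because once natt_type is non-zero `pfkey_add_sa` calls `isanyaddr(sa->natt_oa)` and here `sa.natt_oa` is still NULL from the memset: `sa.natt_oa = &st->nat_oa;`.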
index c01ff31..e7ff08c 100644 (file)
@@ -69,11 +69,11 @@ struct kernel_sa {
        unsigned compalg;
 
        int encapsulation;
-#ifdef NAT_TRAVERSAL
+
        u_int16_t natt_sport, natt_dport;
        u_int8_t transid, natt_type;
        ip_address *natt_oa;
-#endif
+
        const char *text_said;
 };
 
@@ -195,6 +195,4 @@ extern bool was_eroute_idle(struct state *st, time_t idle_max
 extern bool get_sa_info(struct state *st, bool inbound, u_int *bytes
     , time_t *use_time);
 
-#ifdef NAT_TRAVERSAL
 extern bool update_ipsec_sa(struct state *st);
-#endif
index fd43c46..1947ddb 100644 (file)
@@ -677,7 +677,6 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
        attr = (struct rtattr *)((char *)attr + attr->rta_len);
     }
 
-#ifdef NAT_TRAVERSAL
     if (sa->natt_type)
     {
        struct xfrm_encap_tmpl natt;
@@ -695,7 +694,6 @@ netlink_add_sa(const struct kernel_sa *sa, bool replace)
        req.n.nlmsg_len += attr->rta_len;
        attr = (struct rtattr *)((char *)attr + attr->rta_len);
     }
-#endif
 
     return send_netlink_msg(&req.n, NULL, 0, "Add SA", sa->text_said);
 }
index 76bfbaf..ced7a14 100644 (file)
 #include "kernel_pfkey.h"
 #include "log.h"
 #include "whack.h"     /* for RC_LOG_SERIOUS */
-#ifdef NAT_TRAVERSAL
 #include "demux.h"
 #include "nat_traversal.h"
-#endif
-
 #include "alg_info.h"
 #include "kernel_alg.h"
 
@@ -77,9 +74,7 @@ static sparse_names pfkey_type_names = {
        NE(SADB_X_ADDFLOW),
        NE(SADB_X_DELFLOW),
        NE(SADB_X_DEBUG),
-#ifdef NAT_TRAVERSAL
        NE(SADB_X_NAT_T_NEW_MAPPING),
-#endif
        NE(SADB_MAX),   
        { 0, sparse_end }
 };
@@ -250,10 +245,7 @@ pfkey_get(pfkey_buf *buf)
        else if (!(buf->msg.sadb_msg_pid == (unsigned)pid
        || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_ACQUIRE)
        || (buf->msg.sadb_msg_type == SADB_REGISTER)
-#ifdef NAT_TRAVERSAL
-       || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)
-#endif
-       ))
+       || (buf->msg.sadb_msg_pid == 0 && buf->msg.sadb_msg_type == SADB_X_NAT_T_NEW_MAPPING)))
        {
            /* not for us: ignore */
            DBG(DBG_KLIPS,
@@ -435,11 +427,9 @@ pfkey_async(pfkey_buf *buf)
            /* to simulate loss of ACQUIRE, delete this call */
            process_pfkey_acquire(buf, extensions);
            break;
-#ifdef NAT_TRAVERSAL
        case SADB_X_NAT_T_NEW_MAPPING:
            process_pfkey_nat_t_new_mapping(&(buf->msg), extensions);
            break;
-#endif
        default:
            /* ignored */
            break;
@@ -821,8 +811,7 @@ pfkey_add_sa(const struct kernel_sa *sa, bool replace)
                , SADB_EXT_KEY_ENCRYPT, sa->enckeylen * BITS_PER_BYTE
                , sa->enckey)
            , "pfkey_key_e Add SA", sa->text_said, extensions))
-        
-#ifdef NAT_TRAVERSAL
+
     && (sa->natt_type == 0
        || pfkey_build(pfkey_x_nat_t_type_build(
                &extensions[SADB_X_EXT_NAT_T_TYPE], sa->natt_type),
@@ -840,10 +829,9 @@ pfkey_add_sa(const struct kernel_sa *sa, bool replace)
     && (sa->natt_type == 0 || isanyaddr(sa->natt_oa)
        || pfkeyext_address(SADB_X_EXT_NAT_T_OA, sa->natt_oa
            , "pfkey_nat_t_oa Add ESP SA", sa->text_said, extensions))
-#endif
 
     && finish_pfkey_msg(extensions, "Add SA", sa->text_said, NULL);
-    
+
 }
 
 static bool
index faa3ae3..106573f 100644 (file)
 #include "timer.h"
 #include "fetch.h"
 
-#ifdef NAT_TRAVERSAL
-#define PB_STREAM_UNDEFINED
-#include "nat_traversal.h"
-#endif
-
 const char *shared_secrets_file = SHARED_SECRETS_FILE;
 
 typedef struct id_list id_list_t;
@@ -185,19 +180,16 @@ get_secret(const struct connection *c, enum PrivateKeyKind kind, bool asym)
        happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
        his_id = &rw_id;
     }
-#ifdef NAT_TRAVERSAL
-    else if (nat_traversal_enabled
+    else if (kind == PPK_PSK
     && (c->policy & POLICY_PSK)
-    && kind == PPK_PSK
     && ((c->kind == CK_TEMPLATE && c->spd.that.id.kind == ID_NONE) ||
         (c->kind == CK_INSTANCE && id_is_ipaddr(&c->spd.that.id))))
     {
-           /* roadwarrior: replace him with 0.0.0.0 */
-           rw_id.kind = ID_IPV4_ADDR;
-           happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
-           his_id = &rw_id;
+       /* roadwarrior: replace him with 0.0.0.0 */
+       rw_id.kind = ID_IPV4_ADDR;
+       happy(anyaddr(addrtypeof(&c->spd.that.host_addr), &rw_id.ip_addr));
+       his_id = &rw_id;
     }
-#endif
 
     for (s = secrets; s != NULL; s = s->next)
     {
index c95ec63..ea75e26 100644 (file)
@@ -14,8 +14,6 @@
  * RCSID $Id: nat_traversal.c,v 1.8 2005/01/06 22:36:58 as Exp $
  */
 
-#ifdef NAT_TRAVERSAL
-
 #include <stdio.h>
 #include <stdlib.h>
 #include <ctype.h>
@@ -31,6 +29,7 @@
 #include <ipsec_policy.h>
 #include <pfkeyv2.h>
 #include <pfkey.h>
+
 #include "constants.h"
 #include "defs.h"
 #include "log.h"
@@ -42,8 +41,6 @@
 #include "kernel.h"
 #include "whack.h"
 #include "timer.h"
-
-
 #include "cookie.h"
 #include "sha1.h"
 #include "md5.h"
@@ -580,7 +577,7 @@ static void nat_traversal_send_ka (struct state *st)
 
     /* send keep alive */
     setchunk(st->st_tpacket, &ka_payload, 1);
-    _send_packet(st, "NAT-T Keep Alive", FALSE);
+    send_packet(st, "NAT-T Keep Alive");
 
     /* restore state chunk */
     setchunk(st->st_tpacket, sav.ptr, sav.len);
@@ -865,5 +862,3 @@ void process_pfkey_nat_t_new_mapping(
        plog("SADB_X_NAT_T_NEW_MAPPING message from KLIPS malformed: %s", ugh);
 }
 
-#endif
-
index f9badba..5d6e7aa 100644 (file)
 #include "ocsp.h"
 #include "crl.h"
 #include "fetch.h"
-
 #include "sha1.h"
 #include "md5.h"
 #include "crypto.h"    /* requires sha1.h and md5.h */
-
-#ifdef VIRTUAL_IP
-#include "virtual.h"
-#endif
-
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
+#include "virtual.h"
 
 static void
 usage(const char *mess)
@@ -123,17 +116,13 @@ usage(const char *mess)
            " [--debug-controlmore]"
            " [--debug-private]"
 #endif
-#ifdef NAT_TRAVERSAL
            " [ --debug-natt]"
            " \\\n\t"
            "[--nat_traversal] [--keep_alive <delay_sec>]"
            " \\\n\t"
            "[--force_keepalive] [--disable_port_floating]"
-#endif
-#ifdef VIRTUAL_IP
           " \\\n\t"
           "[--virtual_private <network_list>]"
-#endif
            "\n"
        "strongSwan %s\n"
        , ipsec_version_code());
@@ -225,15 +214,11 @@ main(int argc, char **argv)
 {
     bool fork_desired = TRUE;
     bool log_to_stderr_desired = FALSE;
-#ifdef NAT_TRAVERSAL
     bool nat_traversal = FALSE;
     bool nat_t_spf = TRUE;  /* support port floating */
     unsigned int keep_alive = 0;
     bool force_keepalive = FALSE;
-#endif
-#ifdef VIRTUAL_IP
     char *virtual_private = NULL;
-#endif
     int lockfd;
 
     /* handle arguments */
@@ -269,20 +254,15 @@ main(int argc, char **argv)
            { "pkcs11module", required_argument, NULL, 'm' },
            { "pkcs11keepstate", no_argument, NULL, 'k' },
            { "pkcs11proxy", no_argument, NULL, 'y' },
-#ifdef NAT_TRAVERSAL
            { "nat_traversal", no_argument, NULL, '1' },
            { "keep_alive", required_argument, NULL, '2' },
            { "force_keepalive", no_argument, NULL, '3' },
            { "disable_port_floating", no_argument, NULL, '4' },
            { "debug-natt", no_argument, NULL, '5' },
-#endif
-#ifdef VIRTUAL_IP
            { "virtual_private", required_argument, NULL, '6' },
-#endif
 #ifdef DEBUG
            { "debug-none", no_argument, NULL, 'N' },
            { "debug-all", no_argument, NULL, 'A' },
-
            { "debug-raw", no_argument, NULL, DBG_RAW + DBG_OFFSET },
            { "debug-crypt", no_argument, NULL, DBG_CRYPT + DBG_OFFSET },
            { "debug-parsing", no_argument, NULL, DBG_PARSING + DBG_OFFSET },
@@ -460,7 +440,6 @@ main(int argc, char **argv)
            log_to_perpeer = TRUE;
            continue;
 
-#ifdef NAT_TRAVERSAL
        case '1':       /* --nat_traversal */
            nat_traversal = TRUE;
            continue;
@@ -476,12 +455,9 @@ main(int argc, char **argv)
        case '5':       /* --debug-nat_t */
            base_debugging |= DBG_NATT;
            continue;
-#endif
-#ifdef VIRTUAL_IP
        case '6':       /* --virtual_private */
            virtual_private = optarg;
            continue;
-#endif
 
        default:
 #ifdef DEBUG
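Review bot: The case-label comment `/* --debug-nat_t */` does not match the option actually registered in the long-options table, `debug-natt`, and the usage text in an earlier hunk prints it as `[ --debug-natt]` with a stray space before the name; align them, starting with `case '5':       /* --debug-natt */`. Minor, but these are the strings operators grep for when reading the source next to the man page.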
@@ -620,13 +596,8 @@ main(int argc, char **argv)
        , ipsec_version_code()
        , compile_time_interop_options);
 
-#ifdef NAT_TRAVERSAL
     init_nat_traversal(nat_traversal, keep_alive, force_keepalive, nat_t_spf);
-#endif
-
-#ifdef VIRTUAL_IP
     init_virtual_ip(virtual_private);
-#endif
     scx_init(pkcs11_module_path);   /* load and initialize PKCS #11 module */
     init_rnd_pool();
     init_secret();
index 4bc8bca..6a39e7c 100644 (file)
@@ -321,28 +321,24 @@ whack_handle(int whackctlfd)
        || !unpack_str(&msg.left.ca)            /* string  4 */
        || !unpack_str(&msg.left.groups)        /* string  5 */
        || !unpack_str(&msg.left.updown)        /* string  6 */
-#ifdef VIRTUAL_IP
-       || !unpack_str(&msg.left.virt)
-#endif
-       || !unpack_str(&msg.right.id)           /* string  7 */
-       || !unpack_str(&msg.right.cert)         /* string  8 */
-       || !unpack_str(&msg.right.ca)           /* string  9 */
-       || !unpack_str(&msg.right.groups)       /* string 10 */
-       || !unpack_str(&msg.right.updown)       /* string 11 */
-#ifdef VIRTUAL_IP
-       || !unpack_str(&msg.right.virt)
-#endif
-       || !unpack_str(&msg.keyid)              /* string 12 */
-       || !unpack_str(&msg.myid)               /* string 13 */
-       || !unpack_str(&msg.cacert)             /* string 14 */
-       || !unpack_str(&msg.ldaphost)           /* string 15 */
-       || !unpack_str(&msg.ldapbase)           /* string 16 */
-       || !unpack_str(&msg.crluri)             /* string 17 */
-       || !unpack_str(&msg.crluri2)            /* string 18 */
-       || !unpack_str(&msg.ocspuri)            /* string 19 */
-       || !unpack_str(&msg.ike)                /* string 20 */
-       || !unpack_str(&msg.esp)                /* string 21 */
-       || !unpack_str(&msg.sc_data)            /* string 22 */
+       || !unpack_str(&msg.left.virt)          /* string  7 */
+       || !unpack_str(&msg.right.id)           /* string  8 */
+       || !unpack_str(&msg.right.cert)         /* string  9 */
+       || !unpack_str(&msg.right.ca)           /* string 10 */
+       || !unpack_str(&msg.right.groups)       /* string 11 */
+       || !unpack_str(&msg.right.updown)       /* string 12 */
+       || !unpack_str(&msg.right.virt)         /* string 13 */
+       || !unpack_str(&msg.keyid)              /* string 14 */
+       || !unpack_str(&msg.myid)               /* string 15 */
+       || !unpack_str(&msg.cacert)             /* string 16 */
+       || !unpack_str(&msg.ldaphost)           /* string 17 */
+       || !unpack_str(&msg.ldapbase)           /* string 18 */
+       || !unpack_str(&msg.crluri)             /* string 19 */
+       || !unpack_str(&msg.crluri2)            /* string 20 */
+       || !unpack_str(&msg.ocspuri)            /* string 21 */
+       || !unpack_str(&msg.ike)                /* string 22 */
+       || !unpack_str(&msg.esp)                /* string 23 */
+       || !unpack_str(&msg.sc_data)            /* string 24 */
        || str_roof - next_str != (ptrdiff_t)msg.keyval.len)    /* check chunk */
        {
            ugh = "message from whack contains bad string";
index 2defbc0..9cd3e07 100644 (file)
 #include <pfkeyv2.h>
 #include <pfkey.h>
 #include "kameipsec.h"
-
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
 
 /*
  *  Server main loop and socket initialization routines.
@@ -702,13 +699,11 @@ add_entry:
                    if (fd < 0)
                        break;
 
-#ifdef NAT_TRAVERSAL
                    if (nat_traversal_support_non_ike
                    && addrtypeof(&ifp->addr) == AF_INET)
                    {
                        nat_traversal_espinudp_socket(fd, ESPINUDP_WITH_NON_IKE);
                    }
-#endif
 
                    q = alloc_thing(struct iface, "struct iface");
                    q->rname = clone_str(ifp->name, "real device name");
@@ -720,7 +715,7 @@ add_entry:
                    interfaces = q;
                    plog("adding interface %s/%s %s:%d"
                        , q->vname, q->rname, ip_str(&q->addr), pluto_port);
-#ifdef NAT_TRAVERSAL
+
                    if (nat_traversal_support_port_floating
                    && addrtypeof(&ifp->addr) == AF_INET)
                    {
@@ -742,7 +737,6 @@ add_entry:
                        plog("adding interface %s/%s %s:%d",
                        q->vname, q->rname, ip_str(&q->addr), NAT_T_IKE_FLOAT_PORT);
                    }
-#endif
                    break;
                }
 
@@ -753,16 +747,17 @@ add_entry:
                {
                    /* matches -- rejuvinate old entry */
                    q->change = IFN_KEEP;
-#ifdef NAT_TRAVERSAL
+
                    /* look for other interfaces to keep (due to NAT-T) */
-                   for (q = q->next ; q ; q = q->next) {
+                   for (q = q->next ; q ; q = q->next)
+                   {
                        if (streq(q->rname, ifp->name)
-                           && streq(q->vname, v->name)
-                           && sameaddr(&q->addr, &ifp->addr)) {
-                               q->change = IFN_KEEP;
+                       && streq(q->vname, v->name)
+                       && sameaddr(&q->addr, &ifp->addr))
+                       {
+                           q->change = IFN_KEEP;
                        }
                    }
-#endif
                    break;
                }
 
index aa14d5a..d90e47c 100644 (file)
@@ -40,9 +40,7 @@ struct iface {
     ip_address addr;   /* interface IP address */
     int fd;    /* file descriptor of socket for IKE UDP messages */
     struct iface *next;
-#ifdef NAT_TRAVERSAL
     bool ike_float;
-#endif
     enum { IFN_ADD, IFN_KEEP, IFN_DELETE } change;
 };
 
index 6515ec7..6bdc82d 100644 (file)
 #include "kernel.h"
 #include "log.h"
 #include "spdb.h"
-#include "whack.h"     /* for RC_LOG_SERIOUS */
-
+#include "whack.h"
 #include "sha1.h"
 #include "md5.h"
 #include "crypto.h" /* requires sha1.h and md5.h */
-
 #include "alg_info.h"
 #include "kernel_alg.h"
 #include "ike_alg.h"
 #include "db_ops.h"
+#include "nat_traversal.h"
+
 #define AD(x) x, elemsof(x)    /* Array Description */
 #define AD_NULL NULL, 0
 
-#ifdef NAT_TRAVERSAL
-#include "nat_traversal.h"
-#endif
-
 /**************** Oakely (main mode) SA database ****************/
 
 /* arrays of attributes for transforms, preshared key */
@@ -659,7 +655,6 @@ out_sa(pb_stream *outs
                    if (p->protoid != PROTO_IPCOMP
                    || st->st_policy & POLICY_TUNNEL)
                    {
-#ifdef NAT_TRAVERSAL
 #ifndef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
                        if ((st->nat_traversal & NAT_T_DETECTED)
                        && !(st->st_policy & POLICY_TUNNEL))
@@ -672,22 +667,16 @@ out_sa(pb_stream *outs
                                "using Tunnel mode");
                        }
 #endif
-#endif
                        out_attr(ENCAPSULATION_MODE
-#ifdef NAT_TRAVERSAL
 #ifdef I_KNOW_TRANSPORT_MODE_HAS_SECURITY_CONCERN_BUT_I_WANT_IT
-                           , NAT_T_ENCAPSULATION_MODE(st,st->st_policy)
+                           , NAT_T_ENCAPSULATION_MODE(st, st->st_policy)
 #else
                                /* If NAT-T is detected, use UDP_TUNNEL as long as Transport
                                 * Mode has security concerns.
                                 *
                                 * User has been informed of that
                                 */
-                           , NAT_T_ENCAPSULATION_MODE(st,POLICY_TUNNEL)
-#endif
-#else /* ! NAT_TRAVERSAL */
-                           , st->st_policy & POLICY_TUNNEL
-                             ? ENCAPSULATION_MODE_TUNNEL : ENCAPSULATION_MODE_TRANSPORT
+                           , NAT_T_ENCAPSULATION_MODE(st, POLICY_TUNNEL)
 #endif
                            , attr_desc, attr_val_descs
                            , &trans_pbs);
@@ -1557,7 +1546,6 @@ parse_ipsec_transform(struct isakmp_transform *trans
                break;
            case ENCAPSULATION_MODE | ISAKMP_ATTR_AF_TV:
                ipcomp_inappropriate = FALSE;
-#ifdef NAT_TRAVERSAL
                switch (val)
                {
                case ENCAPSULATION_MODE_TUNNEL:
@@ -1642,9 +1630,6 @@ parse_ipsec_transform(struct isakmp_transform *trans
                            , "unknown ENCAPSULATION_MODE %d in IPSec SA", val);
                        return FALSE;
                }
-#else
-               attrs->encapsulation = val;
-#endif
                break;
            case AUTH_ALGORITHM | ISAKMP_ATTR_AF_TV:
                attrs->auth = val;
index 2f30d77..f4a0bc8 100644 (file)
@@ -201,7 +201,7 @@ struct state
     unsigned int       st_iv_len;
     unsigned int       st_new_iv_len;
     unsigned int       st_ph1_iv_len;
-    
+
     chunk_t            st_enc_key;             /* Oakley Encryption key */
 
     struct event      *st_event;               /* backpointer for certain events */
@@ -212,11 +212,9 @@ struct state
        bool vars_set;
        bool started;
     } st_modecfg;
-    
-#ifdef NAT_TRAVERSAL
+
     u_int32_t         nat_traversal;
     ip_address        nat_oa;
-#endif
 
     /* RFC 3706 Dead Peer Detection */
     bool                st_dpd;                        /* Peer supports DPD */
index 4d9ef8f..9d3f90c 100644 (file)
 #include "rnd.h"
 #include "timer.h"
 #include "whack.h"
-
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
 
 /* monotonic version of time(3) */
 time_t
@@ -427,11 +424,9 @@ handle_timer_event(void)
        case EVENT_DPD_TIMEOUT:
            dpd_timeout(st);
            break;
-#ifdef NAT_TRAVERSAL
        case EVENT_NAT_T_KEEPALIVE:
            nat_traversal_ka_event();
            break;
-#endif
        default:
            loglog(RC_LOG_SERIOUS, "INTERNAL ERROR: ignoring unknown expiring event %s"
                , enum_show(&timer_event_names, type));
index 92116d3..2a53f97 100644 (file)
 #include "whack.h"
 #include "vendor.h"
 #include "kernel.h"
-
-#ifdef NAT_TRAVERSAL
 #include "nat_traversal.h"
-#endif
 
 /**
  * Unknown/Special VID:
@@ -348,7 +345,7 @@ handle_known_vendorid (struct msg_digest *md
        md->openpgp = TRUE;
        vid_useful = TRUE;
        break;
-#ifdef NAT_TRAVERSAL
+
     /*
      * Use most recent supported NAT-Traversal method and ignore the
      * other ones (implementations will send all supported methods but
@@ -376,7 +373,7 @@ handle_known_vendorid (struct msg_digest *md
            vid_useful = TRUE;
        }
        break;
-#endif
+
     /* Remote side would like to do DPD with us on this connection */
     case VID_MISC_DPD:
        md->dpd = TRUE;
index 58487c1..d155336 100644 (file)
@@ -14,8 +14,6 @@
  * RCSID $Id: virtual.c,v 1.4 2004/04/02 10:38:52 as Exp $
  */
 
-#ifdef VIRTUAL_IP
-
 #include <freeswan.h>
 
 #include <stdlib.h>
@@ -334,5 +332,3 @@ is_virtual_net_allowed(const struct connection *c, const ip_subnet *peer_net,
     return FALSE;
 }
 
-#endif
-