Date:      Wed, 17 Nov 2004 15:44:50 +0100 (CET)
From:      Christian Lackas <delta@lackas.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   ports/74040: [maintainer-update] security/vpnc
Message-ID:  <200411171444.iAHEioM4079252@zel726.zel.kfa-juelich.de>
Resent-Message-ID: <200411171450.iAHEoW2Y023424@freefall.freebsd.org>


>Number:         74040
>Category:       ports
>Synopsis:       [maintainer-update] security/vpnc
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 17 14:50:31 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator:     Christian Lackas
>Release:        FreeBSD 5.2.1-RELEASE-p11 i386
>Organization:
Delta Consulting
>Environment:
System: FreeBSD zel726.zel.kfa-juelich.de 5.2.1-RELEASE-p11 FreeBSD 5.2.1-RELEASE-p11 #21: Fri Oct 15 13:17:34 CEST 2004 root@zel726.zel.kfa-juelich.de:/usr/obj/usr/src/sys/KERNEL.ZEL726 i386


>Description:

	Update to version 0.3.1 (plus a fix to unbreak ESP mode and updated
	man-page)
	
	CHANGELOG:
	# included IPSec over UDP and NAT-T support, thanks to Tomas Mraz and
	# Martin von Gagern
	# added support for interactive authentication (security tokens for
	# example)
	# fixed IOS support

>How-To-Repeat:

>Fix:

	Apply the attached patch (also available at
	http://www.lackas.net/freebsd/vpnc-0.3.1.diff).


diff -urN /usr/ports/security/vpnc/Makefile vpnc/Makefile
--- /usr/ports/security/vpnc/Makefile	Mon Jun 21 08:24:32 2004
+++ vpnc/Makefile	Wed Nov 17 15:37:54 2004
@@ -6,12 +6,10 @@
 #
 
 PORTNAME=	vpnc
-PORTVERSION=	0.2
-PORTREVISION=	8
+PORTVERSION=	0.3.1
 CATEGORIES=	security
 MASTER_SITES=	http://www.unix-ag.uni-kl.de/~massar/vpnc/:source \
 	http://dragon.roe.ch/mirrors/distfiles/vpnc/:script
-DISTNAME=	${PORTNAME}-${PORTVERSION}-rm+zomb.1
 DISTFILES=	${DISTNAME}${EXTRACT_SUFX}:source ${STARTSCRIPT}:script
 EXTRACT_ONLY=	${DISTNAME}${EXTRACT_SUFX}
 
@@ -35,7 +33,7 @@
 
 post-patch:
 	@${REINPLACE_CMD} -e \
-		's|%%PREFIX%%|${PREFIX}|' ${WRKSRC}/vpnc.c
+		's|%%PREFIX%%|${PREFIX}|' ${WRKSRC}/config.c
 	@${REINPLACE_CMD} -e \
 		's|%%CC%%|${CC}|;s|%%CFLAGS%%|${CFLAGS}|' \
 			${WRKSRC}/Makefile
diff -urN /usr/ports/security/vpnc/distinfo vpnc/distinfo
--- /usr/ports/security/vpnc/distinfo	Fri May 14 10:04:39 2004
+++ vpnc/distinfo	Wed Nov 17 15:22:19 2004
@@ -1,4 +1,4 @@
-MD5 (vpnc-0.2-rm+zomb.1.tar.gz) = ded67de747874c4245ed8405146dc94a
-SIZE (vpnc-0.2-rm+zomb.1.tar.gz) = 54166
+MD5 (vpnc-0.3.1.tar.gz) = 02b814ee7bd5ff3f5a5535eff4e3387d
+SIZE (vpnc-0.3.1.tar.gz) = 56007
 MD5 (vpnc-wrapper-1.10) = 32c11fe4de7f0cda2fdfcc7dd2a40271
 SIZE (vpnc-wrapper-1.10) = 6414
diff -urN /usr/ports/security/vpnc/files/patch-config.c vpnc/files/patch-config.c
--- /usr/ports/security/vpnc/files/patch-config.c	Thu Jan  1 01:00:00 1970
+++ vpnc/files/patch-config.c	Wed Nov 17 15:09:10 2004
@@ -0,0 +1,13 @@
+--- config.c.dist	Wed Nov 17 15:07:24 2004
++++ config.c	Wed Nov 17 15:07:33 2004
+@@ -479,8 +479,8 @@
+ 		}
+ 	}
+ 
+-	read_config_file("/etc/vpnc/default.conf", config, 1);
+-	read_config_file("/etc/vpnc.conf", config, 1);
++	read_config_file("%%PREFIX%%/etc/vpnc/default.conf", config, 1);
++	read_config_file("%%PREFIX%%/etc/vpnc.conf", config, 1);
+ 
+ 	if (!print_config) {
+ 		for (i = 0; config_names[i].name != NULL; i++)
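Review bot: The new patch file leaves the literal `%%PREFIX%%` in both `read_config_file()` calls with no explanation of where it comes from, so a reader of files/patch-config.c alone cannot tell whether it is a typo or a placeholder. The substitution is done by the port's post-patch `REINPLACE_CMD` target in the Makefile, which this same submission retargets from vpnc.c to config.c; a one-line note above the `---` header, such as `%%PREFIX%% is replaced by the port Makefile's post-patch target so the config files live under ${PREFIX}/etc`, would record that dependency in the file that carries it. The enclosing function in config.c starts and ends outside the hunk.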
diff -urN /usr/ports/security/vpnc/files/patch-tunip.c vpnc/files/patch-tunip.c
--- /usr/ports/security/vpnc/files/patch-tunip.c	Thu Jan  1 01:00:00 1970
+++ vpnc/files/patch-tunip.c	Wed Nov 17 15:23:15 2004
@@ -0,0 +1,26 @@
+Index: tunip.c
+===================================================================
+--- tunip.c	(revision 35)
++++ tunip.c	(working copy)
+@@ -596,10 +596,6 @@
+ 	/* Fill non-mutable fields */
+ 	ip->ip_v = IPVERSION;
+ 	ip->ip_hl = 5;
+-	ip->ip_len = encap->buflen + (peer->remote_sa->md_algo? 12 :0);
+-#ifdef NEED_IPLEN_FIX
+-	ip->ip_len = htons(ip->ip_len);
+-#endif
+ 	/*gcry_md_get_algo_dlen(md_algo); see RFC .. only use 96 bit */
+ 	ip->ip_id = htons(ip_id++);
+ 	ip->ip_p = IPPROTO_ESP;
+@@ -614,6 +610,10 @@
+ 
+ 	encap_esp_encapsulate(encap, peer);
+ 
++	ip->ip_len = encap->buflen;
++#ifdef NEED_IPLEN_FIX
++	ip->ip_len = htons(ip->ip_len);
++#endif
+ 	ip->ip_sum = in_cksum((u_short *) encap->buf, sizeof(struct ip));
+ 
+ 	sent = sendto(encap->fd, encap->buf, encap->buflen, 0,
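Review bot: The comment `/*gcry_md_get_algo_dlen(md_algo); see RFC .. only use 96 bit */` is kept after the `ip_hl` assignment even though the `md_algo ? 12 : 0` term it explained is removed by this hunk, so it now annotates nothing; move it next to the new `ip->ip_len = encap->buflen;` line or drop it. That new assignment also stores `encap->buflen` into the 16-bit `ip_len` field with no range check, and the hunk does not show what bounds `encap_esp_encapsulate()` places on the buffer, so if it can ever exceed 65535 bytes the length wraps silently and the `in_cksum()` on the following line covers a bogus header. A guard before the assignment, `if (encap->buflen > 0xffff) /* take the function's error path */`, would make the assumption explicit; the type of `buflen` is not visible here, so the exact comparison may need adjusting. The enclosing function begins and ends outside the hunk, including the check on `sent`.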
diff -urN /usr/ports/security/vpnc/files/patch-vpnc.8 vpnc/files/patch-vpnc.8
--- /usr/ports/security/vpnc/files/patch-vpnc.8	Fri May 14 10:04:39 2004
+++ vpnc/files/patch-vpnc.8	Wed Nov 17 15:22:32 2004
@@ -1,13 +1,49 @@
---- vpnc.8.orig	Fri May 14 00:27:57 2004
-+++ vpnc.8	Fri May 14 00:53:08 2004
-@@ -1,4 +1,5 @@
+--- vpnc.8.dist	Wed Nov 17 15:19:42 2004
++++ vpnc.8	Wed Nov 17 15:20:40 2004
+@@ -1,18 +1,45 @@
 -.TH "VPNC" "8" "13 Mai 2004" "Debian" "vpnc"
 +.\" groff -man -Tascii vpnc.8
 +.TH "VPNC" "8" "Mai 2004" "FreeBSD" "vpnc"
  
  .SH NAME
- vpnc \- client for cisco3000 VPN Concentrator
-@@ -36,10 +37,6 @@
+-vpnc \- client for Cisco VPN3000 Concentrator, IOS and PIX
++vpnc \- client for cisco3000 VPN Concentrator
+ .SH SYNOPSIS
+ 
+-see
+-.B vpnc  \-\-long\-help
++.B vpnc  [ \-\-gateway 
++.I <IP or hostname>
++.B ] [ \-\-id
++.I <IPSec group Id>
++.B ] [ \-\-username
++.I <user name>
++.B ] [ \-\-script 
++.I <command>
++.B ] [ \-\-domain
++.I <domain name>
++.B ] [ \-\-dh
++.I <dh1/dh2/dh5>
++.B ] [ \-\-pfs
++.I <nopfs/dh1/dh2/dh5/server>
++.B ] [ \-\-enable-1des 
++.B ] [ \-\-application-version 
++.I <version string>
++.B ] [ \-\-ifname 
++.I <interface>
++.B ] [ \-\-debug
++.I <0/1/2/3/99>
++.B ] [ \-\-no-detach 
++.B ] [ \-\-pid-file 
++.I <filename>
++.B ] [ \-\-local-port
++.I <0-65535>
++.B ] [ \-\-non-inter 
++.B ] [ \-\-udp
++.B ] [ \-\-udp-port <0-65535>
++.B ] [ \-\-disable-natt
++.B ]
++
  
  .SH "DESCRIPTION"
  .PP
@@ -18,7 +54,16 @@
  \fBvpnc\fR is a 
  VPN client for the Cisco 3000 VPN  Concentrator,  creating  a IPSec-like
  connection as a tunneling network device for the local system. It uses
-@@ -57,26 +54,17 @@
+@@ -20,7 +47,7 @@
+ on BSD. The created connection is presented as a tunneling network
+ device to the local system.
+ .PP
+-The vpnc daemon by it self does not set any routes, the user (or
++The vpnc daemon by itself does not set any routes, the user (or
+ the connect script, see below) has to do it on its own, e.g. for a full
+ tunnel with IP routing under Linux. Further, the user must care about
+ setting a minimal route to the gateway to not cut the essential
+@@ -30,26 +57,17 @@
  command (see \-\-script) to configure the interface and care about the
  route setup. By default, only a simple ifconfig command is executed.
  .PP
@@ -50,26 +95,20 @@
  .IP "- prompting the user if not found above"
  
  .PP
-@@ -104,66 +92,66 @@
- IP or host name of your IPSec gateway
+@@ -73,18 +91,87 @@
+ for security reasons) or be stored in a configuration file.
+ 
  
- .IP "\-\-id <ASCII string>"
-- Your group name in <ASCII string>
++.IP "\-\-gateway <ip/hostname>"
++IP or host name of your IPSec gateway
++
++.IP "\-\-id <ASCII string>"
 +Your group name in <ASCII string>
-       
- .IP "\-\-username <ASCII string>"
--  Your username
++      
++.IP "\-\-username <ASCII string>"
 +Your username
- 
- .IP "\-\-script <command>"
--  The <command> specified here is executed when the connection has been
--  established, in order to configure the interface, routing and so on.
--  Device name, IP, etc. are passed using enviroment variables, see
--  README. This script is executed right after ISAKMP is done, but befor
--  tunneling is enabled. Some environment variables are set and can be
--  used for the detail configuration. Default command: ifconfig $TUNDEV
--  inet $INTERNAL_IP4_ADDRESS pointopoint $INTERNAL_IP4_ADDRESS netmask
--  255.255.255.255 mtu 1412 up
++
++.IP "\-\-script <command>"
 +The <command> specified here is executed when the connection has been
 +established, in order to configure the interface, routing and so on.
 +Device name, IP, etc. are passed using enviroment variables, see
@@ -78,62 +117,67 @@
 +are set and can be used for the detail configuration. Default command: ifconfig
 +$TUNDEV inet $INTERNAL_IP4_ADDRESS pointopoint $INTERNAL_IP4_ADDRESS netmask
 +255.255.255.255 mtu 1412 up.
- 
- .IP "\-\-domain <ASCII string>"
--  Domain name for authentication, sometimes needed for authentification
--  against Windows NT domains.
++
++.IP "\-\-domain <ASCII string>"
 +Domain name for authentication, sometimes needed for authentification
 +against Windows NT domains.
- 
- .IP "\-\-dh <dh1/dh2/dh5>"
--  Name of the IKE DH Group (default: dh2)
++
++.IP "\-\-dh <dh1/dh2/dh5>"
 +Name of the IKE DH Group (default: dh2).
- 
- .IP "\-\-pfs <nopfs/dh1/dh2/dh5/server>"
--  Diffie-Hellman group to use for PFS, one of nopfs, dh1, dh2, dh5 or
--  server (default: server).
++
++.IP "\-\-pfs <nopfs/dh1/dh2/dh5/server>"
 +Diffie-Hellman group to use for PFS, one of nopfs, dh1, dh2, dh5 or
 +server (default: server).
- 
- .IP "\-\-enable\-1des"
-- Enables weak Single DES encryption
++
++.IP "\-\-enable\-1des"
 +Enables weak Single DES encryption.
- 
- .IP "\-\-application\-version <ASCII string>"
-- Application Version to report to the server when identifying ourself
-- (default: Cisco Systems VPN Client <vpnc-version>)
++
++.IP "\-\-application\-version <ASCII string>"
 +Application Version to report to the server when identifying ourself
 +(default: Cisco Systems VPN Client <vpnc-version>).
- 
- .IP "\-\-ifname <ASCII string>"
-- The virtual name of the Linux network interface assigned to the tunnel
-- endpoint
++
++.IP "\-\-ifname <ASCII string>"
 +The virtual name of the network interface assigned to the tunnel
-+endpoint (default: first available tunX).
- 
- .IP "\-\-debug <0/1/2/3/99>"
--  Show verbose debug messages with different verbosity levels
++endpoint (default: first available tunX). [Linux only]
++
++.IP "\-\-debug <0/1/2/3/99>"
 +Show verbose debug messages with different verbosity levels.
- 
- .IP "\-\-no\-detach"
-- Don't detach from the console (go to background) after login
++A level 99 transscript contains username and password, so
++do NEVER give those files away (use debug 3 instead).
++
++.IP "\-\-no\-detach"
 +Don't detach from the console (go to background) after login.
- 
- .IP "\-\-pid\-file <filename>"
-- Store the pid of background process in a file
++
++.IP "\-\-pid\-file <filename>"
 +Store the pid of background process in a file.
- 
- .IP "\-\-local-port <0-65535>"
--  Local ISAKMP port number to use (0 == use random port, 500 is default)
++
++.IP "\-\-local-port <0-65535>"
 +Local ISAKMP port number to use (0 == use random port, 500 is default).
- 
- .IP "\-\-non-inter"
-- Don't ask anything, exit on missing options
++
++.IP "\-\-non-inter"
 +Don't ask anything, exit on missing options.
- 
++
  .IP "\-\-print\-config"
 - Prints your configuration; output can be used as vpnc.conf
 +Prints your configuration; output can be used as vpnc.conf.
++
++.IP "\-\-udp"
++Use Cisco-UDP encapsulation of IPSEC traffic.
++
++.IP "\-\-udp-port"
++Local UDP Encapsulation Port number to use (0 == use random port)
++
++.IP "\-\-disable-natt"
++Disable use of NAT-T
++
++.IP "\-\-xauth-inter"
++Enable interactive extended authentification (for challenge
++response auth).
++
+ 
+-See output of
+-.B vpnc \-\-long\-help
+-for a complete description
  
  .SH FILES
 -.I /etc/vpnc.conf
@@ -145,7 +189,7 @@
  .B IPSec secret
  and
  .B Xauth password
-@@ -175,7 +163,7 @@
+@@ -96,7 +183,7 @@
  for further details.
  .RE
  
@@ -154,7 +198,31 @@
  .RS
  The vpnc\-connect will read configuration files in this directory when
  the config script name (without .conf) is specified on the command line.
-@@ -234,8 +222,8 @@
+@@ -129,7 +216,7 @@
+ See also the
+ .B \-\-print\-config
+ option to generate a config file, and the example file in the package
+-documentation directory where more advanced usage is demonstrated.
++documentation directory where more advanced usage is described.
+ 
+ Advanced features like manual setting of multiple target routes is
+ documented in the example files of the vpnc package.
+@@ -143,18 +230,17 @@
+ 
+ .SH AUTHOR
+ This man-page has been written by Eduard Bloch <blade(at)debian.org> and
+-Christian Lackas <delta(at)lackas.net>, based on vpnc README by
+-Maurice Massar <vpnc(at)unix\-ag.uni\-kl.de>.
+-Permission is
+-granted to copy, distribute and/or modify this document under
+-the terms of the GNU General Public License, Version 2 any 
+-later version published by the Free Software Foundation.
++Christian Lackas <delta(at)lackas.net>, based on the vpnc README by
++Maurice Massar <vpnc(at)unix\-ag.uni\-kl.de> and his source code.
++Permission is granted to copy, distribute and/or modify this document
++under the terms of the GNU General Public License, Version 2 any later
++version published by the Free Software Foundation.
+ .PP
  On Debian systems, the complete text of the GNU General Public
  License can be found in /usr/share/common\-licenses/GPL.
  .SH "SEE ALSO"
diff -urN /usr/ports/security/vpnc/files/patch-vpnc.c vpnc/files/patch-vpnc.c
--- /usr/ports/security/vpnc/files/patch-vpnc.c	Fri May 14 10:04:39 2004
+++ vpnc/files/patch-vpnc.c	Thu Jan  1 01:00:00 1970
@@ -1,13 +0,0 @@
---- vpnc.c.dist	Mon May  3 14:13:05 2004
-+++ vpnc.c	Mon May  3 14:13:41 2004
-@@ -2162,8 +2162,8 @@
-     else
-       read_config_file (argv[i], config, 0);
- 
--  read_config_file ("/etc/vpnc/default.conf", config, 1);
--  read_config_file ("/etc/vpnc.conf", config, 1);
-+  read_config_file ("%%PREFIX%%/etc/vpnc/default.conf", config, 1);
-+  read_config_file ("%%PREFIX%%/etc/vpnc.conf", config, 1);
- 
-   if (!print_config) {
-     if (!config[CONFIG_IKE_DH])


-- 
http://www.lackas.net/

>Release-Note:
>Audit-Trail:
>Unformatted:


