Bug 1015803

Summary: patch to allow to connect to an alcatel vpn concentrator
Product: [Fedora] Fedora
Reporter: Laurent Jacquot <jk>
Component: vpnc
Assignee: Christian Krause <chkr>
Status: CLOSED WONTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 19
CC: chkr, fschwarz, tmraz
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-11-08 11:36:39 UTC
Type: Bug
Attachments: vpnc-0.5.3-17.fix-alcatel.patch (flags: none)

Description Laurent Jacquot 2013-10-05 16:15:05 UTC
I've carried this homemade patch for a very long time; maybe it could be useful to others.


They are needed to connect to an Alcatel-Lucent Brick VPN Concentrator, I've made them after reading the post on vpnc-devel from Paolo Fiorillo in 2010:

I'm trying to connect VPNC client with Alcatel-Lucent Brick VPN Concentrator.

The result is: response was invalid [2]:  (ISAKMP_N_INVALID_SPI)(11)

The SPI size of the reply is 8.
In the VPNC code:

if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 0) reject = ISAKMP_N_INVALID_SPI;
if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 4) reject = ISAKMP_N_INVALID_SPI;

Does it mean that values different from 0 and 4 are invalid??

From the RFC 2407, section 3.5 Proposal Payload:

the SPI Size is irrelevant and MAY be from zero (0) to sixteen (16)
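
An added example, not vpnc code and not the attached patch: a bounds-checked parser for the Proposal Payload header that accepts an ISAKMP SPI size of 0 to 16, as the RFC text quoted above allows, while still requiring 4 bytes for ESP/AH and never trusting the claimed size beyond the payload length. The struct, enum and function names are hypothetical; the 8-byte header layout and Protocol-Id values are assumed from the ISAKMP and IPsec DOI specifications.

```c
#include <stddef.h>
#include <stdint.h>

/* Protocol-Id values from the IPsec DOI. */
enum { PROTO_ISAKMP = 1, PROTO_IPSEC_AH = 2, PROTO_IPSEC_ESP = 3 };

enum prop_status { PROP_OK = 0, PROP_TRUNCATED, PROP_BAD_LENGTH,
                   PROP_INVALID_SPI, PROP_UNSUPPORTED };

struct proposal {                 /* hypothetical result type */
    uint8_t number, protocol_id, spi_size, n_transforms;
    const uint8_t *spi;           /* NULL when the SPI must be ignored */
    const uint8_t *transforms;    /* first byte after the SPI field */
};

/* next payload, reserved, length (2), proposal #, protocol, SPI size, # transforms */
#define PROP_HDR_LEN 8u

enum prop_status parse_proposal(const uint8_t *buf, size_t len, struct proposal *out)
{
    if (len < PROP_HDR_LEN)
        return PROP_TRUNCATED;
    size_t payload_len = ((size_t)buf[2] << 8) | buf[3];   /* network byte order */
    if (payload_len < PROP_HDR_LEN || payload_len > len)
        return PROP_BAD_LENGTH;

    out->number       = buf[4];
    out->protocol_id  = buf[5];
    out->spi_size     = buf[6];
    out->n_transforms = buf[7];

    /* Whatever size the peer claims, the SPI must fit inside this payload. */
    if ((size_t)out->spi_size > payload_len - PROP_HDR_LEN)
        return PROP_BAD_LENGTH;

    if (out->protocol_id == PROTO_ISAKMP) {
        if (out->spi_size > 16)            /* allowed range is 0..16 */
            return PROP_INVALID_SPI;
        out->spi = NULL;                   /* header cookies are the SPI; skip the field */
    } else if (out->protocol_id == PROTO_IPSEC_ESP || out->protocol_id == PROTO_IPSEC_AH) {
        if (out->spi_size != 4)            /* ESP/AH SPIs are 32 bits */
            return PROP_INVALID_SPI;
        out->spi = buf + PROP_HDR_LEN;
    } else {
        return PROP_UNSUPPORTED;           /* not handled in this example */
    }
    out->transforms = buf + PROP_HDR_LEN + out->spi_size;
    return PROP_OK;
}
```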

Comment 1 Laurent Jacquot 2013-10-05 16:15:43 UTC
Created attachment 808165
vpnc-0.5.3-17.fix-alcatel.patch

Comment 2 Felix Schwarz 2014-11-02 14:10:45 UTC
(Disclaimer: I'm no vpnc expert nor the Fedora vpnc maintainer)

Did you try to submit your patch upstream? As per Fedora's policies this should be done first. Adding a Fedora patch might be acceptable to bridge the time until the next upstream release or to fix a critical issue but as a package maintainer I'd be uneasy to just add a new patch.

Comment 3 Laurent Jacquot 2014-11-02 21:05:53 UTC
No, I didn't, because it is a very quick and dirty patch: I removed what got in the way to allow connection. It's nowhere near ready for upstream, but I thought it could be useful to people having the same issue as me.

I have no more access to the Alcatel concentrator => mark as CLOSED?

Comment 4 Felix Schwarz 2014-11-02 21:27:17 UTC
Thank you very much for your feedback.

It's not my call (as I'm not a vpnc maintainer) but personally I'd say that Fedora packages should only ship upstream-ready code unless for a very good reason (=> not a valid Fedora bug IMHO).

Now vpnc upstream might be difficult to work with (not much communication, no releases, no bug tracker) but maybe you could send your patch+info on the upstream mailing list (https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel) with a short notice about the current state. I guess that way you'd help most people because future developers will check that more likely than the Fedora bugzilla.

Comment 5 Felix Schwarz 2014-11-08 11:36:39 UTC
As I co-maintain vpnc now I close this bug as we should not ship hacky patches. Still I'd encourage you to post your changes upstream.

Comment 6 Laurent Jacquot 2014-11-08 20:19:56 UTC
acked, I'll try to find time to report it upstream