Bug 1015803 - patch to allow to connect to an alcatel vpn concentrator
Product: Fedora
Classification: Fedora
Component: vpnc
Assigned To: Christian Krause
QA Contact: Fedora Extras Quality Assurance
Reported: 2013-10-05 12:15 EDT by Laurent Jacquot
Modified: 2014-11-08 15:19 EST
Doc Type: Bug Fix
Last Closed: 2014-11-08 06:36:39 EST
Type: Bug

Attachments
vpnc-0.5.3-17.fix-alcatel.patch (2.08 KB, patch)
2013-10-05 12:15 EDT, Laurent Jacquot

Description Laurent Jacquot 2013-10-05 12:15:05 EDT
I've carried this homemade patch for a very long time, maybe it could be useful to others.

They are needed to connect to an Alcatel-Lucent Brick VPN Concentrator, I've made them after reading the post on vpnc-devel from Paolo Fiorillo in 2010:

I'm trying to connect VPNC client with Alcatel-Lucent Brick VPN Concentrator.

The result is: response was invalid [2]:  (ISAKMP_N_INVALID_SPI)(11)

The SPI size of the reply is 8.
In the VPNC code:

if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 0) reject = ISAKMP_N_INVALID_SPI;
if (reject == 0 && rp->u.sa.proposals->u.p.spi_size != 4) reject = ISAKMP_N_INVALID_SPI;

Does it mean that values different from 0 and 4 are invalid?

From the RFC 2407, section 3.5 Proposal Payload:

the SPI Size is irrelevant and MAY be from zero (0) to sixteen (16)
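
The check the quoted post asks about, written so that accepting SPI sizes other than 0 still keeps the length checks in place. This is an added example, not vpnc code and not the attached patch; `check_proposal_spi`, the constant names and the sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol-Id values from the IPsec DOI; notify codes follow ISAKMP numbering. */
enum { PROTO_ISAKMP = 1, PROTO_IPSEC_AH = 2, PROTO_IPSEC_ESP = 3 };
enum { ISAKMP_N_INVALID_PROTOCOL_ID = 10, ISAKMP_N_INVALID_SPI = 11,
       ISAKMP_N_PAYLOAD_MALFORMED = 16 };
enum { PROPOSAL_HDR_LEN = 8, ISAKMP_SPI_MAX = 16, IPSEC_SPI_LEN = 4 };

/* Hypothetical helper, not a vpnc function. Checks one raw Proposal payload:
 * returns 0 if its SPI size is acceptable, else a notify code. *spi is set to
 * the SPI bytes for AH/ESP and left NULL for ISAKMP, where they are ignored. */
int check_proposal_spi(const uint8_t *buf, size_t len, const uint8_t **spi)
{
    *spi = NULL;
    if (len < PROPOSAL_HDR_LEN)
        return ISAKMP_N_PAYLOAD_MALFORMED;
    size_t payload_len = ((size_t)buf[2] << 8) | buf[3];
    uint8_t protocol = buf[5], spi_size = buf[6];

    /* Bounds first: declared length fits the buffer, SPI fits the payload. */
    if (payload_len < PROPOSAL_HDR_LEN || payload_len > len)
        return ISAKMP_N_PAYLOAD_MALFORMED;
    if (spi_size > payload_len - PROPOSAL_HDR_LEN)
        return ISAKMP_N_PAYLOAD_MALFORMED;

    switch (protocol) {
    case PROTO_ISAKMP:    /* phase 1: 0..16 allowed, contents never read */
        return spi_size <= ISAKMP_SPI_MAX ? 0 : ISAKMP_N_INVALID_SPI;
    case PROTO_IPSEC_AH:
    case PROTO_IPSEC_ESP: /* phase 2: exactly 4 octets, used as the SA's SPI */
        if (spi_size != IPSEC_SPI_LEN)
            return ISAKMP_N_INVALID_SPI;
        *spi = buf + PROPOSAL_HDR_LEN;
        return 0;
    default:
        return ISAKMP_N_INVALID_PROTOCOL_ID;
    }
}

/* Constructed sample: ISAKMP proposal with an 8-octet SPI, as in the report.
 * Header: length 16, proposal 1, SPI size 8, transforms omitted. */
static const uint8_t sample_spi8[16] = {
    0, 0, 0, 16, 1, PROTO_ISAKMP, 8, 0,
    0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04 };

int main(void)
{
    const uint8_t *spi;
    printf("ISAKMP, SPI size 8: %d\n",
           check_proposal_spi(sample_spi8, sizeof sample_spi8, &spi));
    return 0;
}
```
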
Comment 1 Laurent Jacquot 2013-10-05 12:15:43 EDT
Created attachment 808165
Comment 2 Felix Schwarz 2014-11-02 09:10:45 EST
(Disclaimer: I'm no vpnc expert nor the Fedora vpnc maintainer)

Did you try to submit your patch upstream? As per Fedora's policies this should be done first. Adding a Fedora patch might be acceptable to bridge the time until the next upstream release or to fix a critical issue but as a package maintainer I'd be uneasy to just add a new patch.
Comment 3 Laurent Jacquot 2014-11-02 16:05:53 EST
No, I didn't, because it is a very quick and dirty patch: I removed what got in the way to allow connection. It's nowhere near ready for upstream, but I thought it could be useful to people having the same issue as me.

I have no more access to the Alcatel concentrator => mark as CLOSED?
Comment 4 Felix Schwarz 2014-11-02 16:27:17 EST
Thank you very much for your feedback.

It's not my call (as I'm not a vpnc maintainer) but personally I'd say that Fedora packages should only ship upstream-ready code unless for a very good reason (=> not a valid Fedora bug IMHO).

Now vpnc upstream might be difficult to work with (not much communication, no releases, no bug tracker) but maybe you could send your patch+info on the upstream mailing list (https://lists.unix-ag.uni-kl.de/mailman/listinfo/vpnc-devel) with a short notice about the current state. I guess that way you'd help most people because future developers will check that more likely than the Fedora bugzilla.
Comment 5 Felix Schwarz 2014-11-08 06:36:39 EST
As I co-maintain vpnc now I close this bug as we should not ship hacky patches. Still I'd encourage you to post your changes upstream.
Comment 6 Laurent Jacquot 2014-11-08 15:19:56 EST
acked, I'll try to find time to report it upstream
