2 files changed, 43 insertions, 0 deletions
diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch b/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch
new file mode 100644
index 0000000000..2bed550415
--- /dev/null
+++ b/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch
@@ -0,0 +1,42 @@
+From 39925f090c21ab571ebc6ec250696f7f7093a2a6 Mon Sep 17 00:00:00 2001
+From: Will Page <Will.Page@ni.com>
+Date: Wed, 30 Aug 2017 18:14:00 -0700
+Subject: [PATCH 1/1] Reduce lifetime value to widely-compatible value
+Current proposed lifetime value (2147483 seconds, which equates to
+MAXINT ms, or ~25 days) is rejected by Fortigate vpn devices because
+"peer SA proposal does not match local policy".  It seems default
+policy for these devices constrains lifetime where similar VPN devices
+don't.
+Reducing the lifetime from its current value to 28800 (exactly 8 hours)
+causes it to start working with fortigate devices.
+---
+ vpnc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+diff --git a/vpnc.c b/vpnc.c
+index 36dd0f3..3e0fcba 100644
+--- a/vpnc.c
+++ b/vpnc.c
+@@ -1135,7 +1135,7 @@ static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int
+        a->af = isakmp_attr_lots;
+        a->u.lots.length = 4;
+        a->u.lots.data = xallocc(a->u.lots.length);
+-       *((uint32_t *) a->u.lots.data) = htonl(2147483);
+       *((uint32_t *) a->u.lots.data) = htonl(28800);
+        a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
+        a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
+        a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
+@@ -2561,7 +2561,7 @@ static struct isakmp_attribute *make_transform_ipsec(struct sa_block *s, int dh_
+        a->af = isakmp_attr_lots;
+        a->u.lots.length = 4;
+        a->u.lots.data = xallocc(a->u.lots.length);
+-       *((uint32_t *) a->u.lots.data) = htonl(2147483);
+       *((uint32_t *) a->u.lots.data) = htonl(28800);
+        a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
+ 
+        if (dh_group)
+-- 
+2.7.4
diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
index 6f92acd06c..ea21799853 100644
--- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
+++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/ndpgroup/vpnc \
           file://0006-sysdep-Add-header-include-sequence-to-adjust-for-mus.patch \
           file://0007-add-error-API-when-error.h-is-not-on-platform.patch \
           file://0008-include-sysdep.h-before-net-if_tun.h.patch \
+           file://0009-reduce-lifetime-value.patch \
           "
 PACKAGECONFIG ?= "gnutls"

diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch b/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch new file mode 100644 index 0000000000..2bed550415 --- /dev/null +++ b/meta-networking/recipes-connectivity/vpnc/vpnc/0009-reduce-lifetime-value.patch
@@ -0,0 +1,42 @@
		1	From 39925f090c21ab571ebc6ec250696f7f7093a2a6 Mon Sep 17 00:00:00 2001
		2	From: Will Page <Will.Page@ni.com>
		3	Date: Wed, 30 Aug 2017 18:14:00 -0700
		4	Subject: [PATCH 1/1] Reduce lifetime value to widely-compatible value
		5
		6	Current proposed lifetime value (2147483 seconds, which equates to
		7	MAXINT ms, or ~25 days) is rejected by Fortigate vpn devices because
		8	"peer SA proposal does not match local policy". It seems default
		9	policy for these devices constrains lifetime where similar VPN devices
		10	don't.
		11
		12	Reducing the lifetime from its current value to 28800 (exactly 8 hours)
		13	causes it to start working with fortigate devices.
		14	---
		15	vpnc.c \| 4 ++--
		16	1 file changed, 2 insertions(+), 2 deletions(-)
		17
		18	diff --git a/vpnc.c b/vpnc.c
		19	index 36dd0f3..3e0fcba 100644
		20	--- a/vpnc.c
		21	+++ b/vpnc.c
		22	@@ -1135,7 +1135,7 @@ static struct isakmp_attribute *make_transform_ike(int dh_group, int crypt, int
		23	a->af = isakmp_attr_lots;
		24	a->u.lots.length = 4;
		25	a->u.lots.data = xallocc(a->u.lots.length);
		26	- ((uint32_t ) a->u.lots.data) = htonl(2147483);
		27	+ ((uint32_t ) a->u.lots.data) = htonl(28800);
		28	a = new_isakmp_attribute_16(IKE_ATTRIB_LIFE_TYPE, IKE_LIFE_TYPE_SECONDS, a);
		29	a = new_isakmp_attribute_16(IKE_ATTRIB_AUTH_METHOD, auth, a);
		30	a = new_isakmp_attribute_16(IKE_ATTRIB_GROUP_DESC, dh_group, a);
		31	@@ -2561,7 +2561,7 @@ static struct isakmp_attribute make_transform_ipsec(struct sa_block s, int dh_
		32	a->af = isakmp_attr_lots;
		33	a->u.lots.length = 4;
		34	a->u.lots.data = xallocc(a->u.lots.length);
		35	- ((uint32_t ) a->u.lots.data) = htonl(2147483);
		36	+ ((uint32_t ) a->u.lots.data) = htonl(28800);
		37	a = new_isakmp_attribute_16(ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE, IPSEC_LIFE_SECONDS, a);
		38
		39	if (dh_group)
		40	--
		41	2.7.4
		42


diff --git a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb index 6f92acd06c..ea21799853 100644 --- a/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb +++ b/meta-networking/recipes-connectivity/vpnc/vpnc_0.5.3.bb
@@ -20,6 +20,7 @@ SRC_URI = "git://github.com/ndpgroup/vpnc \
20	file://0006-sysdep-Add-header-include-sequence-to-adjust-for-mus.patch \	20	file://0006-sysdep-Add-header-include-sequence-to-adjust-for-mus.patch \
21	file://0007-add-error-API-when-error.h-is-not-on-platform.patch \	21	file://0007-add-error-API-when-error.h-is-not-on-platform.patch \
22	file://0008-include-sysdep.h-before-net-if_tun.h.patch \	22	file://0008-include-sysdep.h-before-net-if_tun.h.patch \
		23	file://0009-reduce-lifetime-value.patch \
23	"	24	"
24		25
25	PACKAGECONFIG ?= "gnutls"	26	PACKAGECONFIG ?= "gnutls"