[Swan-dev] protoport doesn't work with klips in 3.31

Wolfgang Nothdurft wolfgang at linogate.de
Tue May 19 12:16:42 UTC 2020


Unfortunately there is another problem in the last KLIPS version 3.31, in which protoport no longer works with KLIPS.

Unfortunately I can't find which change or which commit is responsible for it.

The problem is that the eroute no longer contains the protoport and the eroute cannot be assigned:

klips_debug: ipsec_xmit_encap_bundle: shunt SA of DROP or no eroute: dropping.
klips_debug: ipsec_xsm: processing completed due to IPSEC_XMIT_STOLEN

Version 3.27 with correct port:
10.0.10.200/32:1701 -> 10.0.16.250/32:1701 => esp0xf4196b25 at 10.0.16.250: 17

Version 3.31 without port:
10.0.10.200/32 -> 10.0.16.250/32 => esp0x78ccb74c at 10.0.16.250: 17

Both X-source-flow-address and X-dest-flow-address have no port set:

klips_debug: pfkey_address_parse: found exttype = 21 (X-source-flow-address) family = 2 (AF_INET) address = 10.0.10.200 proto = 0 port = 0.
klips_debug: pfkey_address_parse: found exttype = 22 (X-dest-flow-address) family = 2 (AF_INET) address = 10.0.16.250 proto = 0 port = 0.

I know KLIPS should no longer be used, but since XFRMi is not yet fully usable for us and implementing it still requires a lot of effort, we have to rely on KLIPS again.

So at the moment I only have the option to stay at 3.27 and possibly use the most important patches and maybe some IKEv2 fixes, or patch the KLIPS module, ignore the ports and, if necessary, use iptables to block all connections that do not match the protoport.

Maybe you can give me a tip which change is responsible for this or whether you see a chance that the port will be passed on to KLIPS again.

Regards
Wolfgang
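A check for the symptom described above, added here as an example and not part of the post or of libreswan: it parses eroute lines in the layout quoted (the archive renders "@" as " at "; both are accepted) and reports eroutes whose selector lacks the configured protoport, so that a wider-than-intended tunnel selector is caught before relying on a separate iptables filter. The sample lines are constructed from the two versions quoted in the post.

```python
import re
from typing import Dict, List, Optional

# Constructed sample eroute lines mirroring the 3.27 and 3.31 output in the post.
EROUTE_327 = "10.0.10.200/32:1701 -> 10.0.16.250/32:1701 => esp0xf4196b25 at 10.0.16.250: 17"
EROUTE_331 = "10.0.10.200/32 -> 10.0.16.250/32 => esp0x78ccb74c at 10.0.16.250: 17"

# src/mask[:port] -> dst/mask[:port] => SAID@gw: proto   ("@" may appear as " at ")
_EROUTE_RE = re.compile(
    r"^(?P<src>[\d.]+/\d+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+/\d+)(?::(?P<dport>\d+))?\s*=>\s*"
    r"(?P<said>[^\s@]+)\s*(?:@|\sat\s)\s*(?P<gw>[\d.]+):\s*(?P<proto>\d+)\s*$"
)


def parse_eroute(line: str) -> Optional[Dict[str, object]]:
    """Split one eroute line into selector, SAID and gateway fields.
    Returns None for lines that are not eroutes (debug chatter, headers)."""
    m = _EROUTE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "src": d["src"], "dst": d["dst"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dport": int(d["dport"]) if d["dport"] else None,
        "said": d["said"], "gw": d["gw"], "proto": int(d["proto"]),
    }


def check_protoport(lines: List[str], proto: int, port: int) -> List[str]:
    """Report eroutes whose selector is wider than the configured protoport
    (e.g. 17/1701 for L2TP over UDP). A missing port means the eroute no
    longer restricts the tunnel to the intended traffic, which is exactly
    what the 3.31 output in the post shows."""
    findings = []
    for line in lines:
        e = parse_eroute(line)
        if e is None:
            continue
        problems = []
        if e["proto"] != proto:
            problems.append(f"proto {e['proto']} != {proto}")
        for side in ("sport", "dport"):
            if e[side] is None:
                problems.append(f"{side} missing (wanted {port})")
            elif e[side] != port:
                problems.append(f"{side} {e[side]} != {port}")
        if problems:
            findings.append(f"{e['said']}: " + "; ".join(problems))
    return findings
```

Feed it the lines of the KLIPS eroute table and the protoport from the connection definition; an empty result means every eroute carries the expected proto and port selectors.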


