[Swan] How to let "PLUTO_PEER_PROTOCOL" and "PLUTO_MY_PROTOCOL" to be 17 (UDP) ?

Paul Wouters paul at nohats.ca
Sun Nov 1 08:38:49 UTC 2015 

See leftprotoport= and rightprotopprt= described in the ipsec.conf man page

Sent from my iPhone

> On Nov 1, 2015, at 12:38, ChenHao <earthlovepython at outlook.com> wrote:
> 
> Hi All:
> 
> /var/log/pluto.log writes:
> =========================
> | peer client is fd6f:d30:1bb6:b419::1
> 
> | peer client protocol/port is 17/0
> 
> | our client is fd1d:d30:1bb6:b419::1
> 
> | our client protocol/port is 17/0
> 
> "ip6.tun0" #113: the peer proposed: fd1d:d30:1bb6:b419::1/128:0/0 -> fd6f:d30:1bb6:b419::1/128:0/0
> 
> | find_client_connection starting with ip6.tun0
> 
> |   looking for fd1d:d30:1bb6:b419::1/128:17/0 -> fd6f:d30:1bb6:b419::1/128:17/0
> 
> 
> 
> Because "0/0" is NOT "17/0", find_client_connection() return NULL. As a result, quick_inI1_outR1_authtail() fail "cannot respond to IPsec SA request because no connection is known for" && "sending encrypted notification INVALID_ID_INFORMATION to"
> 
> 
> 
> Question:  how to set local protocol to 17 (UDP) instead of 0? 
> 
> 
> 
> 
> 
> 
> 
> Corresponding source code:
> 
> ==================
> 
> quick_inI1_outR1_authtail()
> 
> {
> 
> ……
> 
>                                 libreswan_log("the peer proposed: %s:%d/%d -> %s:%d/%d",
> 
>                                                       s1, c->spd.this.protocol, c->spd.this.port,      ç== “spd” is “struct spd_route”
> 
>                                                       d1, c->spd.that.protocol, c->spd.that.port);
> 
> ……
> 
> }
> 
>  
> 
> quick_inI1_outR1_authtail() calls find_client_connection()
> 
>  
> 
> find_client_connection()
> 
> {
> 
> ….
> 
>                                 DBG_log("  looking for %s:%d/%d -> %s:%d/%d",
> 
>                                                 s1, our_protocol, our_port,
> 
>                                                 d1, peer_protocol, peer_port);
> 
> ….
> 
>                                                 if (samesubnet(&sr->this.client, our_net) &&
> 
>                                                                 samesubnet(&sr->that.client, peer_net) &&
> 
>                                                                 sr->this.protocol == our_protocol &&    ç== Does NOT match. “sr” is “struct spd_route”. As a result, failed.
> 
>                                                                 (!sr->this.port ||
> 
>                                                                                 sr->this.port == our_port) &&
> 
>                                                                 (sr->that.protocol == peer_protocol) &&
> 
>                                                                 (!sr->that.port ||
> 
>                                                                                 sr->that.port == peer_port)) {
> 
>                                                                 passert(oriented(*c));
> 
>                                                                 if (routed(sr->routing))
> 
>                                                                                 return c;    ç == We expect return here, but ….
> 
>  
> 
>                                                                 unrouted = c;
> 
>                                                 }
> 
> ….
> 
> }
> 
>  
> 
> “spd.this.protocol” is same as “sr->this.protocol”
> 
> 
> 
> 
> 
> 
> 
> 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20151101/5a7e7458/attachment.html>

More information about the Swan mailing list