[Swan] ikev2 response dst port incorrect when request src port != 500

Fabian van der Werf fvanderwerf at gmail.com
Fri Mar 4 15:22:03 UTC 2016


Hi all,

I am testing a VPN connection from a Windows client behind a NAT to a
publicly accessible server running libreswan 3.16. When the initiator
request reaches libreswan the source address is not 500 because of the NAT.
But even so, libreswan still responds to port 500. This is of course
dropped by the NAT since it doesn't have a clue how to forward this.

Check this tcpdump:
16:05:17.182210 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
16:05:17.183377 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
16:05:19.182310 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
16:05:19.183145 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]


I would expect libreswan to respond to port 12286 instead of 500.

I also looked this up in the RFC (RFC 7296):
It is a common practice of NATs to translate TCP and UDP port numbers
as well as addresses and use the port numbers of inbound packets to decide
which internal node should get a given packet. For this
reason, even though IKE packets MUST be sent to and from UDP port 500 or
4500, they MUST be accepted coming from any port and responses MUST be sent
to the port from whence they came. This is because the ports may be
modified as the packets pass through NATs. Similarly, IP addresses of the
IKE endpoints are generally not included in the IKE payloads because the
payloads are cryptographically protected and could not be transparently
modified by NATs.

Is this a bug in libreswan? Or am I missing something? A configuration
option?

Regards,
Fabian van der Werf
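The RFC 7296 rule quoted in the post (reply to the port the request came from, not to a fixed 500) can be checked mechanically against a capture. The following is an added example, not code from the post or from libreswan: it parses tcpdump lines in the format shown above (the four lines from the post are embedded as the sample input), pairs each IKE_SA_INIT response with the preceding request from the same peer, and reports responses whose destination port differs from the request's source port. The regular expression and the pairing logic are this example's own assumptions about the tcpdump output format.

```python
import re

# Sample input: the four tcpdump lines from the post (hostnames as printed
# there). Only the parsing and the check are new here.
CAPTURE = """\
16:05:17.182210 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
16:05:17.183377 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
16:05:19.182310 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
16:05:19.183145 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
"""

# Assumed tcpdump line shape: "<ts> IP <host>.<port> > <host>.<port>: isakmp: ... [I|R]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"isakmp: .*\[(?P<role>[IR])\]$"
)


def parse_capture(text):
    """Turn tcpdump isakmp lines into dicts; lines that don't match are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append({
            "ts": m.group("ts"),
            "src": m.group("src"),
            "sport": int(m.group("sport")),
            "dst": m.group("dst"),
            "dport": int(m.group("dport")),
            "role": m.group("role"),  # I = initiator request, R = responder reply
        })
    return pkts


def find_misdirected_responses(pkts):
    """Return (timestamp, request_src_port, reply_dst_port) for every responder
    packet that was not sent back to the port the matching request came from.

    A reply is matched to the most recent initiator packet travelling the
    opposite way between the same two hosts. Per RFC 7296 section 2.23 the
    reply's dst port must equal that request's src port, so any mismatch is
    exactly the behaviour described in the post (reply to 500 instead of the
    NAT-translated port).
    """
    last_request = {}  # (initiator_host, responder_host) -> request packet
    findings = []
    for p in pkts:
        if p["role"] == "I":
            last_request[(p["src"], p["dst"])] = p
            continue
        req = last_request.get((p["dst"], p["src"]))
        if req is None:
            continue  # reply with no observed request; nothing to compare
        if p["dport"] != req["sport"]:
            findings.append((p["ts"], req["sport"], p["dport"]))
    return findings


def reply_endpoint(request_sender):
    """The rule a UDP IKE responder must follow: answer to the (host, port)
    tuple the datagram actually arrived from, i.e. whatever recvfrom() gave,
    never a hard-coded 500/4500. Trivial by design; it is the whole point."""
    host, port = request_sender
    return (host, port)


if __name__ == "__main__":
    for ts, want, got in find_misdirected_responses(parse_capture(CAPTURE)):
        print(f"{ts}: reply sent to port {got}, request came from port {want}")
```

Run against the capture from the post this flags both IKE_SA_INIT responses (reply port 500, request port 12286), which is the symptom being reported; a responder that follows `reply_endpoint` produces no findings.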