[Swan] ikev2 response dst port incorrect when request src port != 500

Paul Wouters paul at nohats.ca
Fri Mar 4 15:38:34 UTC 2016


On Fri, 4 Mar 2016, Fabian van der Werf wrote:

> I am testing a VPN connection from a Windows client behind a NAT to a publicly accessible server running libreswan 3.16.
> When the initiator request reaches libreswan the source address is not 500 because of the NAT. But even so, libreswan
> still responds to port 500. This is of course dropped by the NAT, since it doesn't have a clue how to forward this.
> 
> Check this tcpdump
> 16:05:17.182210 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
> 16:05:17.183377 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
> 16:05:19.182310 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
> 16:05:19.183145 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
> 
> 
> I would expect libreswan to respond to port 12286 instead of 500.

So would I :)

> Is this a bug in libreswan? Or am I missing something? A configuration option?

Looks like it. Can you run with a full plutodebug=all and pastebin or
mail me (offlist) with the logs?

Paul
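The symptom in the capture is easy to check mechanically: for every IKE response seen at the responder, the destination address and port should equal the source address and port of the request it answers. An IKE_SA_INIT reply sent to UDP 500 instead of the NAT's ephemeral port has no mapping at the NAT and is dropped, exactly as the capture shows (the later switch to UDP 4500 after NAT detection is a separate step; the IKE_SA_INIT reply itself already has to go back to the request's source port). The script below is an added example, not code from libreswan or from anyone in this thread: it parses tcpdump lines of the format quoted above and flags responses whose destination does not match the paired request's source. The first four sample lines are the ones from the report; the fifth and sixth are constructed here to show what a correct reply looks like. The function names and the tuple keyed on the responder endpoint are my own choices.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample capture: lines 1-4 are the pairs quoted in the report,
# lines 5-6 are made up here and show the reply going back to the NAT's port.
SAMPLE_TCPDUMP = """\
16:05:17.182210 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
16:05:17.183377 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
16:05:19.182310 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
16:05:19.183145 IP libreswanIP.500 > natIP.500: isakmp: parent_sa ikev2_init[R]
16:05:21.000000 IP natIP.12286 > libreswanIP.500: isakmp: parent_sa ikev2_init[I]
16:05:21.001000 IP libreswanIP.500 > natIP.12286: isakmp: parent_sa ikev2_init[R]
"""

# tcpdump prints "host.port > host.port:" followed by the isakmp summary;
# the greedy \S+ leaves the last dotted component for the port group.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"isakmp: .*?(?P<exch>\w+)\[(?P<role>[IR])\]$"
)


class IkePacket(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    exchange: str   # e.g. "ikev2_init"
    role: str       # "I" = initiator request, "R" = responder reply


def parse_tcpdump(text: str) -> List[IkePacket]:
    """Turn tcpdump isakmp summary lines into IkePacket records; skip non-matching lines."""
    pkts: List[IkePacket] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkts.append(IkePacket(m["ts"], m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"]), m["exch"], m["role"]))
    return pkts


def reply_endpoint(request: IkePacket) -> Tuple[str, int]:
    """Where a responder has to send its reply: the request's observed source address and port.

    Behind a NAT this is the NAT's external address and the ephemeral port it
    allocated, which is the only tuple the NAT can map back to the client.
    """
    return (request.src, request.sport)


def find_misrouted_responses(pkts: List[IkePacket]) -> List[Tuple[str, Tuple[str, int], Tuple[str, int]]]:
    """Pair each [R] packet with the latest [I] packet of the same exchange that
    arrived at that responder endpoint, and report (timestamp, expected, actual)
    for every reply whose destination differs from the request's source."""
    # key: (responder address, responder port, exchange name) -> last request seen
    last_request: Dict[Tuple[str, int, str], IkePacket] = {}
    problems = []
    for p in pkts:
        if p.role == "I":
            last_request[(p.dst, p.dport, p.exchange)] = p
            continue
        req: Optional[IkePacket] = last_request.get((p.src, p.sport, p.exchange))
        if req is None:
            continue  # reply without a visible request; nothing to compare against
        want = reply_endpoint(req)
        got = (p.dst, p.dport)
        if want != got:
            problems.append((p.ts, want, got))
    return problems


if __name__ == "__main__":
    for ts, want, got in find_misrouted_responses(parse_tcpdump(SAMPLE_TCPDUMP)):
        print(f"{ts}: reply sent to {got[0]}:{got[1]}, request came from {want[0]}:{want[1]}")
```

Run against a real capture with `tcpdump -n -i eth0 udp port 500 or udp port 4500` piped in; any line it prints is a reply the NAT will not be able to forward, which is the condition to look for in the plutodebug output.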
