[Swan] [PATCH, RFC] libreswan 3.17 incorrectly replying with dstport 500 during IKEv2 setup

Daniel J Blueman daniel at quora.org
Thu Jun 2 00:22:45 UTC 2016


Hi to all!

Using the current libreswan release in the core CentOS 6 repo
(libreswan-3.15-5.3) with a road-warrior configuration [1] with a
Windows 10 client and cert auth, I'm seeing libreswan reply to the
initial IKEv2 setup packets on port 500, rather than the correct
source port, needed to pass through routers; we see:

19:45:16.061582 IP 66.96.193.199.1024 > 195.119.250.13.500: isakmp: parent_sa ikev2_init[I]
19:45:16.071924 IP 195.119.250.13.500 > 66.96.193.199.500: isakmp: parent_sa ikev2_init[R]

This issue occurs on libreswan 3.17 also, so I traced the incorrect
remote port number back to the connection lookup code, clearly the
right section in the debug logs [2]. Rewriting the port number [3]
fixes the behaviour.

What would be the correct approach here?

Many thanks!
  Daniel

-- [1] /etc/ipsec.d/tunnel.conf

conn tunnel
        left=195.119.250.13
        leftcert=box
        leftid=@box.foo
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        leftrsasigkey=%cert
        right=%any
        rightaddresspool=192.168.66.10-192.168.66.199
        rightca=%same
        rightrsasigkey=%cert
        ike=aes256-sha2_384;modp1024 # Windows 10
        narrowing=yes
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
        auto=add
        ikev2=insist
        rekey=no
        fragmentation=yes

-- [2]

find_host_connection me=195.119.250.13:500 him=175.156.179.109:1024 policy=RSASIG+IKEV2_ALLOW
find_host_pair: comparing 195.119.250.13:500 to 0.0.0.0:500
find_host_pair_conn: 195.119.250.13:500 175.156.179.109:1024 -> hp:none
find_next_host_connection policy=RSASIG+IKEV2_ALLOW
find_next_host_connection returns empty
find_host_connection me=195.119.250.13:500 him=%any:1024 policy=RSASIG+IKEV2_ALLOW
find_host_pair: comparing 195.119.250.13:500 to 0.0.0.0:500
find_host_pair_conn: 195.119.250.13:500 %any:1024 -> hp:tunnel
find_next_host_connection policy=RSASIG+IKEV2_ALLOW
found policy = RSASIG+ENCRYPT+TUNNEL+PFS+DONT_REKEY+IKEV2_ALLOW+IKEV2_PROPOSE+IKEV2_ALLOW_NARROWING+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO (tunnel)
find_next_host_connection returns tunnel
find_host_pair: comparing 195.119.250.13:500 to 0.0.0.0:500
connect_to_host_pair: 195.119.250.13:500 175.156.179.109:500 -> hp:none
rw_instantiate() instantiated "tunnel"[1] 175.156.179.109 for 175.156.179.109
found connection: tunnel with policy RSASIG+IKEV2_ALLOW
find_host_pair: comparing 195.119.250.13:500 to 175.156.179.109:500
find_host_pair: comparing 195.119.250.13:500 to 0.0.0.0:500
find_host_pair_conn: 195.119.250.13:500 %any:1024 -> hp:tunnel

-- [3]

--- a/programs/pluto/connections.c
+++ b/programs/pluto/connections.c
@@ -2558,6 +2558,7 @@ stf_status ikev2_find_host_connection( struct
connection **cp,
                                                        !(d->policy &
POLICY_OPPORTUNISTIC)) {
                                                /* must be Road
Warrior: we have a winner */
                                                c = d;
+                                               c->spd.that.host_port
= his_port;
                                                break;
                                        }
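Review bot: `c->spd.that.host_port = his_port` is written into `d`, which in the Road Warrior branch is the `%any` template that the log shows being instantiated afterwards (`rw_instantiate() instantiated "tunnel"[1] ...`), so one initiator's ephemeral port becomes persistent state in a connection shared by every road-warrior client and is never cleared when that peer goes away. The log line `connect_to_host_pair: 195.119.250.13:500 175.156.179.109:500 -> hp:none` suggests the instance inherits its port from the template, so the narrower fix is to set the port on the instance returned by `rw_instantiate()` (or pass `his_port` into the instantiation) rather than mutating the template here; either way the override deserves a comment saying why the Road Warrior match alone needs it.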
-- 
Daniel J Blueman
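The lookup-then-instantiate sequence in debug log [2], modelled as an added example that is not libreswan's code and not part of the post: a road-warrior template keyed on `%any:500` is found by the second lookup pass and then instantiated for the peer. The function names mimic the log output but are assumptions, not libreswan's real API; the addresses and ports are those in the tcpdump above. The three instantiation variants show the observed behaviour (reply goes to the template's port 500), the RFC patch (template port overwritten, so the shared template keeps the last peer's port) and an instance-local port, which leaves the template untouched.

```python
"""Model of road-warrior connection instantiation and the reply endpoint
an IKE_SA_INIT response is sent to.  Constructed example: the names
find_host_connection / rw_instantiate only mimic libreswan's debug log
and are not its real API."""
from dataclasses import dataclass
from typing import Callable, List, Optional

IKE_PORT = 500
ANY = "%any"


@dataclass
class Endpoint:
    host: str
    port: int


@dataclass
class Connection:
    name: str
    this: Endpoint            # our side
    that: Endpoint            # peer side; %any:500 for a road-warrior template
    instance_of: Optional[str] = None


def find_host_connection(conns: List[Connection], me: Endpoint,
                         him: Endpoint) -> Optional[Connection]:
    """Two-pass lookup as in the log: exact peer host first, then %any.
    Only templates (not earlier instances) are candidates."""
    for want in (him.host, ANY):
        for c in conns:
            if (c.instance_of is None
                    and (c.this.host, c.this.port) == (me.host, me.port)
                    and c.that.host == want):
                return c
    return None


def rw_instantiate_buggy(template: Connection, him: Endpoint) -> Connection:
    """Instance copies the template's port (500): the behaviour in the tcpdump."""
    return Connection(f"{template.name}[1]", template.this,
                      Endpoint(him.host, template.that.port), template.name)


def rw_instantiate_mutating(template: Connection, him: Endpoint) -> Connection:
    """The RFC patch: overwrite the shared template's port, then instantiate."""
    template.that.port = him.port
    return rw_instantiate_buggy(template, him)


def rw_instantiate_fixed(template: Connection, him: Endpoint) -> Connection:
    """Instance carries the peer's full endpoint; the template is left alone."""
    return Connection(f"{template.name}[1]", template.this,
                      Endpoint(him.host, him.port), template.name)


def respond(conns: List[Connection], me: Endpoint, him: Endpoint,
            instantiate: Callable[[Connection, Endpoint], Connection]
            ) -> Optional[Endpoint]:
    """Return the endpoint the IKE_SA_INIT response would be sent to,
    appending the new instance to the connection list."""
    template = find_host_connection(conns, me, him)
    if template is None:
        return None
    inst = instantiate(template, him)
    conns.append(inst)
    return inst.that


def build_conns() -> List[Connection]:
    """One road-warrior template, as in tunnel.conf (left=..., right=%any)."""
    return [Connection("tunnel", Endpoint("195.119.250.13", IKE_PORT),
                       Endpoint(ANY, IKE_PORT))]


if __name__ == "__main__":
    me = Endpoint("195.119.250.13", IKE_PORT)
    him = Endpoint("66.96.193.199", 1024)   # initiator's source port from the capture
    for variant in (rw_instantiate_buggy, rw_instantiate_mutating, rw_instantiate_fixed):
        conns = build_conns()
        dst = respond(conns, me, him, variant)
        print(f"{variant.__name__:24s} reply -> {dst.host}:{dst.port}"
              f"   template now {conns[0].that.host}:{conns[0].that.port}")
```

The mutating variant does produce the right reply port, which is why the patch appears to work; the last line of output for it shows the cost, a template whose peer port is whatever the most recent initiator used.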

