[Swan] [PATCH, RFC] libreswan 3.17 incorrectly replying with dstport 500 during IKEv2 setup

Paul Wouters paul at nohats.ca
Wed Jun 8 12:51:48 UTC 2016


On Thu, 2 Jun 2016, Daniel J Blueman wrote:

> Using the current libreswan release in the core CentOS 6 repo
> (libreswan-3.15-5.3) with a road-warrior configuration [1] with a
> Windows 10 client and cert auth, I'm seeing libreswan reply to the
> initial IKEv2 setup packets on port 500, rather than the correct
> source port, needed to pass through routers; we see:
>
> 19:45:16.061582 IP 66.96.193.199.1024 > 195.119.250.13.500: isakmp:
> parent_sa ikev2_init[I]
> 19:45:16.071924 IP 195.119.250.13.500 > 66.96.193.199.500: isakmp:
> parent_sa ikev2_init[R]

That should not happen. It is clearly a bug.

> This issue occurs on libreswan 3.17 also, so I traced back the
> incorrect remote port number to the connection lookup code, clearly
> the right section in the debug logs [2]. Rewriting the port number [3]
> fixes the behaviour.

If we are not switching connections, it should not have the wrong port.
But since this is IKE_INIT, I would not expect it to switch connections
at all.

I'm looking into the issue.

Paul
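The port mismatch Daniel describes is easy to spot from a capture: the responder's IKE_SA_INIT reply should go back to whatever source port the initiator's request came from, and in the quoted trace it goes to 500 instead of 1024. The following is an added example, not code from this thread or from libreswan, that parses tcpdump lines in the format quoted above (the two wrapped lines reassembled into one line each, as a constructed sample) and flags any IKE_SA_INIT response whose destination port differs from the matching request's source port. The line format regex and the field names are assumptions based only on the quoted output.

```python
import re

# Constructed sample capture, reassembled from the two wrapped tcpdump lines
# quoted in the thread: request from port 1024, reply sent to port 500.
SAMPLE_TRACE = """\
19:45:16.061582 IP 66.96.193.199.1024 > 195.119.250.13.500: isakmp: parent_sa ikev2_init[I]
19:45:16.071924 IP 195.119.250.13.500 > 66.96.193.199.500: isakmp: parent_sa ikev2_init[R]
"""

# Constructed "healthy" capture for comparison: the reply returns to port 1024.
GOOD_TRACE = """\
19:45:16.061582 IP 66.96.193.199.1024 > 195.119.250.13.500: isakmp: parent_sa ikev2_init[I]
19:45:16.071924 IP 195.119.250.13.500 > 66.96.193.199.1024: isakmp: parent_sa ikev2_init[R]
"""

# Assumed tcpdump line shape: "<ts> IP <src>.<sport> > <dst>.<dport>: isakmp: parent_sa ikev2_init[I|R]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): isakmp: parent_sa ikev2_init\[(?P<role>[IR])\]$"
)


def parse_trace(text):
    """Return a list of dicts, one per IKE_SA_INIT line; other lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["sport"] = int(d["sport"])
        d["dport"] = int(d["dport"])
        pkts.append(d)
    return pkts


def find_port_mismatches(pkts):
    """Pair each IKE_SA_INIT request [I] with the responder's reply [R] for the same
    address pair and report replies not sent back to the request's source port."""
    pending = {}   # (initiator_ip, responder_ip) -> most recent request packet
    findings = []
    for p in pkts:
        if p["role"] == "I":
            pending[(p["src"], p["dst"])] = p
            continue
        req = pending.get((p["dst"], p["src"]))
        if req is None:
            continue  # reply without a request we saw; nothing to compare against
        if p["dport"] != req["sport"]:
            findings.append({
                "initiator": p["dst"],
                "responder": p["src"],
                "expected_dport": req["sport"],
                "actual_dport": p["dport"],
                "request_ts": req["ts"],
                "reply_ts": p["ts"],
            })
    return findings


def check_trace(text):
    """Convenience wrapper: parse a capture and return the mismatch findings."""
    return find_port_mismatches(parse_trace(text))


if __name__ == "__main__":
    for f in check_trace(SAMPLE_TRACE):
        print("IKE_SA_INIT reply to %s sent to port %d, request came from port %d"
              % (f["initiator"], f["actual_dport"], f["expected_dport"]))
```

Run against a live `tcpdump -n udp port 500` capture piped through the parser, the check prints one line per reply that would be dropped by a NAT or stateful router because it does not return to the port the request left from; a clean responder produces no output.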

