[Swan] [PATCH, RFC] libreswan 3.17 incorrectly replying with dstport 500 during IKEv2 setup
Daniel J Blueman
daniel at quora.org
Wed Jun 8 12:56:12 UTC 2016
On 8 Jun 2016 8:52 p.m., "Paul Wouters" <paul at nohats.ca> wrote:
> On Thu, 2 Jun 2016, Daniel J Blueman wrote:
>> Using the current libreswan release in the core CentOS 6 repo
>> (libreswan-3.15-5.3) with a road-warrior configuration with a
>> Windows 10 client and cert auth, I'm seeing libreswan reply to the
>> initial IKEv2 setup packets on port 500, rather than the correct
>> source port, needed to pass through routers; we see:
>> 19:45:16.061582 IP 22.214.171.124.1024 > 126.96.36.199.500: isakmp:
>> parent_sa ikev2_init[I]
>> 19:45:16.071924 IP 188.8.131.52.500 > 184.108.40.206.500: isakmp:
>> parent_sa ikev2_init[R]
> That should not happen. It is clearly a bug.
>> This issue occurs on libreswan 3.17 also, so I traced back the
>> incorrect remote port number to the connection lookup code, clearly
>> the right section in the debug logs. Rewriting the port number
>> fixes the behaviour.
> If we are not switching connections, it should not have the wrong port.
> But since this is IKE_INIT, I would not expect it to switch connections
> at all.
> I'm looking into issue.
Thanks for taking a look!
I can test out any changes as and when.
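The symptom reported in this thread is visible directly in the tcpdump lines: the IKE_SA_INIT request arrives from the client's port 1024, but the response goes back to port 500, so a NAT router in front of the client has no mapping for it and the reply never arrives. The following is an added example, not libreswan code or anything posted in the thread. It parses tcpdump-style `isakmp:` summary lines, pairs each `ikev2_init[I]` with the `ikev2_init[R]` sent back to the same peer, and flags a response whose destination port differs from the port the initiator actually sent from. The capture text and the TEST-NET addresses in it are constructed for the example; the only assumption about the input is tcpdump's default one-line summary format.

```python
"""Check that IKEv2 IKE_SA_INIT responses return to the initiator's source port.

Added example for the libreswan port-500 reply report (not libreswan's code).
RFC 7296 section 2.11 requires the responder to send the IKE_SA_INIT response
back to the address and port the request came from; a reply to port 500 when
the request came from another port is what breaks the exchange behind NAT.
"""
import re
from typing import List, Optional

# tcpdump default summary: "<ts> IP <src>.<sport> > <dst>.<dport>: isakmp: <detail>"
_LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): isakmp: (?P<detail>.*)$"
)

# Constructed sample capture (TEST-NET addresses, not the ones in the report).
# The client sends IKE_SA_INIT from port 1024; the gateway wrongly replies to 500.
BUGGY_CAPTURE = """\
19:45:16.061582 IP 198.51.100.10.1024 > 203.0.113.5.500: isakmp: parent_sa ikev2_init[I]
19:45:16.071924 IP 203.0.113.5.500 > 198.51.100.10.500: isakmp: parent_sa ikev2_init[R]
"""

# The same exchange with the reply addressed to the port the initiator used.
FIXED_CAPTURE = """\
19:45:16.061582 IP 198.51.100.10.1024 > 203.0.113.5.500: isakmp: parent_sa ikev2_init[I]
19:45:16.071924 IP 203.0.113.5.500 > 198.51.100.10.1024: isakmp: parent_sa ikev2_init[R]
"""


def parse_isakmp_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump isakmp summary line, or None if it is not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def check_ike_init_ports(capture: str) -> List[dict]:
    """Pair IKE_SA_INIT requests with their responses and check the reply ports.

    One finding per response. 'ok' is True only when the response goes to the
    initiator's source port and comes from the port the request was sent to.
    """
    records = [r for r in map(parse_isakmp_line, capture.splitlines()) if r]
    requests = [r for r in records if "ikev2_init[I]" in r["detail"]]
    findings = []
    for resp in (r for r in records if "ikev2_init[R]" in r["detail"]):
        # The matching request is the one between the same two hosts, reversed.
        req = next(
            (q for q in requests if q["src"] == resp["dst"] and q["dst"] == resp["src"]),
            None,
        )
        if req is None:
            findings.append({"ts": resp["ts"], "ok": False,
                             "reason": "response without a matching request"})
            continue
        ok = resp["dport"] == req["sport"] and resp["sport"] == req["dport"]
        findings.append({
            "ts": resp["ts"],
            "initiator": f'{req["src"]}:{req["sport"]}',
            "expected_dport": req["sport"],
            "actual_dport": resp["dport"],
            "ok": ok,
        })
    return findings


if __name__ == "__main__":
    for label, cap in (("buggy", BUGGY_CAPTURE), ("fixed", FIXED_CAPTURE)):
        for f in check_ike_init_ports(cap):
            print(label, "OK" if f["ok"] else "PORT MISMATCH", f)
```

Run against a real capture with `tcpdump -n -i <iface> udp port 500 or udp port 4500` piped into the checker; the constructed `BUGGY_CAPTURE` produces one mismatch finding (expected 1024, got 500) and `FIXED_CAPTURE` produces none.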