[Swan] [PATCH, RFC] libreswan 3.17 incorrectly replying with dstport 500 during IKEv2 setup
Daniel J Blueman
daniel at quora.org
Wed Jun 8 12:56:12 UTC 2016
On 8 Jun 2016 8:52 p.m., "Paul Wouters" <paul at nohats.ca> wrote:
>
> On Thu, 2 Jun 2016, Daniel J Blueman wrote:
>
>> Using the current libreswan release in the core CentOS 6 repo
>> (libreswan-3.15-5.3) with a road-warrior configuration [1] with a
>> Windows 10 client and cert auth, I'm seeing libreswan reply to the
>> initial IKEv2 setup packets on port 500, rather than the correct
>> source port, needed to pass through routers; we see:
>>
>> 19:45:16.061582 IP 66.96.193.199.1024 > 195.119.250.13.500: isakmp:
>> parent_sa ikev2_init[I]
>> 19:45:16.071924 IP 195.119.250.13.500 > 66.96.193.199.500: isakmp:
>> parent_sa ikev2_init[R]
>
>
> That should not happen. It is clearly a bug.
>
>
>> This issue occurs on libreswan 3.17 also, so I traced back the
>> incorrect remote port number to the connection lookup code, clearly
>> the right section in the debug logs [2]. Rewriting the port number [3]
>> fixes the behaviour.
>
>
> If we are not switching connections, it should not have the wrong port.
> But since this is IKE_INIT, I would not expect it to switch connections
> at all.
>
> I'm looking into issue.
Thanks for taking a look!
I can test out any changes as and when.
Dan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20160608/6d6e698e/attachment.html>
More information about the Swan
mailing list