[Swan] IPsec ports

Paul Wouters paul at nohats.ca
Thu Feb 7 18:39:14 UTC 2019


On Thu, 7 Feb 2019, Nick Howitt wrote:

> Can you clarify port usage? Does ipsec always have to be from udp:500 to
> udp:500 or can it be from high ports? Similarly, for NAT traffic is it
> to/from udp:4500 or can the from be from high ports?
> (I know there is also ESP and AH)

The IKE standard defines udp port 500 and udp port 4500 for IKE. IKEv2
allows skipping UDP 500 and initiating from UDP port 4500 without
waiting on the outcome of NAT detection. Due to NAT, no assumption
should be made about the source port of traffic, as a NAT router can
modify the original port number to another port number.

ESP can be encapsulated over UDP port 4500. Again, the source port can
be any port due to the NAT router. If both ends are behind NAT, one
endpoint will have port forwarding enabled for UDP ports 500 and 4500.

AH was purposefully left out of the encapsulation RFC. Use ESP with
null encryption if only integrity is to be used.

Note that RFC 8223 defines IKE and ESP over TCP as well. As this is to
be used only when UDP 500/4500 is blocked, there is no way to negotiate
the TCP port. It is assumed the port is preconfigured. The TCP stream
uses a marker for IKE/ESP, which allows framing to be used. For example,
TLS could be used over TCP port 443 to make the connection appear to be
HTTPS.

Note that TCP support is not yet present in libreswan. While we have
code ready for this, we are waiting on the linux ESPinTCP support to
be released.

In theory, IKE and ESPinUDP could be preconfigured to use a different
port. While the code tries to not assume 500/4500, there might still be
some places where this is assumed. So currently, you most likely cannot
configure IKE/ESP to run over a different UDP port, although the changes
required to do this are likely very minimal.

Paul
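The port rules Paul describes (bare IKE on UDP 500, IKE and UDP-encapsulated ESP sharing UDP 4500, the source port untrusted because of NAT) are what a packet classifier for a firewall log or IDS has to implement. The following is an added example, not libreswan code: it tells IKE, ESP and NAT keepalives apart on port 4500 using the RFC 3948 non-ESP marker (four zero bytes, which cannot collide with a real SPI because SPI 0 is reserved) and keys only on the destination port. The sample datagrams are constructed, not captures.

```python
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: IKE on UDP/4500 carries four zero bytes first
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte NAT keepalive, no IKE/ESP inside
IKE_HDR = struct.Struct("!QQBBBBII")  # IKE header: iSPI, rSPI, next, version, exch, flags, msgid, len

def parse_ike_header(ike: bytes) -> dict:
    """Decode the fixed 28-byte IKE header (same layout for IKEv1 and IKEv2)."""
    if len(ike) < IKE_HDR.size:
        return {"kind": "malformed", "reason": "truncated IKE header"}
    ispi, rspi, _next, ver, exch, _flags, msg_id, length = IKE_HDR.unpack_from(ike)
    return {"kind": "ike", "ispi": ispi, "rspi": rspi, "version": f"{ver >> 4}.{ver & 0xF}",
            "exchange_type": exch, "message_id": msg_id, "length_ok": length == len(ike)}

def classify_datagram(sport: int, dport: int, payload: bytes) -> dict:
    """Classify one UDP datagram by destination port only; the source port is
    not trusted because a NAT in the path may have rewritten it."""
    if dport == 500:
        result = parse_ike_header(payload)          # port 500 carries bare IKE
    elif dport == 4500:
        if payload == NAT_KEEPALIVE:
            result = {"kind": "nat-keepalive"}
        elif len(payload) < 8:
            result = {"kind": "malformed", "reason": "too short for ESP or IKE"}
        elif payload[:4] == NON_ESP_MARKER:
            result = parse_ike_header(payload[4:])  # marker stripped, IKE follows
        else:
            spi, seq = struct.unpack_from("!II", payload)  # SPI 0 is reserved, so no clash with the marker
            result = {"kind": "esp", "spi": spi, "seq": seq}
    else:
        result = {"kind": "other"}
    result["nat_rewritten_sport"] = sport not in (500, 4500)
    return result

# Constructed samples (not captures): an IKEv2 IKE_SA_INIT request (exchange type 34,
# next payload 33 = SA, version 2.0, initiator flag) and a UDP-encapsulated ESP packet.
SAMPLE_IKE_SA_INIT = IKE_HDR.pack(0x1122334455667788, 0, 33, 0x20, 34, 0x08, 0, IKE_HDR.size)
SAMPLE_ESP = struct.pack("!II", 0xC0FFEE01, 7) + b"\xaa" * 16   # SPI, sequence, opaque ciphertext

if __name__ == "__main__":
    for sport, dport, data in [
        (500, 500, SAMPLE_IKE_SA_INIT),                      # classic IKE, no NAT in the path
        (61044, 4500, NON_ESP_MARKER + SAMPLE_IKE_SA_INIT),  # IKE on 4500, source port rewritten by NAT
        (61044, 4500, SAMPLE_ESP),                           # UDP-encapsulated ESP on 4500
        (61044, 4500, NAT_KEEPALIVE),
    ]:
        print(sport, "->", dport, classify_datagram(sport, dport, data))
```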
