IKE_SA_INIT packets are ignored when source port is not 500 and custom ipsec port is used #285
Hello, I'm trying to set up strongSwan behind NAT with custom IPsec port NAT rules:
strongSwan acts as the IKEv2 responder. The problem is that when IKE_SA_INIT arrives from a random port, strongSwan ignores it:
and nothing happens, but when the IKE_SA_INIT packet arrives from source port 500, it is processed as expected:
.... etc. and the connection establishes as expected. strongswan.conf:
I also tried to build with --with-charon-udp-port=501 --with-charon-natt-port=4501 and got the same result. If I make 1-1 NAT rules (public_udp 500 -> private_udp 500) and run charon on default ports, then it works as expected in both cases. Could you please help me with any idea why this happens and how to fix it? Thanks in advance.
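The port check that produces the reported behaviour, as an added C example that is not part of this discussion or of strongSwan's code: it models the receiver-side decision on UDP port numbers and the 4-byte Non-ESP marker, with constructed ports and payload bytes, and shows the same packet under the original constant and under a configured charon port.

```c
/* Added example, not strongSwan code: models the receiver.c decision that
 * classifies a UDP payload on an IKE socket as bare IKE, IKE behind a
 * 4-byte Non-ESP marker, or ESP. Ports and payload bytes are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IKEV2_UDP_PORT 500

enum pkt_class { PKT_IKE, PKT_IKE_MARKED, PKT_ESP };

/* local_ike_port is what the destination port is compared with: the original
 * code hardcodes IKEV2_UDP_PORT, the patch passes charon's configured port. */
static enum pkt_class classify(uint16_t src, uint16_t dst,
                               uint16_t local_ike_port,
                               const uint8_t *data, size_t len)
{
    static const uint8_t marker[4] = {0, 0, 0, 0};

    if (dst != local_ike_port && src != IKEV2_UDP_PORT)
    {
        /* Neither port says "IKE": only a leading Non-ESP marker does. */
        if (len >= sizeof(marker) && memcmp(data, marker, sizeof(marker)) == 0)
            return PKT_IKE_MARKED;
        return PKT_ESP;   /* the IKE receiver drops this */
    }
    return PKT_IKE;
}

int main(void)
{
    /* Constructed start of an IKE_SA_INIT header: a non-zero initiator SPI. */
    const uint8_t ike_sa_init[8] = {0x7a, 0x1b, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18};
    const uint16_t charon_port = 501;   /* custom charon.port from the report */
    const char *names[] = {"IKE", "IKE (Non-ESP marker)", "ESP (ignored)"};

    /* Random source port, NAT forwards to 501: original code calls it ESP. */
    printf("orig,  51234 -> 501: %s\n",
           names[classify(51234, charon_port, IKEV2_UDP_PORT, ike_sa_init, 8)]);
    /* Same packet with the patched comparison: recognised as IKE. */
    printf("patch, 51234 -> 501: %s\n",
           names[classify(51234, charon_port, charon_port, ike_sa_init, 8)]);
    /* Source port 500 was already accepted by the original code. */
    printf("orig,    500 -> 501: %s\n",
           names[classify(500, charon_port, IKEV2_UDP_PORT, ike_sa_init, 8)]);
    return 0;
}
```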
Replies: 2 comments 6 replies
Please provide complete debug logs (#196), the output of ipsec statusall, and your complete configuration.
Made a small patch (for 5.9.2) to check not the default IKEV2_UDP_PORT but the charon socket. Maybe this can be useful for someone.
--- src/libcharon/network/receiver.c_orig 2021-03-29 22:08:57.000000000 +0300
+++ src/libcharon/network/receiver.c 2021-03-29 23:35:21.000000000 +0300
@@ -457,9 +457,9 @@
return JOB_REQUEUE_DIRECT;
}
- /* if neither source nor destination port is 500 we assume an IKE packet
- * with Non-ESP marker or an ESP packet */
- if (dst->get_port(dst) != IKEV2_UDP_PORT &&
+ /* if source is not charon.port and destination port is not 500 we assume
+ * an IKE packet with Non-ESP marker or an ESP packet */
+ if (dst->get_port(dst) != charon->socket->get_port(charon->socket, FALSE) &&
src->get_port(src) != IKEV2_UDP_PORT)
{
if (memeq(data.ptr, marker.ptr, marker.len))
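Review bot: the new comment in receiver.c describes the ports the other way round from the code: it says "source is not charon.port and destination port is not 500", while the condition compares dst (the local socket the packet arrived on) with charon->socket->get_port(charon->socket, FALSE) and src with IKEV2_UDP_PORT. Reword it to "if the destination port is not charon's port and the source port is not 500"; that is also the right reasoning for the reported case, since the local port is the only value the responder controls once NAT and the initiator choose the source port. With the default charon.port of 500 the comparison reduces to the original one, so default installations keep their behaviour.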
--- src/libcharon/network/sender.c_orig 2021-03-29 22:08:57.000000000 +0300
+++ src/libcharon/network/sender.c 2021-03-29 23:34:31.000000000 +0300
@@ -121,9 +121,10 @@
message->destroy(message);
}
- /* if neither source nor destination port is 500 we add a Non-ESP marker */
+ /* if source port is not 500 and destination port is not charon.port we add
+ * a Non-ESP marker */
if (dst->get_port(dst) != IKEV2_UDP_PORT &&
- src->get_port(src) != IKEV2_UDP_PORT)
+ src->get_port(src) != charon->socket->get_port(charon->socket, FALSE))
{
chunk_t data, marker = chunk_from_chars(0x00, 0x00, 0x00, 0x00);
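Review bot: the same inversion appears in the sender.c comment, which reads "source port is not 500 and destination port is not charon.port" although the condition checks dst against IKEV2_UDP_PORT and src against charon's port. On the sending side src is the local socket, so the code is right and the comment should say "if the source port is not charon's port and the destination port is not 500". The receiver and sender hunks are consistent with each other (both compare the local side with the configured non-NAT-T port via get_port(..., FALSE) and the remote side with 500), which is what keeps the Non-ESP marker decision symmetric; that symmetry is worth stating in the commit message.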
--- src/libcharon/encoding/message.c_orig 2021-03-29 22:08:57.000000000 +0300
+++ src/libcharon/encoding/message.c 2021-03-29 23:35:59.000000000 +0300
@@ -2008,7 +2008,7 @@
/* 8 (UDP header) */
REDUCE_FRAG_LEN(frag_len, 8);
if (dst->get_port(dst) != IKEV2_UDP_PORT &&
- src->get_port(src) != IKEV2_UDP_PORT)
+ src->get_port(src) != charon->socket->get_port(charon->socket, FALSE))
{ /* reduce length due to non-ESP marker */
REDUCE_FRAG_LEN(frag_len, 4);
}
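Review bot: message.c now references the charon global with no visible include change; confirm it already pulls in daemon.h, otherwise this hunk does not build on its own. More importantly, the same marker condition is now spelled out in receiver.c, sender.c and here, and the comments in the first two already disagree with the code, so a single helper (say, a function taking the src and dst hosts and returning whether a Non-ESP marker applies) would keep this fragment-length calculation from drifting from the receiver's classification; if the two ever disagree, fragments come out 4 bytes longer than the computed limit.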