[strongSwan] Changing IKE port

Tobias Brunner tobias at strongswan.org
Thu Jul 14 09:54:19 CEST 2016


Hi Eric,

> Sorry. Here is the complete log. This time, I recompiled Strongswan
> with socket-dynamic plugin.

You don't need the socket-dynamic plugin.  That's only needed if you
want to use multiple different source ports (leftikeport).

As you can see in the log the client does not send the packet with a
non-ESP marker:

> Jul 13 18:44:44 ikev2 charon: 03[NET] received packet => 184 bytes @ 0xafaa49f0
> Jul 13 18:44:44 ikev2 charon: 03[NET]    0: 46 F9 B2 43 68 DA 95 DA 00 00 00 00 00 00 00 00  F..Ch...........

Instead it starts directly with the initiator SPI and the zeroed
responder SPI.  Because neither source nor destination port is 500 and
the marker is not found charon drops the packet.

The problem is that if neither port is 500 there won't be any port
floating to port 4500 if a NAT is detected between the two peers.  So if
UDP encapsulation is enabled on this connection due to a NAT (with
MOBIKE this could happen suddenly if the client is mobile and moves
behind a NAT router) IKE messages couldn't be distinguished from UDP
encapsulated ESP packets on the same ports.  So the daemon always
assumes that if neither port is 500 a non-ESP marker is prepended to the
IKE message.  That's how it sends its own messages anyway.  I guess as
receiver we could be a bit more lenient and just try to process the
packet, but unless the client starts adding the marker if a NAT is
detected the connection might be broken later.

Regards,
Tobias
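
The receive-side rule described in this mail, as an added Python model (not strongSwan's own code): packets on port 500 are parsed as IKE directly, packets on any other port pair must carry the four-zero-byte non-ESP marker, and without it the logged IKE_SA_INIT is byte-for-byte indistinguishable from a UDP-encapsulated ESP packet. The first 16 bytes come from the log quoted above; the rest of the header, the ESP packet and the custom port number are constructed for the example.

```python
import struct

IKE_PORT = 500                        # plain IKE: header starts at byte 0
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 marker ahead of IKE on other ports
IKE_HEADER_LEN = 28
CUSTOM_PORT = 10500                   # constructed: stands for "any port other than 500"

# First 16 bytes copied from the log above (initiator SPI, zeroed responder SPI);
# the remaining 12 header bytes are constructed: next payload SA (33), IKEv2 (0x20),
# IKE_SA_INIT (34), Initiator flag (0x08), message ID 0, length 184 as logged.
# Payloads are omitted because only the header matters for the receive decision.
LOGGED_PREFIX = bytes.fromhex("46F9B24368DA95DA0000000000000000")
IKE_SA_INIT_NO_MARKER = LOGGED_PREFIX + struct.pack("!BBBBII", 33, 0x20, 34, 0x08, 0, 184)

# Constructed UDP-encapsulated ESP packet: 4-byte SPI, 4-byte sequence number, ciphertext.
# The SPI is chosen to equal the first word of the logged initiator SPI to show the collision.
ESP_PACKET = struct.pack("!II", 0x46F9B243, 1) + b"\xaa" * 24


def parse_ike_header(msg: bytes) -> dict:
    """Decode the fixed 28-byte IKE header (RFC 7296 section 3.1)."""
    ispi, rspi, nxt, ver, xchg, flags, mid, length = struct.unpack("!QQBBBBII", msg[:IKE_HEADER_LEN])
    return {"ispi": ispi, "rspi": rspi, "next_payload": nxt,
            "version": (ver >> 4, ver & 0x0F), "exchange": xchg,
            "initiator": bool(flags & 0x08), "message_id": mid, "length": length}


def looks_like_esp(data: bytes) -> bool:
    """On a non-500 port a non-zero first word is read as an ESP SPI (RFC 3948)."""
    return len(data) >= 4 and data[:4] != NON_ESP_MARKER


def classify(src_port: int, dst_port: int, data: bytes):
    """Model of charon's receive rule: returns ('ike', header) or ('drop', reason)."""
    if IKE_PORT in (src_port, dst_port):
        # Port 500 never carries UDP-encapsulated ESP, so no marker is expected.
        if len(data) < IKE_HEADER_LEN:
            return "drop", "truncated IKE header"
        return "ike", parse_ike_header(data)
    # Any other port pair may switch to UDP-encapsulated ESP once a NAT is detected
    # (with MOBIKE this can happen mid-connection), so the marker is mandatory.
    if not data.startswith(NON_ESP_MARKER):
        return "drop", "no non-ESP marker on a non-500 port"
    body = data[len(NON_ESP_MARKER):]
    if len(body) < IKE_HEADER_LEN:
        return "drop", "truncated IKE header"
    return "ike", parse_ike_header(body)


if __name__ == "__main__":
    # The logged packet on a custom port is dropped; with the marker, or on port 500, it parses.
    print(classify(CUSTOM_PORT, CUSTOM_PORT, IKE_SA_INIT_NO_MARKER))
    print(classify(CUSTOM_PORT, CUSTOM_PORT, NON_ESP_MARKER + IKE_SA_INIT_NO_MARKER))
    print(hex(classify(IKE_PORT, IKE_PORT, IKE_SA_INIT_NO_MARKER)[1]["ispi"]))
    # Byte-wise, the unmarked IKE_SA_INIT and a real ESP packet look the same.
    print(looks_like_esp(IKE_SA_INIT_NO_MARKER), looks_like_esp(ESP_PACKET))
```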
