[Openswan Users] Wrong ISAKMP-Port
Daniel Woithe
woithe at gmx.net
Sun Jun 19 01:04:31 CEST 2005
Hello,
I'm trying to use Openswan on an Intel IXP425 processor.
Therefore, I used OpenEmbedded to compile a 2.6.11.2 kernel and Openswan 2.2.0 for the IXP425.
My configuration file is the following:
version 2.0 # conforms to second version of ipsec.conf specification

config setup
    interfaces="ipsec0=ath0"
    klipsdebug=all
    plutodebug=all

conn lan
    auto=add
    authby=rsasig
    left=192.168.1.1
    leftsubnet=0.0.0.0/0
    #leftsubnet=192.168.1.0/255.255.255.0
    leftcert=cert-srv.pem
    right=%any
    rightcert=cert-clt.pem
The problem is the ISAKMP port: instead of using the default port 500, Openswan expects packets on port 244. I haven't found a parameter to change this.
000 "lan": 0.0.0.0/0===192.168.1.1:244[C=DE, ST=Sachsen, L=Dresden, O=Testfirma, OU=WLAN EAP, CN=Server, E=server at test.de]...%any:244[C=DE, ST=Sachsen, L=Dresden, O=Testfirma, OU=WLAN EAP, CN=Client, E=client at test.de]; unrouted; eroute owner: #0
000 "lan": CAs: 'C=DE, ST=Sachsen, L=Dresden, O=Testfirma, OU=WLAN EAP, CN=WLAN CA, E=ca at test.de'...'C=DE, ST=Sachsen, L=Dresden, O=Testfirma, OU=WLAN EAP, CN=WLAN CA, E=ca at test.de'
000 "lan": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "lan": policy: RSASIG+ENCRYPT+TUNNEL+PFS; prio: 0,32; interface: eth0;
000 "lan": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "lan": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "lan": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "lan": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "lan": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
Because of the wrong port, I cannot establish a connection to my normal PC, because the Openswan on my PC is using port 500.
My netstat looks okay:
root at ixp425:/etc/ipsec# netstat -a
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:sunrpc *:* LISTEN
tcp 0 0 *:ssh *:* LISTEN
tcp 0 64 192.168.1.1:ssh 192.168.1.100:1027 ESTABLISHED
netstat: no support for `AF INET6 (tcp)' on this system.
udp 0 0 *:bootps *:*
udp 0 0 *:sunrpc *:*
udp 0 0 localhost.locald:isakmp *:*
udp 0 0 192.168.1.1:isakmp *:*
netstat: no support for `AF INET6 (udp)' on this system.
raw 0 0 *:1 *:* 0
netstat: no support for `AF INET6 (raw)' on this system.
Any ideas what the reason for this problem can be?
Thanks for your help, and excuse my bad English; I'm not a native speaker.
Greets
Daniel
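An added diagnostic for the symptom described in the post above (example code, not from the original message or from the Openswan project). Two things in the post are worth checking against each other: the netstat output shows the UDP socket bound to the port that /etc/services names "isakmp" (normally 500), so the kernel-level socket looks right, while the 244 appears only in Pluto's connection description. 244 is exactly 500 modulo 256 (500 is 0x01F4 and 0xF4 is 244), which is consistent with the port being narrowed to 8 bits somewhere between the service lookup and the connection's host-port field. That is a hypothesis, not something the post establishes. The program below, meant to be cross-compiled with the same toolchain and run on the IXP425, shows what 8-bit narrowing does to the port, checks that htons/ntohs round-trip in the cross toolchain, looks up "isakmp" the way a getservbyname() caller would, and binds a UDP socket to report the port the kernel actually sees. The function names and the loopback address are choices made for this example.

```c
/* Added diagnostic, not code from the post or from Openswan.
 * Hypothesis under test: 244 == (uint8_t)500, i.e. the port was narrowed to 8 bits. */
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define ISAKMP_PORT 500

/* What a 16-bit port becomes once squeezed into 8 bits.
 * 500 == 0x01F4, so only the low byte 0xF4 == 244 survives: the number in Pluto's output. */
unsigned narrowed_port(unsigned port)
{
    return (uint8_t)port;
}

/* Port after a round trip through the byte-order macros. Anything other than the
 * input means htons/ntohs in the cross toolchain disagree with each other. */
unsigned byteorder_roundtrip(unsigned port)
{
    return ntohs(htons((uint16_t)port));
}

/* Service lookup as a getservbyname() caller would do it; -1 if /etc/services
 * on this system has no matching entry. */
int service_port(const char *name, const char *proto)
{
    struct servent *se = getservbyname(name, proto);
    if (se == NULL)
        return -1;
    return ntohs((uint16_t)se->s_port);
}

/* Bind a UDP socket to 127.0.0.1:port (loopback chosen for this example) and return the
 * port the kernel reports through getsockname(), or -1 on error. Port 0 asks for an
 * ephemeral port, which still exercises the byte-order path without needing root. */
int bound_udp_port(unsigned port)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons((uint16_t)port);
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)&sin, sizeof sin) < 0) {
        close(fd);
        return -1;
    }
    socklen_t len = sizeof sin;
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return ntohs(sin.sin_port);
}

int main(void)
{
    printf("narrowed_port(%d)     = %u\n", ISAKMP_PORT, narrowed_port(ISAKMP_PORT));
    printf("byteorder_roundtrip   = %u\n", byteorder_roundtrip(ISAKMP_PORT));
    printf("service_port(isakmp)  = %d\n", service_port("isakmp", "udp"));
    /* Binding to 500 needs root; fall back to an ephemeral port otherwise. */
    int p = bound_udp_port(ISAKMP_PORT);
    if (p < 0)
        p = bound_udp_port(0);
    printf("bound_udp_port        = %d\n", p);
    return 0;
}
```

If byteorder_roundtrip() and bound_udp_port() both report the port you asked for while Pluto still prints 244, the problem is in how the build stores or prints the host port, not in the kernel or the socket layer; if service_port() returns -1, /etc/services on the target lacks the isakmp entry that netstat used to name the socket.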