[Openswan Users] Bug in Openswan that sends IKE packets from random ports (not source port 500)
Alex Strawman
alexstrawman at gmail.com
Sun Jun 22 06:04:31 EDT 2008
Hi there,
I have several tunnels that work just fine, but sometimes, when I change
the default route of the box, it has problems re-initializing some of the
tunnels (not all of the tunnels to all hosts).
When I look at the packets, it's sending the IKE packets from a source port
of 9 (this changes, not sure why) rather than source port 500.
When the IKE daemon on the other end receives the packet, it ignores it and
doesn't process it (even though the packet arrives [it's not a firewall issue
restricting on source 500 to dest 500]).
Any thoughts on this?
If I restart IKE the problem doesn't stop; it re-occurs, and uses source
port 9 again (as I mentioned, it's not always 9, sometimes it's port 1, or
3..).
Perhaps 9 is the number of tunnels it has loaded at the time it fails?
Because some of the tunnels are OK, and send from port 500, but others use
port 9 (or 1, 3, etc...).
So I don't believe it's a config issue, because a reboot of the box fixes the
problem, and it starts to send from port 500, as it did before the routes
were mixed with..
Openswan is compiled statically into the kernel, so I can't unload/reload the
modules to see if that fixes the problem; my guess is it would.. however
the platform I have to administrate here enforces static kernels...
Example packet is below (it's tcpdump -s1515 -nv -X) with the data cut off;
note the source port 100.10.x.y.9...
09:00:30.499168 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto: UDP
(17), length: 204) 100.10.x.y.9 > 100.20.x.y.500: isakmp 1.0 msgid : phase 1
I ident:
(sa: doi=ipsec situation=identity
(p: #0 protoid=isakmp transform=4
(t: #0 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa
sig)(type=group desc value=0005))
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa
sig)(type=group desc value=0005))
(t: #2 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=rsa
sig)(type=group desc value=modp1024))
(t: #3 id=ike (type=lifetype value=sec)(type=lifeduration
value=0e10)(type=enc value=3des)(type=hash value=md5)(type=auth value=rsa
sig)(type=group desc value=modp1024))))
Thanks in advance.
Alex
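A defender-side check for the symptom described in the post, added here as an example (it is not code from the original mail or from the Openswan project): it parses `tcpdump -nv` packet lines in the layout shown above and flags ISAKMP packets whose UDP source port is neither 500 nor 4500, the two ports a peer will normally accept IKE on. The sample lines and the 192.0.2.0/24 addresses are constructed for the example; the regex is written for this example and handles both the older "proto: UDP (17)" and the newer "proto UDP (17)" tcpdump header wording.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Ports on which an IKE responder normally accepts ISAKMP traffic
# (500 plain IKE, 4500 NAT-Traversal). Anything else is the bug from the post.
EXPECTED_IKE_PORTS = {500, 4500}

# Hypothetical regex for this example: it matches the header of a
# `tcpdump -nv` line, then "src.port > dst.port: isakmp".
ISAKMP_RE = re.compile(
    r"proto:?\s*UDP\s*\(17\).*?\)\s+"
    r"(?P<src>[\w.:-]+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\w.:-]+)\.(?P<dport>\d+):\s+isakmp"
)


@dataclass
class IkePacket:
    src: str
    sport: int
    dst: str
    dport: int

    def wrong_source_port(self) -> bool:
        return self.sport not in EXPECTED_IKE_PORTS


def parse_line(line: str) -> Optional[IkePacket]:
    """Return an IkePacket for an ISAKMP tcpdump line, None for anything else."""
    m = ISAKMP_RE.search(line)
    if not m:
        return None
    return IkePacket(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def find_wrong_source_ports(lines: List[str]) -> List[IkePacket]:
    """Keep only ISAKMP packets sent from a port a peer would ignore."""
    pkts = (parse_line(ln) for ln in lines)
    return [p for p in pkts if p is not None and p.wrong_source_port()]


# Constructed sample capture lines in the same shape as the post's output
# (the decoded payload continuation lines are simply not matched).
SAMPLE_LINES = [
    "09:00:30.499168 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto: UDP (17), length: 204) 192.0.2.10.9 > 192.0.2.20.500: isakmp 1.0 msgid : phase 1 I ident:",
    "09:00:31.120004 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto: UDP (17), length: 204) 192.0.2.10.500 > 192.0.2.30.500: isakmp 1.0 msgid : phase 1 I ident:",
    "09:00:31.500100 IP (tos 0x0, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length: 60) 192.0.2.10.53211 > 192.0.2.53.53: 1234+ A? example.invalid. (30)",
    "09:00:32.004310 IP (tos 0x0, ttl 54, id 0, offset 0, flags [DF], proto UDP (17), length: 204) 192.0.2.10.1 > 192.0.2.40.500: isakmp 1.0 msgid : phase 1 I ident:",
]

if __name__ == "__main__":
    for p in find_wrong_source_ports(SAMPLE_LINES):
        print(f"IKE from unexpected source port {p.sport}: {p.src} -> {p.dst}:{p.dport}")
```

Run against a real capture with `tcpdump -nv udp port 500 | python3 ike_port_check.py` style piping by replacing SAMPLE_LINES with `sys.stdin`; a non-empty result on a working peer is exactly the failure the post describes.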