[Openswan Users] libreswan 3.15 replying with dstport 500 during IKEv2 setup
Daniel J Blueman
daniel at quora.org
Wed Jun 1 06:01:06 EDT 2016
Hi to all!
Has anyone found a solution to libreswan replying to IKEv2 setup
packets with port 500, rather than the source port [1]? This obviously
causes them to be dropped by stateful firewalls/NAT.
I'm using the current libreswan release in the core CentOS 6 repo
(libreswan-3.15-5.3) with a road-warrior configuration [2] with a
Windows 10 client with cert auth.
Some of the port assignments look suspicious in the output of 'ipsec
pluto --stderrlog --config /etc/ipsec.conf --nofork --debug-all', but
the output without '--debug-all' looks good:
Jun 1 19:52:33: "tunnel"[1] 66.96.193.199 #1: STATE_PARENT_R1:
received v2I1, sent v2R1 {auth=IKEv2 cipher=aes_256 integ=sha384_192
prf=OAKLEY_SHA2_384 group=MODP1024}
Let me know of any tips and thanks!
Daniel
-- [1] tcpdump -i eth0 -nn udp
19:45:16.061582 IP 66.96.193.199.1024 > 195.119.250.13.500: isakmp:
parent_sa ikev2_init[I]
19:45:16.071924 IP 195.119.250.13.500 > 66.96.193.199.500: isakmp:
parent_sa ikev2_init[R]
-- [2] /etc/ipsec.d/tunnel.conf
conn tunnel
left=195.119.250.13
leftcert=box
leftid=@box.foo
leftsendcert=always
leftsubnet=0.0.0.0/0
leftrsasigkey=%cert
right=%any
rightaddresspool=192.168.66.10-192.168.66.199
rightca=%same
rightrsasigkey=%cert
ike=aes256-sha2_384;modp1024 # Windows 10
narrowing=yes
dpddelay=30
dpdtimeout=120
dpdaction=clear
auto=add
ikev2=insist
rekey=no
fragmentation=yes
--
Daniel J Blueman
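The symptom in the post is visible in the capture alone: the client sends IKE_SA_INIT from UDP 1024, and the responder answers to UDP 500, a port for which the client's firewall/NAT has no state. The following is an added example, not code from the post or from libreswan, that parses tcpdump isakmp lines (joining lines a mail client wrapped, as above) and flags responses that are not sent back to the request's source port; the sample capture is the post's own two packets, rewrapped.

```python
import re

# One "tcpdump -nn" isakmp line: "<ts> IP <src>.<sport> > <dst>.<dport>: isakmp: <desc>"
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): isakmp: (?P<desc>.*)$"
)
TS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")

# Sample input: the two packets quoted in the post, wrapped the way the mail shows them.
SAMPLE = """\
19:45:16.061582 IP 66.96.193.199.1024 > 195.119.250.13.500: isakmp:
parent_sa ikev2_init[I]
19:45:16.071924 IP 195.119.250.13.500 > 66.96.193.199.500: isakmp:
parent_sa ikev2_init[R]
"""

def parse_tcpdump(text):
    """Parse isakmp lines into dicts. A line that does not start with a
    timestamp is treated as a wrapped continuation of the previous line."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TS_RE.match(line) or not joined:
            joined.append(line)
        else:
            joined[-1] += " " + line
    records = []
    for line in joined:
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
            records.append(rec)
    return records

def find_port_mismatches(records):
    """Pair each response ([R]) with the latest request ([I]) from the peer it
    answers; a reply not addressed to the request's source port will never
    pass a stateful firewall or NAT, since the only mapping is for that port.
    Returns (client_ip, expected_port, actual_port) per bad reply."""
    last_request = {}  # (client_ip, server_ip) -> request record
    mismatches = []
    for r in records:
        if r["desc"].endswith("[I]"):
            last_request[(r["src"], r["dst"])] = r
        elif r["desc"].endswith("[R]"):
            req = last_request.get((r["dst"], r["src"]))
            if req is not None and r["dport"] != req["sport"]:
                mismatches.append((r["dst"], req["sport"], r["dport"]))
    return mismatches
```

Run against a capture taken on the responder with `tcpdump -i eth0 -nn udp`; an empty result means every IKE reply went back to the port the client used.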