Discussion:
ike_sa_init on port 4500
tsaitgaist
2011-02-23 22:06:38 UTC
Hi,

I am trying to configure an IPsec client using strongswan.
I don't know the IPsec server, but I know the connection details.
But the server only listens on port 4500.
Normally strongswan sends the ike_sa_init on port 500 and then switches
to port 4500.
Is it possible to make strongswan send message 1 ike_sa_init on port
4500 instead of 500?
I couldn't make it work using /rightprotoport, /nat_traversal, mobike or
keyexchange.
It does not even need to add the additional zeros as described in
http://tools.ietf.org/html/draft-eronen-ipsec-ikev2-clarifications-02#section-6.7

thanks,
tsaitgaist
tsaitgaist
2011-02-23 22:15:37 UTC
edit: it does need the 4 zeros at the beginning to tell it's not an ESP
packet.

sorry,
tsaitgaist
_______________________________________________
Users mailing list
https://lists.strongswan.org/mailman/listinfo/users
Martin Willi
2011-02-24 08:26:46 UTC
Hi,
Post by tsaitgaist
Is it possible to make strongswan send message 1 ike_sa_init on port
4500 instead of 500 ?
Yes, starting with 4.4.0, charon supports the left-/rightikeport
ipsec.conf options. Setting rightikeport=4500 initiates directly to port
4500.
Post by tsaitgaist
it does need the 4 zeros at the beginning to tell it's not an esp
To add the non-esp marker, use a local port different from 500 by
setting leftikeport=4500, too.

The default socket listens on port 500 and 4500 only, so any different
leftikeport won't work. There is a special initiator-only socket
implementation called socket-dynamic, binding the sockets on demand. But
it shouldn't be required if you stick to port 4500.

Regards
Martin
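As an added illustration (not from the thread and not strongSwan's own code), the Python below shows the framing Martin refers to: the four zero octets of the non-ESP marker that let a receiver on UDP 4500 tell IKE apart from UDP-encapsulated ESP, and why an IKE_SA_INIT sent to port 4500 without the marker is taken for ESP. The IKEv2 header layout follows RFC 5996 section 3.1; the SPI values and the header-only message length are constructed for the demo.

```python
import struct

# RFC 5996 2.23: IKE over UDP port 4500 is prefixed with four zero octets (the
# "non-ESP marker"); a UDP-encapsulated ESP packet starts with its SPI instead,
# and an ESP SPI is never zero, so the receiver can tell the two apart.
NON_ESP_MARKER = b"\x00\x00\x00\x00"
IKE_SA_INIT = 34          # exchange type of the first IKEv2 message
IKE_HEADER_LEN = 28       # fixed IKEv2 header, RFC 5996 3.1
FLAG_INITIATOR = 0x08
FLAG_RESPONSE = 0x20
HEADER_FMT = "!QQBBBBII"  # SPIi, SPIr, next payload, version, exchange, flags, msg id, length


def build_ikev2_header(spi_i, spi_r, exchange_type, flags, msg_id, length):
    """Constructed IKEv2 header; next payload 33 = SA, version 0x20 = IKEv2.0."""
    return struct.pack(HEADER_FMT, spi_i, spi_r, 33, 0x20, exchange_type, flags, msg_id, length)


def frame_for_port_4500(ike_msg):
    """What a sender using port 4500 must do: prepend the non-ESP marker."""
    return NON_ESP_MARKER + ike_msg


def classify_udp4500_payload(payload):
    """Demultiplex a UDP/4500 datagram the way a NAT-T aware receiver does."""
    if payload == b"\xff":
        return "nat-keepalive"          # RFC 3948 2.3: one-octet keepalive
    if len(payload) < 4:
        return "runt"
    if payload[:4] != NON_ESP_MARKER:
        return "esp"                    # first four octets are a (non-zero) ESP SPI
    ike = payload[4:]
    if len(ike) < IKE_HEADER_LEN:
        return "malformed-ike"
    _spi_i, _spi_r, _nxt, ver, exch, flags, msg_id, _length = struct.unpack(
        HEADER_FMT, ike[:IKE_HEADER_LEN])
    if ver >> 4 != 2:
        return "ike-v%d" % (ver >> 4)
    if exch == IKE_SA_INIT and msg_id == 0:
        return "ikev2-sa-init-" + ("response" if flags & FLAG_RESPONSE else "request")
    return "ikev2-exchange-%d" % exch


if __name__ == "__main__":
    # Constructed initiator SPI; a header-only message, so length == 28.
    init = build_ikev2_header(0x1122334455667788, 0, IKE_SA_INIT, FLAG_INITIATOR, 0, IKE_HEADER_LEN)
    print("with marker:   ", classify_udp4500_payload(frame_for_port_4500(init)))
    print("without marker:", classify_udp4500_payload(init))   # the OP's original situation
```

The second print shows the failure mode from the first post: without the marker the non-zero initiator SPI is read as an ESP SPI, which is why the local port (leftikeport=4500) matters and not only the remote one.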
Yaron Sheffer
2011-02-24 21:27:45 UTC
Hi tsaitgaist,

just a quick educational rant, please don't take it personally:

You are referring to a 5-year-old Internet draft, version -02 of
draft-eronen-.... Internet drafts are, as the name implies, temporary.
They expire after 6 months and normally should not be cited as
references. If you look at the top of the document you cite, you can see
it was eventually replaced by a (permanent) RFC,
http://tools.ietf.org/html/rfc4718. If you follow that link, you will
see that RFC 4718 was recently obsoleted by
http://tools.ietf.org/html/rfc5996. RFC 5996 is the authoritative text
on IKEv2 right now.

Thanks,
Yaron
tsaitgaist
2011-02-25 10:01:42 UTC
Hi Yaron,

You're totally right. I made a lot of errors.
I also only looked at the wiki doc, which only talks about leftikeport,
but not the right side.
After posting, I searched the source for where rightikeport is.
I even found the dynamic socket plugin, which also handles the non-ESP
marker.
I sent to the mailing list far too soon. I will look deeper before asking
stupid questions.

Thanks for your help,
tsaitgaist
Post by Yaron Sheffer
Hi tsaitgaist,
you are referring to a 5-year old Internet draft, version -02
Thanks,
Yaron
Yang Su
2011-02-25 12:19:09 UTC
I am trying to understand the interaction between multicast/broadcast and IPsec
tunnel mode.

For the cases below, IPsec tunnel(s) are set up between gateway routers
(RA, RB, RC, RD). All the hosts in all the subnets have joined the same
multicast group. All the SAs are set up manually. The question is whether
multicast/broadcast work over IPsec tunnels.

Case-1:
--------

subnet1 -- RA ------ RB -- subnet2

With manual SA, multicast should be able to work for the above scenario, e.g.,
multicast packets from subnet1 can reach hosts in subnet2.


Case-2:
--------
                 RB -- subnet2
                /
               /
subnet1 -- RA --RC -- subnet3
               \
                \
                 RD -- subnet4

Multicast will never work for this setup.

Do you think my understanding makes sense, especially for case 2?

Thank you,
Yang Su