See leftprotoport= and rightprotoport= described in the ipsec.conf man page
Sent from my iPhone

> On Nov 1, 2015, at 12:38, ChenHao <[email protected]> wrote:
>
> Hi All:
>
> /var/log/pluto.log writes:
> =========================
> | peer client is fd6f:d30:1bb6:b419::1
> | peer client protocol/port is 17/0
> | our client is fd1d:d30:1bb6:b419::1
> | our client protocol/port is 17/0
> "ip6.tun0" #113: the peer proposed: fd1d:d30:1bb6:b419::1/128:0/0 -> fd6f:d30:1bb6:b419::1/128:0/0
> | find_client_connection starting with ip6.tun0
> |   looking for fd1d:d30:1bb6:b419::1/128:17/0 -> fd6f:d30:1bb6:b419::1/128:17/0
>
> Because "0/0" is NOT "17/0", find_client_connection() returns NULL. As a result, quick_inI1_outR1_authtail() fails with "cannot respond to IPsec SA request because no connection is known for" and "sending encrypted notification INVALID_ID_INFORMATION to".
>
> Question: how to set local protocol to 17 (UDP) instead of 0?
>
> Corresponding source code:
> ==================
> quick_inI1_outR1_authtail()
> {
>     ……
>     libreswan_log("the peer proposed: %s:%d/%d -> %s:%d/%d",
>         s1, c->spd.this.protocol, c->spd.this.port,   <== "spd" is "struct spd_route"
>         d1, c->spd.that.protocol, c->spd.that.port);
>     ……
> }
>
> quick_inI1_outR1_authtail() calls find_client_connection()
>
> find_client_connection()
> {
>     ….
>     DBG_log("  looking for %s:%d/%d -> %s:%d/%d",
>         s1, our_protocol, our_port,
>         d1, peer_protocol, peer_port);
>     ….
>     if (samesubnet(&sr->this.client, our_net) &&
>         samesubnet(&sr->that.client, peer_net) &&
>         sr->this.protocol == our_protocol &&   <== Does NOT match. "sr" is "struct spd_route". As a result, failed.
>         (!sr->this.port ||
>          sr->this.port == our_port) &&
>         (sr->that.protocol == peer_protocol) &&
>         (!sr->that.port ||
>          sr->that.port == peer_port)) {
>         passert(oriented(*c));
>         if (routed(sr->routing))
>             return c;   <== We expect return here, but ….
>         unrouted = c;
>     }
>     ….
> }
>
> "spd.this.protocol" is same as "sr->this.protocol"
>
> _______________________________________________
> Swan mailing list
> [email protected]
> https://lists.libreswan.org/mailman/listinfo/swan
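The failing lookup in the quoted log is a selector mismatch: the peer proposes protocol/port 17/0 on both ends, while the local conn "ip6.tun0" was loaded with no protoport at all, so pluto's spd_route carries 0/0 and the `sr->this.protocol == our_protocol` test in find_client_connection() never succeeds. The ipsec.conf fragment below, an added illustration that is not from the original thread or from the libreswan project, shows the conn as it behaves in the log beside the same conn with the options the reply points at; the conn name and the two addresses come from the log, and authby= and auto= are assumptions made only to give a complete conn stanza. Only one of the two stanzas would actually be present in a real file.

```ini
# /etc/ipsec.conf fragment (added example, not from the original thread).
# Everything except the conn name, the two /128 addresses and the
# protoport values is an assumption made for illustration.

# Before: no protoport option, so the loaded spd_route has protocol/port
# 0/0 on both sides. The peer proposes 17/0 -> 17/0, the protocol test in
# find_client_connection() fails, and pluto answers INVALID_ID_INFORMATION.
conn ip6.tun0
    left=fd1d:d30:1bb6:b419::1
    right=fd6f:d30:1bb6:b419::1
    authby=secret
    auto=add

# After: restrict both ends to UDP (protocol 17), any port (0). This is the
# 17/0 -> 17/0 selector pair the log shows the peer proposing, so the
# samesubnet() and protocol/port checks all match and the conn is selected.
conn ip6.tun0
    left=fd1d:d30:1bb6:b419::1
    leftprotoport=17/0
    right=fd6f:d30:1bb6:b419::1
    rightprotoport=17/0
    authby=secret
    auto=add
```

After editing, reload the conn (for example with `ipsec auto --replace ip6.tun0`) and confirm with `ipsec status` that the listed selectors show 17/0 on both sides. Two details from the quoted code are worth keeping in mind: a port of 0 in the local conn is treated as a wildcard (`!sr->this.port || sr->this.port == our_port`), but the protocol is compared exactly, so there is no "any protocol" value that would have matched the peer's 17; and the same exact-match rule applies to the peer side, so rightprotoport= must state what the peer actually proposes, not merely something compatible with it.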
