On Thu, 7 Feb 2019, Nick Howitt wrote:
> Can you clarify port usage? Does IPsec always have to be from udp:500 to udp:500, or can it be from high ports? Similarly, for NAT traffic, is it to/from udp:4500, or can the "from" be from high ports? (I know there is also ESP and AH.)
The IKE standard defines UDP port 500 and UDP port 4500 for IKE. IKEv2 allows skipping UDP 500 and initiating from UDP port 4500 without waiting on the outcome of NAT detection. Due to NAT, no assumption should be made about the source port of traffic, as a NAT router can modify the original port number to another port number.

ESP can be encapsulated over UDP port 4500. Again, the source port can be any port due to the NAT router. If both ends are behind NAT, one endpoint will have port forwarding enabled for UDP ports 500 and 4500.

AH was purposefully left out of the encapsulation RFC. Use ESP with null encryption if only integrity is to be used.

Note that RFC 8223 defines IKE and ESP over TCP as well. As this is to be used only when UDP 500/4500 is blocked, there is no way to negotiate the TCP port. It is assumed the port is preconfigured. The TCP stream uses a marker for IKE/ESP, which allows framing to be used. For example, TLS could be used over TCP port 443 to make the connection appear to be HTTPS. Note that TCP support is not yet present in libreswan. While we have code ready for this, we are waiting on the Linux ESPinTCP support to be released.

In theory, IKE and ESPinUDP could be preconfigured to use a different port. While the code tries not to assume 500/4500, there might still be some places where this is assumed. So currently, you most likely cannot configure IKE/ESP to run over a different UDP port, although the changes required to do this are likely very minimal.

Paul

_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
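The port and encapsulation conventions Paul describes (IKE on UDP 500, IKE and ESP sharing UDP 4500, the peer's source port being untrustworthy behind NAT) can be checked in code. The following classifier is an added example written for this thread; it is not libreswan code. It trusts only whichever end of a datagram sits on the well-known port, then uses the RFC 3948 rules to tell IKE, ESP-in-UDP and NAT keepalives apart on port 4500 (a leading four-zero-byte "non-ESP marker" means IKE; a single 0xFF byte is a keepalive; anything else with a non-zero SPI is ESP), and decodes the fixed 28-byte IKE header from RFC 7296. The sample datagrams at the bottom are constructed for illustration; the SPI and port values in them are arbitrary.

```python
"""Classify IKE / NAT-T datagrams by the port convention discussed in the thread.

Added example, not libreswan code. Header layouts follow RFC 7296 (IKE header)
and RFC 3948 (UDP encapsulation: non-ESP marker, NAT keepalive). All sample
packets below are constructed; SPIs and ports are made-up values.
"""
import struct

IKE_PORT = 500
NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948 s2.2: IKE carried inside UDP 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948 s2.3: one-octet keepalive
IKE_HEADER_LEN = 28                   # RFC 7296 s3.1 fixed header
IKE_FLAG_INITIATOR = 0x08


def parse_ike_header(data):
    """Decode the fixed IKE header; raise ValueError if it is truncated or inconsistent."""
    if len(data) < IKE_HEADER_LEN:
        raise ValueError("truncated IKE header")
    spi_i, spi_r, next_payload, version, exch_type, flags, msg_id, length = \
        struct.unpack("!QQBBBBII", data[:IKE_HEADER_LEN])
    if length != len(data):
        # Length field covers the whole message; a mismatch means truncation or junk.
        raise ValueError("IKE length field %d != datagram length %d" % (length, len(data)))
    return {
        "version": "%d.%d" % (version >> 4, version & 0x0F),  # 1.0 = IKEv1, 2.0 = IKEv2
        "exchange_type": exch_type,                           # 34 = IKE_SA_INIT in IKEv2
        "initiator": bool(flags & IKE_FLAG_INITIATOR),
        "message_id": msg_id,
        "spi_i": spi_i,
        "spi_r": spi_r,
        "next_payload": next_payload,
    }


def classify_datagram(src_port, dst_port, payload):
    """Return (kind, details) for one UDP datagram.

    Only the well-known port is trusted, and it may be on either side of the
    packet: a NAT can rewrite the other end's port, so the peer's port is never
    required to be 500/4500 (the point made in the thread).
    """
    try:
        if IKE_PORT in (src_port, dst_port):
            return ("ike", parse_ike_header(payload))
        if NAT_T_PORT in (src_port, dst_port):
            if payload == NAT_KEEPALIVE:
                return ("nat-keepalive", None)
            if payload.startswith(NON_ESP_MARKER):
                return ("ike-natt", parse_ike_header(payload[len(NON_ESP_MARKER):]))
            if len(payload) >= 8:
                spi, seq = struct.unpack("!II", payload[:8])
                if spi != 0:  # an ESP SPI of zero is reserved, so this is ESP-in-UDP
                    return ("esp-in-udp", {"spi": spi, "seq": seq})
            return ("malformed", None)
    except ValueError as err:
        return ("malformed", str(err))
    return ("unknown", None)


def sample_ike_sa_init():
    """Constructed IKEv2 IKE_SA_INIT request: header only, initiator flag set."""
    return struct.pack("!QQBBBBII",
                       0x1122334455667788,  # made-up initiator SPI
                       0,                   # responder SPI is zero in the first message
                       0,                   # next payload: none (header-only sample)
                       0x20,                # version 2.0
                       34,                  # IKE_SA_INIT
                       IKE_FLAG_INITIATOR,
                       0,                   # message ID
                       IKE_HEADER_LEN)


def sample_esp_in_udp():
    """Constructed ESP-in-UDP datagram: SPI, sequence number, opaque body."""
    return struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16


if __name__ == "__main__":
    # The initiator's port 52345 is a high port that a NAT may have chosen.
    samples = [
        (52345, IKE_PORT, sample_ike_sa_init()),
        (NAT_T_PORT, 61000, NON_ESP_MARKER + sample_ike_sa_init()),
        (NAT_T_PORT, 61000, NAT_KEEPALIVE),
        (61000, NAT_T_PORT, sample_esp_in_udp()),
        (NAT_T_PORT, 61000, NON_ESP_MARKER + b"\x01"),
        (53, 53, b"not ipsec"),
    ]
    for src, dst, pkt in samples:
        print(src, "->", dst, classify_datagram(src, dst, pkt))
```

A NAT-T-aware firewall or IDS rule written the way this classifier works (match the fixed 500/4500 end, inspect the marker on 4500) avoids the mistake of requiring both ports to be well-known, which silently drops NATed initiators.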
