Bug 1989050

Summary: tcp-remoteport does not work
Product: Red Hat Enterprise Linux 8
Reporter: Ondrej Moriš <omoris>
Component: libreswan
Assignee: Daiki Ueno <dueno>
Status: CLOSED NOTABUG
QA Contact: Ondrej Moriš <omoris>
Severity: unspecified
Docs Contact: Mirek Jahoda <mjahoda>
Priority: low
Version: 8.5
Keywords: Triaged
Target Milestone: beta
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Known Issue
Doc Text:
IKE over TCP connections do not work on custom TCP ports
The `tcp-remoteport` Libreswan configuration option does not work properly. Consequently, an IKE over TCP connection cannot be established when a scenario requires specifying a non-default TCP port.
Story Points: ---
Last Closed: 2023-01-16 17:48:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Ondrej Moriš 2021-08-02 10:03:46 UTC
Description of problem:

Since RHEL-8.4 (libreswan-4.3), IKE over TCP is supported. When the default TCP ports are used, it works. But libreswan also supports specifying a custom TCP remote port (an ephemeral port is used on the local side) by using the tcp-remoteport= option. Unfortunately, this option does not work; the connection cannot be established.

Version-Release number of selected component (if applicable):

libreswan-4.4-1.el8

How reproducible:

100%

Steps to Reproduce:

0. Enable the domain_can_mmap_files and nis_enabled SELinux booleans.

1. Configure libreswan to use IKE over TCP:

version 2.0

config setup
 plutodebug="all"
 logappend=no
 plutostderrlog="/tmp/pluto.log"
 listen-tcp=yes
 
conn test
 authby=secret
 left=10.0.138.68    # CLIENT
 right=10.0.137.172  # SERVER
 ikev2=insist
 enable-tcp=yes
 tcp-remoteport=4300 # ONLY ON CLIENT

2. Start ipsec service and add 'test' connection on both sides:

# service ipsec start
# ipsec auto --add test

3. Initiate connection on client side:

# ipsec auto --up test

Actual results:

003 ERROR: "test" #1: TCP: connect(25) failed. Errno 111: Connection refused
002 "test" #1: deleting state (STATE_PARENT_I0) aged 0.00294s and NOT sending notification
002 "test" #1: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS

Expected results:

Connection can be established, port 4300 is used for IKE on the server side and an ephemeral port on the client side.

Comment 1 Ondrej Moriš 2021-08-02 10:09:37 UTC
FYI, I briefly discussed this with upstream folks, and this issue is also present in upstream; it looks like tcp-remoteport never worked and it might be removed in favour of the {left,right}ikeport= options (used only for UDP now).

Comment 6 Ondrej Moriš 2023-01-16 17:48:23 UTC
It turns out that this is actually not a bug but rather a misconfiguration. One needs to use rightikeport=4300 on the opposite side of the connection to make tcp-remoteport=4300 work, and with that it already works in libreswan-4.6 present in RHEL-9.0.
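As an added example (not part of the report and not libreswan code), a small Python check that parses two ipsec.conf-style snippets and applies the rule from Comment 6: when the initiator's conn sets tcp-remoteport=N, the responder's conn must set rightikeport=N and its config setup must have listen-tcp=yes. The sample configs are constructed from the report, and the check assumes both sides use the same left/right layout (right=SERVER) as the report does.

```python
import re
from typing import Dict, List

# Constructed sample configs modelled on the report: the client sets
# tcp-remoteport=4300; the "broken" server omits the matching rightikeport.
CLIENT_CONF = """
version 2.0
config setup
 listen-tcp=yes
conn test
 authby=secret
 left=10.0.138.68    # CLIENT
 right=10.0.137.172  # SERVER
 ikev2=insist
 enable-tcp=yes
 tcp-remoteport=4300 # ONLY ON CLIENT
"""
SERVER_CONF_BROKEN = CLIENT_CONF.replace(" tcp-remoteport=4300 # ONLY ON CLIENT\n", "")
SERVER_CONF_FIXED = SERVER_CONF_BROKEN.replace(" enable-tcp=yes\n", " enable-tcp=yes\n rightikeport=4300\n")

def parse_sections(text: str) -> Dict[str, Dict[str, str]]:
    """Parse ipsec.conf-style text into {section: {key: value}}.
    'config setup' is stored under 'setup', 'conn X' under 'X'."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop inline comments
        if not line.strip():
            continue
        if not line[0].isspace() and "=" not in line:
            parts = line.split()                # "conn test" / "config setup"
            if parts[0] == "version":
                continue                        # file format marker, not a section
            current = sections.setdefault(parts[-1], {})
            continue
        key, _, value = line.strip().partition("=")
        current[key.strip()] = value.strip().strip('"')
    return sections

def check_tcp_port_pairing(initiator: str, responder: str, conn: str) -> List[str]:
    """Rule from Comment 6 (assumption: responder is 'right' on both sides):
    initiator tcp-remoteport=N requires responder rightikeport=N plus
    listen-tcp=yes. Returns a list of problems; empty means consistent."""
    ini = parse_sections(initiator)
    res = parse_sections(responder)
    port = ini.get(conn, {}).get("tcp-remoteport")
    problems: List[str] = []
    if port is None:
        return problems                          # default TCP port; nothing to pair
    if res.get("setup", {}).get("listen-tcp") != "yes":
        problems.append("responder: listen-tcp=yes missing from config setup")
    got = res.get(conn, {}).get("rightikeport", "unset")
    if got != port:
        problems.append(f"responder: rightikeport should be {port}, got {got}")
    return problems
```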