1989050 – tcp-remoteport does not work

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1989050 - tcp-remoteport does not work

Summary: tcp-remoteport does not work

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	libreswan
Sub Component:
Version:	8.5
Hardware:	All
OS:	Linux
Priority:	low
Severity:	unspecified
Target Milestone:	beta
Target Release:	---
Assignee:	Daiki Ueno
QA Contact:	Ondrej Moriš
Docs Contact:	Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-08-02 10:03 UTC by Ondrej Moriš
Modified:	2023-01-16 17:48 UTC (History)
CC List:	0 users
Fixed In Version:
Doc Type:	Known Issue
Doc Text:	.IKE over TCP connections do not work on custom TCP ports The `tcp-remoteport` Libreswan configuration option does not work properly. Consequently, an IKE over TCP connection cannot be established when a scenario requires specifying a non-default TCP port.
Clone Of:
Environment:
Last Closed:	2023-01-16 17:48:23 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	CRYPTO-9230	0	None	None	None	2023-01-03 07:34:51 UTC
Red Hat Issue Tracker	RHELPLAN-91836	0	None	None	None	2021-08-02 10:06:16 UTC

Description Ondrej Moriš 2021-08-02 10:03:46 UTC

Description of problem:

Since RHEL-8.4 (libreswan-4.3) IKE over TCP is supported. When a default TCP ports are used, it works. But libreswan also supports specifying custom TCP remote port (ephemeral port is used on local side) by using tcp-remoteport= option. Unfortunately, this option does not work, connection cannot be established.

Version-Release number of selected component (if applicable):

libreswan-4.4-1.el8

How reproducible:

100%

Steps to Reproduce:

0. Enable domain_can_mmap_files and nis_enabled selinux booleans.

1. Configure libreswan to use IKE over TCP:

version 2.0

config setup
 plutodebug="all"
 logappend=no
 plutostderrlog="/tmp/pluto.log"
 listen-tcp=yes
 
conn test
 authby=secret
 left=10.0.138.68    # CLIENT
 right=10.0.137.172  # SERVER
 ikev2=insist
 enable-tcp=yes
 tcp-remoteport=4300 # ONLY ON CLIENT

2. Start ipsec service and add 'test' connection on both sides:

# service ipsec start
# ipsec auto --add test

3. Initiate connection on client side:

# ipsec auto --up test

Actual results:

003 ERROR: "test" #1: TCP: connect(25) failed. Errno 111: Connection refused
002 "test" #1: deleting state (STATE_PARENT_I0) aged 0.00294s and NOT
sending notification
002 "test" #1: deleting IKE SA but connection is supposed to remain
up; schedule EVENT_REVIVE_CONNS

Expected results:

Connection can be established and and 4300 port is used for IKE on the server side and ephemeral port on the client side.

Comment 1 Ondrej Moriš 2021-08-02 10:09:37 UTC

FYI, briefly discusses with upstream folks and this issue is also present in upstream and it looks like tcp-remoteport never worked and it might be removed in favour of {left,right}ikeport= options (used only for UDP now).

Comment 6 Ondrej Moriš 2023-01-16 17:48:23 UTC

It turns out that this is actually not a bug but rather a misconfiguration. One needs to use rightikeport=4300 on the opposite side of a connection to make tpc-remoteport=4300 work and with that it works already in libreswan-4.6 present in RHEL-9.0.

Note You need to log in before you can comment on or make changes to this bug.