
Bug 1989050

Summary: tcp-remoteport does not work
Product: Red Hat Enterprise Linux 8
Reporter: Ondrej Moriš <omoris>
Component: libreswan
Assignee: Daiki Ueno <dueno>
Status: CLOSED NOTABUG
QA Contact: Ondrej Moriš <omoris>
Severity: unspecified
Docs Contact: Mirek Jahoda <mjahoda>
Priority: low
Version: 8.5
Keywords: Triaged
Target Milestone: beta
Flags: pm-rhel: mirror+
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Known Issue
Doc Text:
IKE over TCP connections do not work on custom TCP ports
The `tcp-remoteport` Libreswan configuration option does not work properly. Consequently, an IKE over TCP connection cannot be established when a scenario requires specifying a non-default TCP port.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-01-16 17:48:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Ondrej Moriš 2021-08-02 10:03:46 UTC
Description of problem:

Since RHEL-8.4 (libreswan-4.3) IKE over TCP is supported. When the default TCP ports are used, it works. But libreswan also supports specifying a custom TCP remote port (an ephemeral port is used on the local side) by using the tcp-remoteport= option. Unfortunately, this option does not work; the connection cannot be established.

Version-Release number of selected component (if applicable):

libreswan-4.4-1.el8

How reproducible:

100%

Steps to Reproduce:

0. Enable the domain_can_mmap_files and nis_enabled SELinux booleans.

1. Configure libreswan to use IKE over TCP:

version 2.0

config setup
 plutodebug="all"
 logappend=no
 plutostderrlog="/tmp/pluto.log"
 listen-tcp=yes
 
conn test
 authby=secret
 left=10.0.138.68    # CLIENT
 right=10.0.137.172  # SERVER
 ikev2=insist
 enable-tcp=yes
 tcp-remoteport=4300 # ONLY ON CLIENT

2. Start ipsec service and add 'test' connection on both sides:

# service ipsec start
# ipsec auto --add test

3. Initiate connection on client side:

# ipsec auto --up test

Actual results:

003 ERROR: "test" #1: TCP: connect(25) failed. Errno 111: Connection refused
002 "test" #1: deleting state (STATE_PARENT_I0) aged 0.00294s and NOT sending notification
002 "test" #1: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS

Expected results:

Connection can be established, port 4300 is used for IKE on the server side, and an ephemeral port on the client side.

Comment 1 Ondrej Moriš 2021-08-02 10:09:37 UTC
FYI, briefly discussed with upstream folks; this issue is also present upstream, and it looks like tcp-remoteport never worked and might be removed in favour of the {left,right}ikeport= options (used only for UDP now).

Comment 6 Ondrej Moriš 2023-01-16 17:48:23 UTC
It turns out that this is actually not a bug but rather a misconfiguration. One needs to use rightikeport=4300 on the opposite side of the connection to make tcp-remoteport=4300 work, and with that it works already in libreswan-4.6 present in RHEL-9.0.
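The resolution in Comment 6, written out as the two ipsec.conf files side by side. This is an added example, not configuration taken from the bug report or from the Libreswan project. It reuses the reporter's addresses, connection name and authby=secret setting, and it assumes (following Comment 6, not verified against the Libreswan source here) that rightikeport=4300 on the responder is what makes pluto accept IKE on TCP port 4300 there, while the initiator's tcp-remoteport=4300 only chooses the port it dials and its local port stays ephemeral.

```ini
# --- Client 10.0.138.68 (initiator) : /etc/ipsec.conf -----------------------
# This side is unchanged from the report: tcp-remoteport= names the port to
# connect to on the peer; nothing here opens a listener on 4300.
config setup
    listen-tcp=yes

conn test
    authby=secret
    left=10.0.138.68     # CLIENT
    right=10.0.137.172   # SERVER
    ikev2=insist
    enable-tcp=yes
    tcp-remoteport=4300  # dial TCP 4300 on the server; local port stays ephemeral

# --- Server 10.0.137.172 (responder) : /etc/ipsec.conf ----------------------
# The original report had only listen-tcp=yes here, so pluto never owned
# port 4300 and the client's connect() got ECONNREFUSED (errno 111).
# Per Comment 6 the missing piece is an ikeport= for the server's own end;
# with left/right written identically on both hosts, the server is "right".
config setup
    listen-tcp=yes

conn test
    authby=secret
    left=10.0.138.68     # CLIENT
    right=10.0.137.172   # SERVER (this host)
    rightikeport=4300    # assumption: binds pluto's IKE listener on 4300 here
    ikev2=insist
    enable-tcp=yes
```

Both hosts still need a matching PSK line for the 10.0.138.68/10.0.137.172 pair in ipsec.secrets, as in the original report. After `ipsec auto --add test` on the server, check with `ss -tlnp` that pluto is listening on TCP port 4300 before initiating from the client; if no such listener appears, the responder side has not picked up the port and the client will keep seeing the "Connection refused" error from the report.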