Description of problem:
Since RHEL-8.4 (libreswan-4.3) IKE over TCP is supported. When the default TCP ports are used, it works. But libreswan also supports specifying a custom TCP remote port (an ephemeral port is used on the local side) by using the tcp-remoteport= option. Unfortunately, this option does not work; the connection cannot be established.

Version-Release number of selected component (if applicable):
libreswan-4.4-1.el8

How reproducible:
100%

Steps to Reproduce:
0. Enable the domain_can_mmap_files and nis_enabled SELinux booleans.
1. Configure libreswan to use IKE over TCP:

version 2.0

config setup
    plutodebug="all"
    logappend=no
    plutostderrlog="/tmp/pluto.log"
    listen-tcp=yes

conn test
    authby=secret
    left=10.0.138.68     # CLIENT
    right=10.0.137.172   # SERVER
    ikev2=insist
    enable-tcp=yes
    tcp-remoteport=4300  # ONLY ON CLIENT

2. Start the ipsec service and add the 'test' connection on both sides:
# service ipsec start
# ipsec auto --add test

3. Initiate the connection on the client side:
# ipsec auto --up test

Actual results:
003 ERROR: "test" #1: TCP: connect(25) failed. Errno 111: Connection refused
002 "test" #1: deleting state (STATE_PARENT_I0) aged 0.00294s and NOT sending notification
002 "test" #1: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS

Expected results:
The connection can be established, port 4300 is used for IKE on the server side, and an ephemeral port is used on the client side.
FYI, I briefly discussed this with upstream folks, and this issue is also present upstream; it looks like tcp-remoteport never worked and it might be removed in favour of the {left,right}ikeport= options (used only for UDP now).
It turns out that this is actually not a bug but rather a misconfiguration. One needs to use rightikeport=4300 on the opposite side of the connection to make tcp-remoteport=4300 work, and with that it already works in libreswan-4.6 present in RHEL-9.0.
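For reference, the two conn sections below show the misconfiguration from the report beside the corrected pair described in the last comment. This is an added illustration, not configuration taken from the bug report or from the libreswan project; the addresses and the port 4300 are the ones in the report, and the placement of rightikeport=4300 in the server-side conn section follows the comment's statement that it belongs on the opposite side of the connection from tcp-remoteport=. The config setup section (listen-tcp=yes etc.) is unchanged from the report and is omitted here.

```ini
# --- AS REPORTED (does not work): client connects to TCP 4300,
#     but the server has no IKE port configured there, so it refuses.

# client: 10.0.138.68
conn test
    authby=secret
    left=10.0.138.68     # CLIENT
    right=10.0.137.172   # SERVER
    ikev2=insist
    enable-tcp=yes
    tcp-remoteport=4300  # connect to the server's TCP port 4300

# server: 10.0.137.172
conn test
    authby=secret
    left=10.0.138.68     # CLIENT
    right=10.0.137.172   # SERVER
    ikev2=insist
    enable-tcp=yes
    # nothing tells pluto to use port 4300 -> "Connection refused"

# --- CORRECTED (per the closing comment): the server side also sets
#     rightikeport=4300 so its own IKE port matches tcp-remoteport=.

# client: 10.0.138.68
conn test
    authby=secret
    left=10.0.138.68     # CLIENT
    right=10.0.137.172   # SERVER
    ikev2=insist
    enable-tcp=yes
    tcp-remoteport=4300  # ONLY ON CLIENT

# server: 10.0.137.172
conn test
    authby=secret
    left=10.0.138.68     # CLIENT
    right=10.0.137.172   # SERVER
    ikev2=insist
    enable-tcp=yes
    rightikeport=4300    # ONLY ON SERVER (right = this host)
```

After `ipsec auto --add test` on the server, a quick sanity check is to confirm that pluto is actually listening on TCP 4300 (for example with `ss -tlnp`) before retrying `ipsec auto --up test` on the client; if nothing listens there, the client will keep getting Errno 111 regardless of the tcp-remoteport= setting.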