RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1989050 - tcp-remoteport does not work
Summary: tcp-remoteport does not work
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: libreswan
Version: 8.5
Hardware: All
OS: Linux
Target Milestone: beta
: ---
Assignee: Daiki Ueno
QA Contact: Ondrej Moriš
Mirek Jahoda
Depends On:
TreeView+ depends on / blocked
Reported: 2021-08-02 10:03 UTC by Ondrej Moriš
Modified: 2023-01-16 17:48 UTC (History)
0 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
.IKE over TCP connections do not work on custom TCP ports The `tcp-remoteport` Libreswan configuration option does not work properly. Consequently, an IKE over TCP connection cannot be established when a scenario requires specifying a non-default TCP port.
Clone Of:
Last Closed: 2023-01-16 17:48:23 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-9230 0 None None None 2023-01-03 07:34:51 UTC
Red Hat Issue Tracker RHELPLAN-91836 0 None None None 2021-08-02 10:06:16 UTC

Description Ondrej Moriš 2021-08-02 10:03:46 UTC
Description of problem:

Since RHEL-8.4 (libreswan-4.3) IKE over TCP is supported. When a default TCP ports are used, it works. But libreswan also supports specifying custom TCP remote port (ephemeral port is used on local side) by using tcp-remoteport= option. Unfortunately, this option does not work, connection cannot be established.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:

0. Enable domain_can_mmap_files and nis_enabled selinux booleans.

1. Configure libreswan to use IKE over TCP:

version 2.0

config setup
conn test
 left=    # CLIENT
 right=  # SERVER
 tcp-remoteport=4300 # ONLY ON CLIENT

2. Start ipsec service and add 'test' connection on both sides:

# service ipsec start
# ipsec auto --add test

3. Initiate connection on client side:

# ipsec auto --up test

Actual results:

003 ERROR: "test" #1: TCP: connect(25) failed. Errno 111: Connection refused
002 "test" #1: deleting state (STATE_PARENT_I0) aged 0.00294s and NOT
sending notification
002 "test" #1: deleting IKE SA but connection is supposed to remain

Expected results:

Connection can be established and and 4300 port is used for IKE on the server side and ephemeral port on the client side.

Comment 1 Ondrej Moriš 2021-08-02 10:09:37 UTC
FYI, briefly discusses with upstream folks and this issue is also present in upstream and it looks like tcp-remoteport never worked and it might be removed in favour of {left,right}ikeport= options (used only for UDP now).

Comment 6 Ondrej Moriš 2023-01-16 17:48:23 UTC
It turns out that this is actually not a bug but rather a misconfiguration. One needs to use rightikeport=4300 on the opposite side of a connection to make tpc-remoteport=4300 work and with that it works already in libreswan-4.6 present in RHEL-9.0.

Note You need to log in before you can comment on or make changes to this bug.