FreeBSD 11.1-RELEASE
ipsec-tools 0.8.2_2

My SPD:

# setkey -DP
1.2.3.4[1701] 0.0.0.0/0[any] udp
        in ipsec
        esp/transport//require
        spid=25 seq=1 pid=32733 scope=global
        refcnt=1
0.0.0.0/0[any] 1.2.3.4[1701] udp
        out ipsec
        esp/transport//require
        spid=26 seq=0 pid=32733 scope=global
        refcnt=1

When I send outbound traffic to 1.2.3.4 UDP port 1701, racoon is notified, but attempts to initiate phase 1 to UDP port 1701!

Sep 5 12:06:09 <daemon.info> roo racoon: INFO: IPsec-SA request for 1.2.3.4 queued due to no phase1 found.
Sep 5 12:06:09 <daemon.info> roo racoon: INFO: initiate new phase 1 negotiation: 197.215.183.141[500]<=>1.2.3.4[1701]
Sep 5 12:06:09 <daemon.info> roo racoon: INFO: begin Aggressive mode.
Sep 5 12:06:41 <daemon.info> roo racoon: [1.2.3.4] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.2.3.4[1701]->197.215.183.141[0]
Sep 5 12:06:41 <daemon.info> roo racoon: INFO: delete phase 2 handler.
Sep 5 12:06:59 <daemon.info> roo racoon: ERROR: phase1 negotiation failed due to time up. 189c35dfee4f4eac:0000000000000000

If I remove the port specifier from my SPD, then racoon behaves normally (uses port 500).
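A diagnostic sketch for the symptom in the report above, added here as an example and not part of the bug thread or of ipsec-tools: it scans racoon log lines for phase 1 initiations aimed at a port other than 500/4500 and checks whether that port is one named by an SPD selector for the same peer. The function names and the IKE_PORTS set are assumptions; the second sample log line is constructed.

```python
import re

IKE_PORTS = {500, 4500}  # IKE and NAT-T ports; an assumption of this check
# racoon log line: "initiate new phase 1 negotiation: local[port]<=>remote[port]"
PHASE1_RE = re.compile(
    r"initiate new phase 1 negotiation: (\S+?)\[(\d+)\]<=>(\S+?)\[(\d+)\]")
# First line of a `setkey -DP` entry: "src[port] dst[port] proto"
SPD_RE = re.compile(r"^(\S+?)\[(\w+)\]\s+(\S+?)\[(\w+)\]\s+\w+\s*$")

# SPD and first log line are taken from the report; the second log line is constructed.
SAMPLE_SPD = """\
1.2.3.4[1701] 0.0.0.0/0[any] udp
\tin ipsec
0.0.0.0/0[any] 1.2.3.4[1701] udp
\tout ipsec
"""
SAMPLE_LOG = [
    "Sep 5 12:06:09 <daemon.info> roo racoon: INFO: initiate new phase 1 negotiation: 197.215.183.141[500]<=>1.2.3.4[1701]",
    "Sep 5 12:07:00 <daemon.info> roo racoon: INFO: initiate new phase 1 negotiation: 192.0.2.10[500]<=>198.51.100.7[500]",
]


def spd_port_selectors(setkey_dp):
    """Map each SPD address to the set of numeric ports its selectors name."""
    ports = {}
    for line in setkey_dp.splitlines():
        m = SPD_RE.match(line)
        for addr, port in ((m[1], m[2]), (m[3], m[4])) if m else ():
            if port.isdigit():  # skip the "any" wildcard
                ports.setdefault(addr, set()).add(int(port))
    return ports


def misdirected_phase1(log_lines, setkey_dp):
    """Return phase 1 initiations whose remote port is not an IKE port."""
    selectors = spd_port_selectors(setkey_dp)
    findings = []
    for line in log_lines:
        m = PHASE1_RE.search(line)
        if m and int(m[4]) not in IKE_PORTS:
            remote, rport = m[3], int(m[4])
            findings.append({"remote": remote, "port": rport,
                             "from_spd_selector": rport in selectors.get(remote, set())})
    return findings


if __name__ == "__main__":
    for finding in misdirected_phase1(SAMPLE_LOG, SAMPLE_SPD):
        print(finding)
```

A finding with `from_spd_selector` set to true matches the behaviour reported here: the phase 1 destination port was taken from the policy's port selector instead of the IKE port.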
Let's see, maybe ae@ has something to say on this.
The problem in this bug report may be the same as described in https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192774#c4
Created attachment 192849: proposed fix

Dear submitter, please save the attached patch as /usr/ports/security/ipsec-tools/patch-isakmpinit and rebuild and reinstall the port to see if it solves your problem.
(In reply to Eugene Grosbein from comment #3)

Sorry, correct patch should be /usr/ports/security/ipsec-tools/files/patch-isakmpinit
I can report that your proposed fix patch-isakmpinit works correctly in the situation I have described in Bug 192774. If this patch is committed, I will use it instead of my simple workaround in pfkey.c.
A commit references this bug:

Author: eugen
Date: Sun Apr 29 10:00:02 UTC 2018
New revision: 468617
URL: https://svnweb.freebsd.org/changeset/ports/468617

Log:
  Fix phase 1 initiation in the racoon daemon after base system change r285204

  PR: 192774, 222065
  Submitted by: Andreas Longwitz <longwitz@incore.de>
  Approved by: VANHULLEBUS Yvan (maintainer, implicitly)

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/patch-isakmpinit