Bug 222065

Summary: security/ipsec-tools: racoon initiates phase 1 to wrong port
Product: Ports & Packages Reporter: Aragon Gouveia <aragon>
Component: Individual Port(s)    Assignee: VANHULLEBUS Yvan <vanhu>
Status: Closed FIXED    
Severity: Affects Only Me CC: ae, eugen, longwitz, net
Priority: --- Flags: bugzilla: maintainer-feedback? (vanhu)
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
  proposed fix (Flags: none)

Description Aragon Gouveia 2017-09-05 10:10:44 UTC
FreeBSD 11.1-RELEASE

ipsec-tools 0.8.2_2

My SPD:

# setkey -DP
1.2.3.4[1701] 0.0.0.0/0[any] udp
        in ipsec
        esp/transport//require
        spid=25 seq=1 pid=32733 scope=global 
        refcnt=1
0.0.0.0/0[any] 1.2.3.4[1701] udp
        out ipsec
        esp/transport//require
        spid=26 seq=0 pid=32733 scope=global 
        refcnt=1

When I send outbound traffic to 1.2.3.4 UDP port 1701, racoon is notified, but attempts to initiate phase 1 to UDP port 1701!

Sep  5 12:06:09 <daemon.info> roo racoon: INFO: IPsec-SA request for 1.2.3.4 queued due to no phase1 found.
Sep  5 12:06:09 <daemon.info> roo racoon: INFO: initiate new phase 1 negotiation: 197.215.183.141[500]<=>1.2.3.4[1701]
Sep  5 12:06:09 <daemon.info> roo racoon: INFO: begin Aggressive mode.
Sep  5 12:06:41 <daemon.info> roo racoon: [1.2.3.4] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 1.2.3.4[1701]->197.215.183.141[0] 
Sep  5 12:06:41 <daemon.info> roo racoon: INFO: delete phase 2 handler.
Sep  5 12:06:59 <daemon.info> roo racoon: ERROR: phase1 negotiation failed due to time up. 189c35dfee4f4eac:0000000000000000

If I remove the port specifier from my SPD, then racoon behaves normally (uses port 500).
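One way to spot the symptom described above in racoon's own logs, as an added example that is not part of this bug report or of the ipsec-tools code: it parses the "initiate new phase 1 negotiation" lines and flags any peer port other than the IKE ports 500 (ISAKMP) and 4500 (NAT-T). The sample log is constructed from the lines quoted above plus one hypothetical normal negotiation.

```python
import re

# Ports on which IKE phase 1 is legitimately initiated: ISAKMP (500) and NAT-T (4500).
IKE_PORTS = {500, 4500}

# Matches racoon's "initiate new phase 1 negotiation: local[port]<=>peer[port]" lines
# (IPv4 or IPv6 literals in either position).
PHASE1_RE = re.compile(
    r"initiate new phase 1 negotiation: "
    r"(?P<local>[0-9a-fA-F:.]+)\[(?P<lport>\d+)\]<=>"
    r"(?P<peer>[0-9a-fA-F:.]+)\[(?P<pport>\d+)\]"
)


def find_misdirected_phase1(log_lines):
    """Return (peer, port) pairs for every phase 1 attempt sent to a non-IKE port."""
    hits = []
    for line in log_lines:
        m = PHASE1_RE.search(line)
        if not m:
            continue
        pport = int(m.group("pport"))
        if pport not in IKE_PORTS:
            hits.append((m.group("peer"), pport))
    return hits


# Constructed sample: the report's lines plus one hypothetical healthy negotiation
# to 5.6.7.8 on port 500, which must not be flagged.
SAMPLE_LOG = """\
Sep  5 12:06:09 <daemon.info> roo racoon: INFO: IPsec-SA request for 1.2.3.4 queued due to no phase1 found.
Sep  5 12:06:09 <daemon.info> roo racoon: INFO: initiate new phase 1 negotiation: 197.215.183.141[500]<=>1.2.3.4[1701]
Sep  5 12:06:09 <daemon.info> roo racoon: INFO: begin Aggressive mode.
Sep  5 12:07:30 <daemon.info> roo racoon: INFO: initiate new phase 1 negotiation: 197.215.183.141[500]<=>5.6.7.8[500]
""".splitlines()

if __name__ == "__main__":
    for peer, port in find_misdirected_phase1(SAMPLE_LOG):
        print(f"phase 1 sent to {peer} port {port}: expected 500 or 4500 (see this PR)")
```

Running it against a live racoon log (e.g. piped from syslog) reports the same misdirected initiation the description shows, while correctly addressed negotiations stay silent.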
Comment 1 Eugene Grosbein freebsd_committer freebsd_triage 2018-04-14 12:27:52 UTC
Let's see maybe ae@ has something to say on this.
Comment 2 longwitz 2018-04-27 14:43:45 UTC
The problem in this bug report may be the same as described in
   https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192774#c4
Comment 3 Eugene Grosbein freebsd_committer freebsd_triage 2018-04-27 15:42:00 UTC
Created attachment 192849 [details]
proposed fix

Dear submitter, please save attached patch as /usr/ports/security/ipsec-tools/patch-isakmpinit and rebuild and reinstall the port to see if it solves your problem.
Comment 4 Eugene Grosbein freebsd_committer freebsd_triage 2018-04-27 16:08:52 UTC
(In reply to Eugene Grosbein from comment #3)

Sorry, the correct patch path should be /usr/ports/security/ipsec-tools/files/patch-isakmpinit
Comment 5 longwitz 2018-04-27 22:22:36 UTC
I can report that your proposed fix patch-isakmpinit works correctly in the situation I have described in Bug 192774. If this patch is committed, I will use it instead of my simple workaround in pfkey.c.
Comment 6 commit-hook freebsd_committer freebsd_triage 2018-04-29 10:00:37 UTC
A commit references this bug:

Author: eugen
Date: Sun Apr 29 10:00:02 UTC 2018
New revision: 468617
URL: https://svnweb.freebsd.org/changeset/ports/468617

Log:
  Fix phase 1 initiation in the racoon daemon after base system change r285204

  PR:		192774, 222065
  Submitted by:	Andreas Longwitz <longwitz@incore.de>
  Approved by:	VANHULLEBUS Yvan (maintainer, implicitly)

Changes:
  head/security/ipsec-tools/Makefile
  head/security/ipsec-tools/files/patch-isakmpinit