git.ipfire.org Git - thirdparty/strongswan.git/commit
ike-natd: Float to the NAT-T port early when not connecting to port 500
author: michael-dev <michael-dev@fami-braun.de>
Mon, 10 Feb 2025 12:36:34 +0000 (13:36 +0100)
committer: Tobias Brunner <tobias@strongswan.org>
Fri, 28 Feb 2025 15:25:32 +0000 (16:25 +0100)
commit: bff500dfd0ec75d3b336cd69b3040001f215569a
tree: 30dad0fdfd4c0b061898de4fadc18561451da221
parent: 882b19c1df04c3cf1fbdcf319aa53e1450c2d019
ike-natd: Float to the NAT-T port early when not connecting to port 500

When using port 4500 for IKE_SA_INIT, Windows Server 2016, 2025 and
possibly others send back all packets to the port initially used by the
client, not the one floated to before sending IKE_AUTH. So if UDP
encapsulation is used, no traffic can be received as the initial socket
can't have UDP decapsulation enabled.

tcpdump output:
```
IP <client-ip>.47547 > <server-ip>.4500: UDP-encap: ESP(spi=0xfd4e5fc2,seq=...)
IP <server-ip>.4500 > <client-ip>.57962: UDP-encap: ESP(spi=0xccc5e213,seq=...)
```

Avoid this by floating early if a non-default destination port is used.
This also ensures we don't send packets from port 500 (without non-ESP
marker) if ephemeral source ports are not used.

Closes strongswan/strongswan#2664

Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
Co-authored-by: Tobias Brunner <tobias@strongswan.org>
src/libcharon/sa/ikev2/tasks/ike_natd.c
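The following Python model is an added illustration of the exchange the commit message describes; it is not code from strongSwan or from this commit. It assumes an initiator with two UDP sockets (a plain IKE socket without UDP decapsulation and a NAT-T socket with it, as charon has), a responder that pins every reply, ESP included, to the source port of the first packet it saw (the behaviour reported above for Windows Server; a second "latest" policy stands in for a responder that follows the most recent IKE message), and the port numbers 57962 and 47547 are taken from the commit's tcpdump lines as sample values. The `float_early` flag models the fix: floating to the NAT-T socket before IKE_SA_INIT whenever the destination port is not 500, instead of just before IKE_AUTH. The simplification that the pre-fix initiator always floats before IKE_AUTH (NAT detected, or NAT-T framing in use) is an assumption of the model.

```python
"""Model of IKEv2 NAT-T port floating against a responder that keeps replying
to the initiator port it saw first. Added illustration, not strongSwan code.
Ports 57962 and 47547 are constructed sample values from the commit's tcpdump."""

from dataclasses import dataclass, field

IKE_PORT = 500       # default IKE port; the plain socket has no UDP decapsulation
NAT_T_PORT = 4500    # NAT-T port; this socket has UDP_ENCAP set for ESP-in-UDP


@dataclass
class Packet:
    src_port: int
    dst_port: int
    kind: str               # "IKE_SA_INIT", "IKE_AUTH" or "ESP"
    non_esp_marker: bool    # RFC 3948 four zero bytes in front of IKE on NAT-T port


@dataclass
class UdpSocket:
    port: int
    udp_decap: bool         # True only on the NAT-T socket
    inbox: list = field(default_factory=list)


class Initiator:
    """Two sockets like charon: a plain IKE socket and a NAT-T socket."""

    def __init__(self, ike_port, natt_port, dst_port, float_early):
        self.ike_sock = UdpSocket(ike_port, udp_decap=False)
        self.natt_sock = UdpSocket(natt_port, udp_decap=True)
        self.dst_port = dst_port
        self.float_early = float_early   # the commit's fix, assumed flag name
        self.floated = False

    def _send(self, kind):
        sock = self.natt_sock if self.floated else self.ike_sock
        # Floating from the default port also moves the destination to 4500.
        dst = NAT_T_PORT if self.floated and self.dst_port == IKE_PORT else self.dst_port
        # Only traffic leaving the NAT-T socket carries the non-ESP marker.
        return Packet(sock.port, dst, kind, non_esp_marker=self.floated)

    def ike_sa_init(self):
        # Fix: a non-default destination port means NAT-T framing is in use,
        # so float before the first message instead of waiting for NAT detection.
        if self.float_early and self.dst_port != IKE_PORT:
            self.floated = True
        return self._send("IKE_SA_INIT")

    def ike_auth(self):
        # Pre-fix behaviour: float only now, just before IKE_AUTH (assumes
        # IKE_SA_INIT called for floating, as in the reported scenario).
        self.floated = True
        return self._send("IKE_AUTH")

    def deliver(self, pkt):
        """Hand an inbound packet to the socket that owns its destination port."""
        for sock in (self.ike_sock, self.natt_sock):
            if sock.port == pkt.dst_port:
                sock.inbox.append(pkt)
                return sock
        return None


class Responder:
    """policy="first": every reply, ESP included, goes to the initiator port seen
    in the first packet of the IKE SA (behaviour the commit reports for Windows).
    policy="latest": replies follow the port of the most recent IKE message."""

    def __init__(self, policy):
        self.policy = policy
        self.first_port = None
        self.latest_port = None
        self.local_port = None

    def receive(self, pkt):
        if self.first_port is None:
            self.first_port = pkt.src_port
        self.latest_port = pkt.src_port
        self.local_port = pkt.dst_port

    def reply_port(self):
        return self.first_port if self.policy == "first" else self.latest_port

    def reply(self, kind):
        src = NAT_T_PORT if kind == "ESP" else self.local_port
        marker = kind != "ESP" and src == NAT_T_PORT
        return Packet(src, self.reply_port(), kind, non_esp_marker=marker)


def scenario(dst_port, float_early, policy="first",
             ike_port=IKE_PORT, natt_port=NAT_T_PORT):
    """Run IKE_SA_INIT, IKE_AUTH and the first inbound ESP-in-UDP packet."""
    ini = Initiator(ike_port, natt_port, dst_port, float_early)
    rsp = Responder(policy)
    first = ini.ike_sa_init()
    rsp.receive(first)
    ini.deliver(rsp.reply("IKE_SA_INIT"))
    rsp.receive(ini.ike_auth())
    ini.deliver(rsp.reply("IKE_AUTH"))
    esp_sock = ini.deliver(rsp.reply("ESP"))
    return {
        "init_src_port": first.src_port,
        "init_has_marker": first.non_esp_marker,
        "esp_to_port": rsp.reply_port(),
        # ESP is only usable if it lands on the socket with UDP decapsulation.
        "esp_decapsulated": esp_sock is not None and esp_sock.udp_decap,
    }


if __name__ == "__main__":
    cases = [
        ("ephemeral ports, late float", dict(dst_port=4500, float_early=False,
                                             ike_port=57962, natt_port=47547)),
        ("ephemeral ports, early float", dict(dst_port=4500, float_early=True,
                                              ike_port=57962, natt_port=47547)),
        ("fixed 500/4500, late float", dict(dst_port=4500, float_early=False)),
        ("fixed 500/4500, early float", dict(dst_port=4500, float_early=True)),
        ("default port 500, standard responder", dict(dst_port=500, float_early=True,
                                                      policy="latest")),
    ]
    for label, kwargs in cases:
        print(f"{label:38s} {scenario(**kwargs)}")
```

The first two cases reproduce the tcpdump lines in the message: with late floating the responder's ESP goes back to 57962, the socket without decapsulation, and is lost; with early floating the whole SA lives on 47547 from the start. The fixed-port cases show the second point of the message, that IKE_SA_INIT no longer leaves port 500 without a non-ESP marker when the destination is 4500, while the last case confirms the default port-500 path is unchanged.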