Created attachment 12575
Sample of Endpoint 2's dump that shows the described behavior
Build Information:
Version 1.10.5 (SVNRev 54262 from /trunk-1.10)
Copyright 1998-2013 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GTK+ 2.24.14, with Cairo 1.10.2, with Pango 1.30.1, with
GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, without POSIX capabilities,
without libnl, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.1, without Python,
with GnuTLS 2.12.18, with Gcrypt 1.4.6, without Kerberos, with GeoIP, with
PortAudio V19-devel (built Dec 19 2013), with AirPcap.
Running on 64-bit Windows 7 Service Pack 1, build 7601, with WinPcap version
4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch
1_0_rel0b (20091008), GnuTLS 2.12.18, Gcrypt 1.4.6, without AirPcap.
Intel(R) Core(TM) i5-3320M CPU @ 2.60GHz, with 3959MB of physical
memory.
Built using Microsoft Visual C++ 10.0 build 40219
Wireshark is Open Source Software released under the GNU General Public
License.
Check the man page and http://www.wireshark.org for more information.
--
Hello,
I'm working at Ericsson's R&D in Croatia. During the work on one of our
projects we've noticed that IPsec IKEv2 packets, encapsulated in UDP for NAT
traversal, sometimes aren't properly dissected.
I have analysed the problem:
To enable NAT traversal, IPsec ESP and IKE traffic can be encapsulated into
UDP, on port 4500. Even though the UDP encapsulated packets should be sent with
source and destination ports set to 4500, the NAT box can change the source
port in this situation:
*------------*    *-----*                            *------------*
| Endpoint 1 |----| NAT |-------public network-------| Endpoint 2 |
*------------*    *-----*                            *------------*
Endpoint 1 sends packets with source and destination ports 4500.
NAT then changes the source port of the message to P1. Endpoint
2 receives the message and responds to the port P1, with source port set to
4500. NAT changes the destination port P1 of the response to port 4500, and
Endpoint 1 receives packets on 4500.
If we dump packets on Endpoint 1, they will have source and destination ports
4500, and Wireshark will be able to dissect these messages well. However,
Endpoint 2 will see ports P1 and 4500, and Wireshark will have problems with
correct dissection.
Currently, if the port P1 is lower than 4500, and Wireshark recognizes it, the
message won't be recognized as UDP encapsulated.
A sample of Endpoint 2's dump is provided in sample.pcap attachment.
RFC5996 states:
"2.23. NAT Traversal
It is a common practice of NATs to translate TCP and UDP
port numbers as well as addresses and use the port numbers
of inbound packets to decide which internal node should get
a given packet. For this reason, even though IKE packets
MUST be sent to and from UDP port 500 or 4500, they MUST be
accepted coming from any port and responses MUST be sent to
the port from whence they came. This is because the ports
may be modified as the packets pass through NATs."
I have inspected your code and tried to devise a solution. It seems to me that
the least destructive way to try to solve this problem in a clean way is to add
a heuristic dissector for UDP which will detect packets that have at least one
of the UDP ports set to 4500.
Of course, I don't know your architecture well, there might be a better way.
I have implemented that change, tested it with my examples and it works, but
only after enabling UDP heuristic dissectors in preferences.
I have pushed a commit to Gerrit: https://code.wireshark.org/review/#/c/295/1
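Added illustration (not part of the report, the Gerrit change, or Wireshark's source): a small Python model of the two dispatch strategies the report contrasts, run over constructed datagrams as Endpoint 2 would see them, with source port P1 (rewritten by the NAT) and destination port 4500. The port table, the port numbers, and the packets are assumptions made up for the example; the framing rules come from RFC 3948 (non-ESP marker, NAT-keepalive, ESP with non-zero SPI) and RFC 5996 (IKE header layout).

```python
"""Added example, not code from the bug report or from Wireshark.

Models the two dispatch strategies the report contrasts for a UDP datagram
seen at Endpoint 2 (ports P1 and 4500):

  1. port-table lookup that tries the lower-numbered port first, which
     hands the datagram to the wrong dissector when P1 < 4500 and P1 is
     a registered port;
  2. a heuristic that claims the datagram when either port is 4500 and the
     payload matches RFC 3948 UDP-encapsulation framing (NAT-keepalive,
     non-ESP marker + IKE header, or ESP with a non-zero SPI).

The port table and the sample datagrams are constructed for illustration.
"""
import struct

NAT_T_PORT = 4500
IKE_HEADER_LEN = 28                    # RFC 5996 section 3.1
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2

# Constructed toy port table standing in for Wireshark's UDP port registry.
PORT_TABLE = {53: "dns", 1812: "radius", 4500: "udpencap"}


def port_table_lookup(sport, dport):
    """Port-based dispatch: try the lower port first, then the higher one.
    With sport=P1 < 4500 and P1 registered, this returns P1's dissector."""
    for port in sorted((sport, dport)):
        if port in PORT_TABLE:
            return PORT_TABLE[port]
    return None


def classify_udpencap_payload(payload):
    """Return 'nat-keepalive', 'ike', 'esp', or None for a UDP payload that
    is supposed to be RFC 3948 UDP-encapsulated traffic."""
    # A single 0xFF byte is a NAT-keepalive (RFC 3948 section 2.3).
    if payload == b"\xff":
        return "nat-keepalive"
    if len(payload) < 4:
        return None
    if payload[:4] == NON_ESP_MARKER:
        # Zero "SPI" is the non-ESP marker; an IKE header must follow.
        hdr = payload[4:4 + IKE_HEADER_LEN]
        if len(hdr) < IKE_HEADER_LEN:
            return None
        (_spi_i, _spi_r, _next, version, _xchg,
         _flags, _msg_id, length) = struct.unpack("!QQBBBBII", hdr)
        major = version >> 4
        # Accept IKEv1 or IKEv2 only if the Length field covers the message.
        if major in (1, 2) and length >= IKE_HEADER_LEN \
                and length == len(payload) - 4:
            return "ike"
        return None
    # Non-zero SPI: UDP-encapsulated ESP (RFC 3948 section 2.1). Require at
    # least SPI(4) + sequence number(4) + pad length(1) + next header(1).
    if len(payload) >= 10:
        return "esp"
    return None


def heuristic_udpencap(sport, dport, payload):
    """The report's proposal: claim the datagram if either port is 4500 and
    the payload parses as UDP-encapsulated IKE/ESP; otherwise decline."""
    if NAT_T_PORT not in (sport, dport):
        return None
    return classify_udpencap_payload(payload)


def build_ike_sa_init_request(spi_i, msg_id=0):
    """Constructed IKEv2 IKE_SA_INIT request, header only (no payloads),
    with the RFC 3948 non-ESP marker prepended as sent on port 4500."""
    hdr = struct.pack("!QQBBBBII",
                      spi_i, 0,         # SPIi, SPIr (zero in the first request)
                      0,                # Next Payload: none (header only)
                      0x20,             # Version 2.0
                      34,               # Exchange Type: IKE_SA_INIT
                      0x08,             # Flags: Initiator
                      msg_id, IKE_HEADER_LEN)
    return NON_ESP_MARKER + hdr


def build_esp_datagram(spi, seq, ciphertext):
    """Constructed UDP-encapsulated ESP: SPI, sequence number, opaque data."""
    return struct.pack("!II", spi, seq) + ciphertext


# Constructed samples: source port P1 (rewritten by the NAT), destination 4500.
P1 = 1812
IKE_SAMPLE = build_ike_sa_init_request(spi_i=0x1122334455667788)
ESP_SAMPLE = build_esp_datagram(spi=0xC0FFEE01, seq=7, ciphertext=b"\xaa" * 32)
KEEPALIVE = b"\xff"


def compare(sport, dport, payload):
    """Return what each strategy would hand the datagram to."""
    return {"port_table": port_table_lookup(sport, dport),
            "heuristic": heuristic_udpencap(sport, dport, payload)}


if __name__ == "__main__":
    for name, pkt in (("IKE_SA_INIT", IKE_SAMPLE), ("ESP", ESP_SAMPLE),
                      ("keepalive", KEEPALIVE)):
        print(f"{name:12s} {P1}->4500: {compare(P1, NAT_T_PORT, pkt)}")
    # When the NAT picks a port above 4500, plain port lookup already works.
    print(f"IKE_SA_INIT  50000->4500: {compare(50000, NAT_T_PORT, IKE_SAMPLE)}")
```

With P1 = 1812 the port table picks "radius" for all three datagrams, while the heuristic returns "ike", "esp" and "nat-keepalive"; with P1 = 50000 both strategies agree. The heuristic declines datagrams that carry no port 4500 at all, and a zero marker without a full, length-consistent IKE header behind it, so it does not steal unrelated traffic that merely happens to start with four zero bytes.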