opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

Add local_port and remote_port to VPN: IPsec: Connections [new] #6818

Closed Monviech closed 1 year ago

Monviech commented 1 year ago

Is your feature request related to a problem? Please describe.

It's for specific situations where UDP 500 for NAT detection in IKEv2 fails. Example: OPNsense is behind a router which NATs. This other router also has an IPSec daemon listening on port UDP 500. The IKE response will always be caught by the router in front of the OPNsense. So Phase 1 will fail because the IKE response packet won't be received by the OPNsense.

Describe the solution you like

I would like local_port and remote_port added to "VPN: IPsec: Connections [new]" in "General settings" of a "Connection" when "advanced mode" is enabled.

If both are set to 4500, the IKE_SA_INIT request will be sent from UDP 4500 to UDP 4500 right away.

https://docs.strongswan.org/docs/5.9/swanctl/swanctlConf.html#_connections

.local_port
.remote_port

https://docs.strongswan.org/docs/5.9/features/natTraversal.html#_custom_server_ports

Thank you very much for reading and considering this feature request.

Describe alternatives you considered

Using IPv6. Sadly it's not always a choice.

Additional context

Here are swanctl connections with the default port and with local/remote port set to 4500:

Default Port (500)

```
[IKE] initiating IKE_SA site5-to-opn01[135] to 91.XXX.XXX.XXX
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 10.169.172.207[500] to 91.XXX.XXX.XXX[500] (464 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[500] to 10.169.172.207[500] (472 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] remote host is behind NAT
[IKE] authentication of 'site5.example.com' (myself) with pre-shared key
[IKE] establishing CHILD_SA site5{1069}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 10.169.172.207[4500] to 91.XXX.XXX.XXX[4500] (384 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[4500] to 10.169.172.207[4500] (352 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
[IKE] authentication of 'opn01.example.com' with pre-shared key successful
[IKE] IKE_SA site5-to-opn01[135] established between 10.169.172.207[site5.example.com]...91.XXX.XXX.XXX[opn01.example.com]
[IKE] scheduling rekeying in 1957s
[IKE] maximum IKE_SA lifetime 2157s
[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA site5{1069} established with SPIs c497a2f3_i c6a4e593_o and TS 192.168.208.5/32 === 192.168.100.210/32
initiate completed successfully
```

local_port and remote_port 4500

```
[IKE] initiating IKE_SA site5-to-opn01[137] to 91.XXX.XXX.XXX
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 10.169.172.207[4500] to 91.XXX.XXX.XXX[4500] (464 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[4500] to 10.169.172.207[4500] (472 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
[IKE] local host is behind NAT, sending keep alives
[IKE] remote host is behind NAT
[IKE] authentication of 'site5.example.com' (myself) with pre-shared key
[IKE] establishing CHILD_SA site5{1071}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 10.169.172.207[4500] to 91.XXX.XXX.XXX[4500] (384 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[4500] to 10.169.172.207[4500] (352 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
[IKE] authentication of 'opn01.example.com' with pre-shared key successful
[IKE] IKE_SA site5-to-opn01[137] established between 10.169.172.207[site5.example.com]...91.XXX.XXX.XXX[opn01.example.com]
[IKE] scheduling rekeying in 1888s
[IKE] maximum IKE_SA lifetime 2088s
[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA site5{1071} established with SPIs cc7c41b7_i ca993715_o and TS 192.168.208.5/32 === 192.168.100.210/32
initiate completed successfully
```
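The behaviour the request relies on (IKE_SA_INIT leaving on UDP 4500 instead of UDP 500 when local_port/remote_port are set) can be verified from the charon log. The following is an added example, not code from the issue or from OPNsense; it parses constructed log excerpts in the format quoted above and reports which UDP ports carried each IKE exchange and whether NAT was detected.

```python
import re

# Constructed sample in the charon log format quoted in the issue: first the
# default-port case, where IKE_SA_INIT goes out on UDP 500 and only IKE_AUTH
# switches to 4500 after NAT detection. Addresses are the masked ones from the issue.
DEFAULT_PORT_LOG = """\
[IKE] initiating IKE_SA site5-to-opn01[135] to 91.XXX.XXX.XXX
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
[NET] sending packet: from 10.169.172.207[500] to 91.XXX.XXX.XXX[500] (464 bytes)
[NET] received packet: from 91.XXX.XXX.XXX[500] to 10.169.172.207[500] (472 bytes)
[IKE] local host is behind NAT, sending keep alives
[IKE] remote host is behind NAT
[ENC] generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr ]
[NET] sending packet: from 10.169.172.207[4500] to 91.XXX.XXX.XXX[4500] (384 bytes)
"""
# Constructed variant of the same exchange with local_port = remote_port = 4500:
# every packet, including IKE_SA_INIT, is already sent on the NAT-T port.
NAT_T_PORT_LOG = DEFAULT_PORT_LOG.replace("[500]", "[4500]")

GEN_RE = re.compile(r"\[ENC\] generating (?P<exchange>\w+) request (?P<mid>\d+)")
SEND_RE = re.compile(
    r"\[NET\] sending packet: from \S+\[(?P<sport>\d+)\] to \S+\[(?P<dport>\d+)\]"
)


def exchange_ports(log: str) -> dict:
    """Map each generated IKE exchange (IKE_SA_INIT, IKE_AUTH, ...) to the
    (source, destination) UDP ports of the packet that carried it, and record
    whether charon reported NAT on either side."""
    result = {"exchanges": {}, "nat_detected": False}
    pending = None  # exchange name waiting for its "[NET] sending packet" line
    for line in log.splitlines():
        gen = GEN_RE.search(line)
        if gen:
            pending = gen.group("exchange")
            continue
        sent = SEND_RE.search(line)
        if sent and pending:
            result["exchanges"][pending] = (int(sent.group("sport")), int(sent.group("dport")))
            pending = None
        if "host is behind NAT" in line:
            result["nat_detected"] = True
    return result


def init_sent_on_nat_t_port(log: str) -> bool:
    """True when IKE_SA_INIT itself left on UDP 4500 -> 4500, i.e. the peer
    never depended on a UDP 500 reply that an IPsec-capable router in front
    of OPNsense could intercept, as described in the issue."""
    return exchange_ports(log)["exchanges"].get("IKE_SA_INIT") == (4500, 4500)
```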
AdSchellevis commented 1 year ago

@Monviech you want to take a stab at this yourself? It shouldn't be too complicated

Monviech commented 1 year ago

@AdSchellevis I think I could try it, I'll just take my time for it. If I can't do it I'll tell you.