<div dir="ltr">I am trying to configure IPsec between applications that are sending UDP packets to destination port 10023. The UDP source port is ephemeral. This means that I want strongSwan to install these two simple IPsec policies:<div>
<br></div><div><div><div>src <a href="http://192.168.64.136/32" target="_blank">192.168.64.136/32</a> dst <a href="http://192.168.64.135/32" target="_blank">192.168.64.135/32</a> proto udp dport 10023<br></div><div> dir in priority 3840</div>
<div> tmpl src 0.0.0.0 dst 0.0.0.0<br></div><div> proto esp reqid 1 mode transport</div><div>src <a href="http://192.168.64.135/32" target="_blank">192.168.64.135/32</a> dst <a href="http://192.168.64.136/32" target="_blank">192.168.64.136/32</a> proto udp dport 10023</div>
<div> dir out priority 3840</div><div> tmpl src 0.0.0.0 dst 0.0.0.0<br></div><div> proto esp reqid 1 mode transport</div></div><div><br></div><div>However, I can't figure out how make strongswan to do that. It always installs these 4 policies:</div>
<div><br></div><div>src <a href="http://192.168.64.136/32" target="_blank">192.168.64.136/32</a> dst <a href="http://192.168.64.135/32" target="_blank">192.168.64.135/32</a> proto udp sport 10023 dport 10023</div><div> dir in priority 1792</div>
<div> tmpl src 0.0.0.0 dst 0.0.0.0<br></div><div> proto esp reqid 1 mode transport</div><div>src <a href="http://192.168.64.135/32" target="_blank">192.168.64.135/32</a> dst <a href="http://192.168.64.136/32" target="_blank">192.168.64.136/32</a> proto udp sport 10023 dport 10023</div>
<div> dir out priority 1792</div><div> tmpl src 0.0.0.0 dst 0.0.0.0<br></div><div> proto esp reqid 1 mode transport</div><div>src <a href="http://192.168.64.136/32" target="_blank">192.168.64.136/32</a> dst <a href="http://192.168.64.135/32" target="_blank">192.168.64.135/32</a> proto udp sport 10023</div>
<div> dir in priority 3840</div><div> tmpl src 0.0.0.0 dst 0.0.0.0<br></div><div> proto esp reqid 1 mode transport</div><div>src <a href="http://192.168.64.135/32" target="_blank">192.168.64.135/32</a> dst <a href="http://192.168.64.136/32" target="_blank">192.168.64.136/32</a> proto udp dport 10023</div>
<div> dir out priority 3840</div><div> tmpl src 0.0.0.0 dst 0.0.0.0<br></div><div> proto esp reqid 1 mode transport</div><div><br></div><div><br></div><div>In my ipsec.conf file I simply set lefsubnet=%dynamic[udp] and rightsubnet=%dynamic[udp/10023]. However, that leads to those 4 policies being installed. This leaves a security hole because policy #3 allows compromised peer to send packets to any dport if sport matched to 10023.</div>
<div><br></div><div>How can I make strongSwan to install those two simple IPsec policies that I want?</div><div><br></div><div>Regards,</div><div>Sebastian</div><div><br></div><div><br></div></div></div>