<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Calibri" size="2"><span style="font-size:11pt;">
<div>Hi,</div>
<div> </div>
<div>A leftprotoport=0 and rightprotoport=0 IPsec rule configuration in the ipsec.conf file is seen as protocol number “255” in the setkey -DP output, which is taken to mean <b><i>any</i></b> protocol.</div>
<div> </div>
<div>As per /etc/protocols, <b><i>‘0’</i></b> corresponds to <b><i>hopopt</i></b>.</div>
<div> </div>
<div>      hopopt  0       HOPOPT          # hop-by-hop options for ipv6 </div>
<div> </div>
<div>The above is in line with the IANA protocol number assignments: <a href="http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml"><font color="blue"><u>http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml</u></font></a></div>
<div> </div>
<table width="368" style="width:220.8pt;margin-left:3.15pt;">
<col width="15" style="width:9.35pt;">
<col width="68" style="width:41.15pt;">
<col width="187" style="width:112.2pt;">
<col width="14" style="width:8.4pt;">
<col width="82" style="width:49.7pt;">
<tr>
<td align="center" style="text-align:center;">0</td>
<td>HOPOPT</td>
<td>IPv6 Hop-by-Hop Option</td>
<td align="center" style="text-align:center;">Y</td>
<td>[<a href="http://www.iana.org/go/rfc2460"><font color="blue"><u>RFC2460</u></font></a>]</td>
</tr>
</table>
<div> </div>
<div> </div>
<div>We have tested this with leftprotoport=0, rightprotoport=0 AND leftprotoport=hopopt, rightprotoport=hopopt. Both ways, the setkey entries come up with protocol number “255”, and any traffic is allowed to be encrypted.</div>
<div> </div>
<div>conn r3~v1</div>
<div>        rekeymargin=50</div>
<div>        rekeyfuzz=100%</div>
<div>        left=10.43.4.171</div>
<div>        right=10.63.20.123</div>
<div>        leftsubnet=14.14.14.14/32</div>
<div>        rightsubnet=15.15.15.15/32</div>
<div>        <span style="background-color:yellow;">leftprotoport=</span><span style="background-color:yellow;">0</span></div>
<div><span style="background-color:yellow;">        rightprotoport=</span><span style="background-color:yellow;">0</span></div>
<div>        authby=secret</div>
<div>        leftid=10.43.4.171</div>
<div>        rightid=%any</div>
<div>        ike=aes128-sha1-modp1024!</div>
<div>        esp=aes128-sha1!</div>
<div>        type=tunnel</div>
<div>        ikelifetime=1000s</div>
<div>        keylife=500s</div>
<div>        dpdaction=restart</div>
<div>        dpddelay=20</div>
<div>        mobike=no</div>
<div>        auto=route</div>
<div>        reauth=no</div>
<div> </div>
<div>Or</div>
<div> </div>
<div>conn r3~v1</div>
<div>        rekeymargin=50</div>
<div>        rekeyfuzz=100%</div>
<div>        left=10.43.4.171</div>
<div>        right=10.63.20.123</div>
<div>        leftsubnet=14.14.14.14/32</div>
<div>        rightsubnet=15.15.15.15/32</div>
<div>        <span style="background-color:yellow;">leftprotoport=hopopt</span></div>
<div><span style="background-color:yellow;">        rightprotoport=hopopt</span></div>
<div>        authby=secret</div>
<div>        leftid=10.43.4.171</div>
<div>        rightid=%any</div>
<div>        ike=aes128-sha1-modp1024!</div>
<div>        esp=aes128-sha1!</div>
<div>        type=tunnel</div>
<div>        ikelifetime=1000s</div>
<div>        keylife=500s</div>
<div>        dpdaction=restart</div>
<div>        dpddelay=20</div>
<div>        mobike=no</div>
<div>        auto=route</div>
<div>        reauth=no</div>
<div> </div>
<div> </div>
<div>setkey -DP output</div>
<div>-----------------------</div>
<div> </div>
<div>15.15.15.15[any] 14.14.14.14[any] <span style="background-color:yellow;">255</span></div>
<div>        fwd prio high + 1073739144 ipsec</div>
<div>        esp/tunnel/10.63.20.123-10.43.4.171/unique:3</div>
<div>        created: Nov 11 14:48:34 2014  lastused:</div>
<div>        lifetime: 0(s) validtime: 0(s)</div>
<div>        spid=8994 seq=10 pid=26959</div>
<div>        refcnt=1</div>
<div>15.15.15.15[any] 14.14.14.14[any] <span style="background-color:yellow;">255</span></div>
<div>        in prio high + 1073739144 ipsec</div>
<div>        esp/tunnel/10.63.20.123-10.43.4.171/unique:3</div>
<div>        created: Nov 11 14:48:34 2014  lastused:</div>
<div>        lifetime: 0(s) validtime: 0(s)</div>
<div>        spid=8984 seq=11 pid=26959</div>
<div>        refcnt=1</div>
<div>14.14.14.14[any] 15.15.15.15[any] <span style="background-color:yellow;">255</span></div>
<div>        out prio high + 1073739144 ipsec</div>
<div>        esp/tunnel/10.43.4.171-10.63.20.123/unique:3</div>
<div>        created: Nov 11 14:48:34 2014  lastused:</div>
<div>        lifetime: 0(s) validtime: 0(s)</div>
<div>        spid=8977 seq=12 pid=26959</div>
<div>        refcnt=1</div>
<div> </div>
<div> </div>
<div>Does anyone have any inputs regarding the above?</div>
<div> </div>
<div>Thanks</div>
<div>Sumit</div>
<div> </div>
<div> </div>
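<div>Added audit example (editor's code, not part of the post above): a small Python script that parses <code>setkey -DP</code> output in the format shown above and lists the policies whose protocol is 255, i.e. any protocol, so a mismatch between the protoport intended in ipsec.conf and the policy actually installed stands out. The third policy in the sample is constructed, and the "any" spelling in ANY_PROTO is an assumption about setkey builds that print protocol names instead of numbers.</div>

```python
"""Parse `setkey -DP` output and flag policies whose protocol is 255 ("any")."""
import re

HEADER_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)\s*$")  # src[port] dst[port] proto
DIR_RE = re.compile(r"^\s+(in|out|fwd)\s+")
SPID_RE = re.compile(r"\bspid=(\d+)")
# 255 is what the post shows for "any"; "any" is an assumed alias for setkey builds that print names.
ANY_PROTO = {"255", "any"}

# Constructed sample: first two blocks copied from the post, third (TCP to port 22) made up for contrast.
SAMPLE_SETKEY_DP = """\
15.15.15.15[any] 14.14.14.14[any] 255
        fwd prio high + 1073739144 ipsec
        esp/tunnel/10.63.20.123-10.43.4.171/unique:3
        created: Nov 11 14:48:34 2014  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=8994 seq=10 pid=26959
        refcnt=1
14.14.14.14[any] 15.15.15.15[any] 255
        out prio high + 1073739144 ipsec
        esp/tunnel/10.43.4.171-10.63.20.123/unique:3
        spid=8977 seq=12 pid=26959
192.0.2.1[any] 192.0.2.2[22] 6
        out prio def ipsec
        spid=9001 seq=13 pid=26959
"""


def parse_setkey_dp(text):
    """Return one dict per policy; a policy starts at an unindented header line."""
    policies = []
    current = None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = dict(src=m[1], sport=m[2], dst=m[3], dport=m[4],
                           proto=m[5], dir="", spid="")
            policies.append(current)
        elif current is not None:
            if d := DIR_RE.match(line):       # in / out / fwd
                current["dir"] = d[1]
            if s := SPID_RE.search(line):     # kernel policy id
                current["spid"] = s[1]
    return policies


def any_protocol_policies(text):
    """Policies matching every upper-layer protocol; review these when a
    specific protocol (e.g. hopopt) was intended in ipsec.conf."""
    return [p for p in parse_setkey_dp(text) if p["proto"] in ANY_PROTO]
```

Feed it the real listing with `parse_setkey_dp(subprocess.check_output(["setkey", "-DP"], text=True))` and compare the flagged entries against the conn definitions that were meant to be protocol-specific.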
</span></font>
</body>
</html>