[strongSwan-dev] How to make strongSwan to install kernel IPsec policies that only match on dport?
Sebastian Wurst
wurstsebastian80 at gmail.com
Sun Jul 20 23:19:47 CEST 2014
I am trying to configure IPsec between applications that are sending UDP
packets to destination port 10023. The UDP source port is ephemeral. This
means that I want strongSwan to install these two simple IPsec policies:
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp dport 10023
        dir in priority 3840
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.168.64.135/32 dst 192.168.64.136/32 proto udp dport 10023
        dir out priority 3840
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
However, I can't figure out how to make strongSwan do that. It always
installs these 4 policies:
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp sport 10023 dport 10023
        dir in priority 1792
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.168.64.135/32 dst 192.168.64.136/32 proto udp sport 10023 dport 10023
        dir out priority 1792
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp sport 10023
        dir in priority 3840
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.168.64.135/32 dst 192.168.64.136/32 proto udp dport 10023
        dir out priority 3840
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
In my ipsec.conf file I simply set leftsubnet=%dynamic[udp] and
rightsubnet=%dynamic[udp/10023]. However, that leads to those 4 policies
being installed. This leaves a security hole because policy #3 allows a
compromised peer to send packets to any dport if the sport matches 10023.
How can I make strongSwan install those two simple IPsec policies that I
want?
Regards,
Sebastian
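The concern in the mail is that the kernel ends up with a policy that selects on the source port only (policy #3), so the peer can reach any local UDP port through the SA. Whatever strongSwan ends up installing, the installed set is what matters, and it can be audited directly from `ip xfrm policy show`. The script below is an added example, not code from the mail or from the strongSwan project: it parses the keyword/value layout `ip xfrm policy show` prints, flags every policy that names a sport without a dport, and diffs the installed selectors against the two dport-only policies the mail asks for. The sample input is constructed from the four policies quoted above; it assumes 192.168.64.135 is the local host (it is the `src` of the `dir out` policies) and that the output contains only keyword/value pairs, as in the sample.

```python
"""Audit kernel IPsec (xfrm) policies for over-broad port selectors.

Parses the text printed by `ip xfrm policy show` and flags policies that
name a source port without pinning the destination port: such a policy
lets the peer reach any destination port as long as it sources packets
from the named port.  It also diffs the installed set against the two
dport-only policies the mail asks for.
"""
import sys

# Constructed sample: the four policies quoted in the mail, in the layout
# `ip xfrm policy show` prints (record starts unindented, rest indented).
SAMPLE = """\
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp sport 10023 dport 10023
\tdir in priority 1792
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.168.64.135/32 dst 192.168.64.136/32 proto udp sport 10023 dport 10023
\tdir out priority 1792
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp sport 10023
\tdir in priority 3840
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.168.64.135/32 dst 192.168.64.136/32 proto udp dport 10023
\tdir out priority 3840
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
"""

FIELDS = ("src", "dst", "proto", "sport", "dport", "dir")


def parse_policies(text):
    """Parse `ip xfrm policy show` output into a list of dicts.

    Selector keywords (src, dst, proto, sport, dport, dir, priority, ...)
    become keys of the policy dict; everything after the `tmpl` keyword
    goes into policy['tmpl'].  Assumption: the output is keyword/value
    pairs in the layout of the sample (a trailing bare keyword maps to True).
    """
    policies = []
    in_tmpl = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():  # unindented line => new policy record
            policies.append({"tmpl": {}})
            in_tmpl = False
        if not policies:
            raise ValueError("output must begin with an unindented 'src ...' line")
        pol = policies[-1]
        tokens = line.split()
        i = 0
        while i < len(tokens):
            if tokens[i] == "tmpl":
                in_tmpl = True
                i += 1
                continue
            target = pol["tmpl"] if in_tmpl else pol
            target[tokens[i]] = tokens[i + 1] if i + 1 < len(tokens) else True
            i += 2
    return policies


def selector_key(pol):
    """(src, dst, proto, sport, dport, dir) tuple; absent fields are None."""
    return tuple(pol.get(k) for k in FIELDS)


def describe(pol):
    """Human-readable selector, omitting fields the policy does not set."""
    return " ".join(f"{k} {v}" for k, v in zip(FIELDS, selector_key(pol)) if v is not None)


def find_sport_only(policies):
    """Policies that select on a source port but leave the destination port open."""
    return [pol for pol in policies if "sport" in pol and "dport" not in pol]


def expected_policies(local, peer, proto, port):
    """The two policies the mail wants: dport-only, one per direction."""
    return {
        (f"{peer}/32", f"{local}/32", proto, None, str(port), "in"),
        (f"{local}/32", f"{peer}/32", proto, None, str(port), "out"),
    }


def diff_policies(policies, expected):
    """Return (missing, extra) selector keys relative to the expected set."""
    actual = {selector_key(p) for p in policies}
    return sorted(expected - actual, key=str), sorted(actual - expected, key=str)


def main(argv):
    # "-" reads live `ip xfrm policy show` output from stdin; otherwise the sample.
    text = sys.stdin.read() if argv[1:] == ["-"] else SAMPLE
    policies = parse_policies(text)
    bad = find_sport_only(policies)
    for pol in bad:
        print(f"WARNING source-port-only selector: {describe(pol)}")
    # Assumption: 192.168.64.135 is the local host (src of the 'dir out' policies).
    wanted = expected_policies("192.168.64.135", "192.168.64.136", "udp", 10023)
    missing, extra = diff_policies(policies, wanted)
    for key in missing:
        print("MISSING", key)
    for key in extra:
        print("EXTRA  ", key)
    return 1 if bad or missing or extra else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `ip xfrm policy show | python3 xfrm_audit.py -` (the file name is hypothetical) on the host after strongSwan has brought the connection up; on the sample it reports policy #3 as a source-port-only selector, one missing `dir in ... dport 10023` policy, and three extra policies. The expected set is keyed on the selector fields only, so a policy that differs solely in priority or template still counts as present.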