[strongSwan-dev] How to make strongSwan to install kernel IPsec policies that only match on dport?

Martin Willi martin at strongswan.org
Mon Jul 21 11:36:35 CEST 2014

Hi Sebastian,

> I am trying to configure IPsec between applications that are sending
> UDP packets to destination port 10023. The UDP source port is
> ephemeral. In my ipsec.conf file I simply set leftsubnet=%dynamic[udp]
> and rightsubnet=%dynamic[udp/10023].

And what does your peer's configuration look like? Who initiates the
tunnel? Most likely you have two CHILD_SAs established, resulting in
four XFRM policies.

> This leaves a security hole because policy #3 allows compromised peer
> to send packets to any dport if sport matched to 10023.

AFAICS, this is exactly what your configuration defines: any local UDP
port (leftsubnet=%dynamic[udp]) and remote port 10023.

The IKE protocol does not allow you to exchange policies matching source
or destination ports; it only knows local or remote ports to match
bi-directional flows. Refer to [1] for details.

> How can I make strongSwan to install those two simple IPsec policies
> that I want?

If both ends have to send traffic to the other's UDP port 10023, this
can't work. You can allow both an any<->10023 and a 10023<->any policy,
but this implies that the peer can initiate UDP connections from its
port 10023 to any of your local ports. This is what your policy allows.

If you want to limit connection initiation to destination port 10023,
you'd additionally need some Conntrack aware Netfilter rules.
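As an added illustration of the conntrack-aware Netfilter rules mentioned above (example code, not part of the mailing-list thread or of strongSwan), the following script emits iptables rules that admit NEW flows through the IPsec tunnel only when their UDP destination port is 10023, while replies of existing flows still pass. It assumes iptables with the policy and conntrack match modules and ESP as the IPsec protocol; the port and iptables binary are overridable via PORT and IPT.

```shell
#!/bin/sh
# Added example: close the "sport 10023 -> any dport" gap left by the
# bidirectional XFRM policies that IKE negotiates. The tunnel still
# carries any<->10023 and 10023<->any, but only a flow whose first packet
# targets UDP/$PORT may be created in the conntrack table.
# Assumptions: iptables, policy + conntrack match modules, ESP (not AH).

PORT="${PORT:-10023}"
IPT="${IPT:-iptables}"

# Print the rules for one direction: INPUT (dir in) or OUTPUT (dir out).
_dport_rules_for() {
  chain="$1"; dir="$2"
  m="-m policy --dir $dir --pol ipsec --proto esp"
  # 1. Packets belonging to flows already tracked (replies, related traffic).
  echo "$IPT -A $chain $m -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # 2. A new flow is only admitted if it is addressed to UDP/$PORT.
  echo "$IPT -A $chain $m -p udp --dport $PORT -m conntrack --ctstate NEW -j ACCEPT"
  # 3. Everything else inside the tunnel (e.g. NEW from sport 10023 to any
  #    other port) is dropped; plaintext traffic is not touched by these rules.
  echo "$IPT -A $chain $m -j DROP"
}

# Emit the full rule set to stdout (dry run, safe to inspect first).
ipsec_dport_rules() {
  _dport_rules_for INPUT in
  _dport_rules_for OUTPUT out
}

# Apply the rules; must run as root on the host terminating the tunnel.
ipsec_dport_rules_apply() {
  ipsec_dport_rules | sh -e
}

if [ "${1:-}" = "apply" ]; then ipsec_dport_rules_apply; fi
```

Run without arguments to review the generated rules; run with `apply` as root to install them.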
