[strongSwan] Traffic Selector problem when using IKEv2 IPV6

Tobias Brunner tobias at strongswan.org
Tue Feb 7 17:37:03 CET 2012


Hi Eric,

> However, when I specify a port value in the protoport designations (E.g.
> leftprotoport=tcp/0 + rightprotoport=tcp/3260 OR leftprotoport=6/0 +
> rightprotoport=6/3260 OR leftprotoport=tcp/any +
> rightprotoport=tcp/3260), the IKE authentication fails due to a traffic
> selector mismatch.  When I use any of the previous conventions the
> traffic selectors appear as the following on the remote peer:
> 
> Find a rule matching the first traffic selectors of:
> TS_r=ipv6(tcp:3260,fc00:2518::10:125:56:16),ipv6(tcp:3260,fc00:2518::10:125:56:16)
> and
> TS_i=ipv6(tcp,fc00:2518::221:9bff:fe98:854b),ipv6(tcp,fc00:2518::221:9bff:fe98:854b)
> 
> In this case, the traffic selectors from the Strongswan host appear to
> be sending tcp,fc00:2518::221:9bff:fe98:854b.  Which do not appear fine
> since I specified the port values in the protoport designations.  In
> fact they appear to be exactly the same as when I didn't specify the
> port values in the protoport designations.

Hm, no you actually didn't specify a port value in the leftprotoport
option (i.e. TSi).  Specifying leftprotoport=tcp/%any or tcp/0 means you
don't want to restrict the traffic to a specific port, which is the same
as specifying just leftprotoport=tcp.  On the wire this part of the
traffic selector is encoded as a range of accepted port values (i.e.
0-65535).  The responder is then free to narrow this range to a specific
port (i.e. with rightprotoport) or a smaller range (can't be configured
in ipsec.conf yet) if it likes to do so.

> So I guess the question is why are the port values from the Strongswan
> host not being presented to the remote peer?

The port you actually specified (3260) is sent to the remote host (as
part of TSr, which is what rightprotoport configures), right?

So, what is it you expected to happen differently here?

Regards,
Tobias
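The following is an added example, not part of the message above and not strongSwan code. It shows, in Python, what the reply describes: an ipsec.conf protoport value is turned into an IKEv2 traffic selector whose port half is a range (RFC 7296 section 3.13.1), so tcp, tcp/0 and tcp/%any all go on the wire as TCP with ports 0-65535, while tcp/3260 becomes the single-port range 3260-3260; a responder then narrows by intersecting what was proposed with its own configuration, and an empty intersection is the "traffic selector mismatch" case. The host addresses are the two from the log lines quoted above; the describe() output only approximates the log format, the wire layout is the RFC's, and accepting "any" without the leading "%" is an assumption made to cover the spellings used in the question.

```python
"""Added example: ipsec.conf protoport -> IKEv2 traffic selector -> narrowing."""
import ipaddress
import struct
from dataclasses import dataclass

TS_IPV6_ADDR_RANGE = 8                      # TS Type value for IPv6 ranges (RFC 7296)
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "icmpv6": 58}
PROTO_NAMES = {v: k for k, v in PROTO_NUMBERS.items()}


@dataclass
class TrafficSelector:
    proto: int              # 0 means "any protocol"
    start_port: int
    end_port: int
    start_addr: str
    end_addr: str

    def describe(self):
        """Approximate the shape of the log lines in the thread (ipv6(tcp:3260,addr))."""
        name = PROTO_NAMES.get(self.proto, str(self.proto)) if self.proto else ""
        if self.start_port == 0 and self.end_port == 65535:
            port = ""                       # full range: no port is shown at all
        elif self.start_port == self.end_port:
            port = f":{self.start_port}"
        else:
            port = f":{self.start_port}-{self.end_port}"
        addr = self.start_addr if self.start_addr == self.end_addr \
            else f"{self.start_addr}-{self.end_addr}"
        return f"ipv6({name}{port},{addr})" if name or port else f"ipv6({addr})"


def parse_protoport(spec, addr):
    """Turn an ipsec.conf protoport value plus a host address into a selector.

    'tcp', 'tcp/0', 'tcp/%any' and '6/0' all mean "TCP, any port": the port
    half is encoded as the full range 0-65535.  Only an explicit port such as
    'tcp/3260' yields a single-port range.  Assumption: plain 'any' is treated
    like the documented '%any'.
    """
    proto_part, _, port_part = spec.partition("/")
    proto = PROTO_NUMBERS.get(proto_part.lower())
    if proto is None:
        proto = int(proto_part) if proto_part else 0
    if port_part.lstrip("%").lower() in ("", "0", "any"):
        start_port, end_port = 0, 65535
    else:
        start_port = end_port = int(port_part)
    return TrafficSelector(proto, start_port, end_port, addr, addr)


def encode_ts(ts):
    """Serialise one Traffic Selector substructure as carried in a TSi/TSr payload."""
    start = ipaddress.IPv6Address(ts.start_addr).packed
    end = ipaddress.IPv6Address(ts.end_addr).packed
    # TS Type, IP Protocol ID, Selector Length, Start Port, End Port, then the addresses
    header = struct.pack("!BBHHH", TS_IPV6_ADDR_RANGE, ts.proto,
                         8 + len(start) + len(end), ts.start_port, ts.end_port)
    return header + start + end


def decode_ts(data):
    """Parse the substructure produced by encode_ts (IPv6 ranges only)."""
    ts_type, proto, length, sp, ep = struct.unpack("!BBHHH", data[:8])
    if ts_type != TS_IPV6_ADDR_RANGE or length != 40 or len(data) < 40:
        raise ValueError("unsupported or truncated traffic selector")
    start = str(ipaddress.IPv6Address(data[8:24]))
    end = str(ipaddress.IPv6Address(data[24:40]))
    return TrafficSelector(proto, sp, ep, start, end)


def narrow(proposed, configured):
    """Responder-side narrowing: intersect the peer's proposal with local config.

    Returns None when protocols, ports or addresses do not overlap, which is
    what surfaces as a traffic selector mismatch during the CHILD_SA setup.
    """
    if proposed.proto and configured.proto and proposed.proto != configured.proto:
        return None
    proto = proposed.proto or configured.proto
    sp, ep = max(proposed.start_port, configured.start_port), \
        min(proposed.end_port, configured.end_port)
    sa = max(ipaddress.IPv6Address(proposed.start_addr), ipaddress.IPv6Address(configured.start_addr))
    ea = min(ipaddress.IPv6Address(proposed.end_addr), ipaddress.IPv6Address(configured.end_addr))
    if sp > ep or sa > ea:
        return None
    return TrafficSelector(proto, sp, ep, str(sa), str(ea))


def demo():
    """Replay the situation from the thread and return the selectors as strings."""
    initiator = "fc00:2518::221:9bff:fe98:854b"
    responder = "fc00:2518::10:125:56:16"
    tsi = parse_protoport("tcp/%any", initiator)     # leftprotoport=tcp/%any
    tsr = parse_protoport("tcp/3260", responder)     # rightprotoport=tcp/3260
    tsi_seen = decode_ts(encode_ts(tsi))             # what the responder decodes
    # The responder is configured for the same pair: no narrowing needed.
    ok = narrow(tsi_seen, parse_protoport("tcp", initiator))
    # A responder expecting port 3261 for itself cannot intersect with 3260.
    bad = narrow(tsr, parse_protoport("tcp/3261", responder))
    return {"TSi": tsi_seen.describe(), "TSr": tsr.describe(),
            "narrowed_TSi": ok.describe(), "mismatch": bad}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it prints TSi as ipv6(tcp,fc00:2518::221:9bff:fe98:854b), i.e. the same line whether tcp, tcp/0 or tcp/%any was configured, and TSr as ipv6(tcp:3260,fc00:2518::10:125:56:16); only the port actually given (3260) is a single-port range, which matches the reply's explanation.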
