[strongSwan] Problem observed during traffic selector narrowing

Patil, Shashidhar 1. (NSN - IN/Bangalore) shashidhar.1.patil at nsn.com
Wed Jun 12 15:20:58 CEST 2013

Hi Martin,
Thanks for the response.
We have already tried this (%any or omitting the parameter itself), but the result is the same.

The following is a curious observation from our side:
If all three parameters of the traffic selectors, "IP address range", "protocol range" and "port range", are bigger, then the tunnel gets established.
The problem arises in the following situations:

s-gw-1 has a higher IP address range but its protocol range is smaller, and vice versa.


-----Original Message-----
From: ext Martin Willi [mailto:martin at strongswan.org] 
Sent: Tuesday, June 11, 2013 3:40 PM
To: Patil, Shashidhar 1. (NSN - IN/Bangalore)
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Problem observed during traffic selector narrowing


>   rightprotoport=any
>   leftprotoport=any

That's not a valid configuration, and fails here with:

> # bad protocol: leftprotoport=any
> # bad protocol: rightprotoport=any

If you want to have any protocol/port combination in the traffic
selectors, use "%any", or omit the keyword completely. man ipsec.conf
for details.

