[strongSwan] Problem with transport mode and xfrm selector restricting traffic

Brad Johnson bjohnson at ecessa.com
Tue May 13 20:09:22 CEST 2014


We use a transport type connection to send PPP traffic (so a ppp tunnel 
inside the VPN). The problem we are having is the xfrm states that get 
created have selectors restricting the traffic to the left and right IP 
addresses. So for example, a ping from one ppp tunnel endpoint to the 
other tunnel endpoint gets dropped on the receiving end. After some 
kernel debugging it appears the problem is related to the incoming 
packet being decoded multiple times, first handling the GRE protocol and 
then the ESP decoding, then finally the IP packet (ping) itself. At that 
point it appears to match xfrm policies and states when it shouldn't and 
gets dropped. It seems the packet retains some state from when it first 
came in as GRE.
My question is, how can I configure strongswan to create transport type 
xfrm states without the additional traffic selectors?

Here are the configs at the two sites:

conn Site1
     left=10.1.1.2
     right=10.1.3.2
     auto=start
     type=transport
     keyingtries=%forever
     leftauth=psk
     rightauth=psk
     ikelifetime=8h
     ike=aes256-sha1-modp1536
     esp=aes256-sha1

conn Site2
     left=10.1.3.2
     right=10.1.1.2
     auto=start
     type=transport
     keyingtries=%forever
     leftauth=psk
     rightauth=psk
     ikelifetime=8h
     ike=aes256-sha1-modp1536
     esp=aes256-sha1

And it results in the following xfrm states (notice the selectors):
# ip x s
src 10.1.3.2 dst 10.1.1.2
     proto esp spi 0xc30c3862 reqid 5 mode transport
     replay-window 32
     auth-trunc hmac(sha1) 0x437e81338a9b43361dd42c51485050b5f4d88fa9 96
     enc cbc(aes) 0x172d25628008facaa7361830d114215fb9fab8043219b3d49f0aca1c91c24aba
     sel src 10.1.3.2/32 dst 10.1.1.2/32
src 10.1.1.2 dst 10.1.3.2
     proto esp spi 0xc957f846 reqid 5 mode transport
     replay-window 32
     auth-trunc hmac(sha1) 0x3d6b0f4041d7e564ce3bef44ce1281e43d4b5825 96
     enc cbc(aes) 0x7c4753f75e2a96c6fb1e7b75826c37a551900dd2e53b52971ea9319e3b620944
     sel src 10.1.1.2/32 dst 10.1.3.2/32


Thanks in advance for the help,
Brad Johnson
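As an added check (example code, not part of Brad's post and not part of strongSwan): a small Python parser for `ip xfrm state` output that picks out each SA's mode, SPI, reqid and selector, and flags the transport-mode states whose selector would exclude a given inner flow. This is the quick way to confirm the symptom described above, namely that the /32 selectors on the two states cover only the outer 10.1.1.2 <-> 10.1.3.2 pair and not the PPP endpoints. The sample output is constructed from the two states quoted above (the wrapped keys joined onto one line); the PPP endpoint addresses 192.168.100.1 and 192.168.100.2 are assumed for illustration.

```python
"""Parse `ip xfrm state` output and report transport-mode SAs whose
selector excludes a given inner (src, dst) flow.

Added example, not code from the original post or from strongSwan.
SAMPLE_IP_XFRM_STATE is constructed from the states quoted in the post;
the inner PPP addresses used below are assumed.
"""
import ipaddress
import re

# Constructed sample: the two states from the post, keys unwrapped.
SAMPLE_IP_XFRM_STATE = """\
src 10.1.3.2 dst 10.1.1.2
     proto esp spi 0xc30c3862 reqid 5 mode transport
     replay-window 32
     auth-trunc hmac(sha1) 0x437e81338a9b43361dd42c51485050b5f4d88fa9 96
     enc cbc(aes) 0x172d25628008facaa7361830d114215fb9fab8043219b3d49f0aca1c91c24aba
     sel src 10.1.3.2/32 dst 10.1.1.2/32
src 10.1.1.2 dst 10.1.3.2
     proto esp spi 0xc957f846 reqid 5 mode transport
     replay-window 32
     auth-trunc hmac(sha1) 0x3d6b0f4041d7e564ce3bef44ce1281e43d4b5825 96
     enc cbc(aes) 0x7c4753f75e2a96c6fb1e7b75826c37a551900dd2e53b52971ea9319e3b620944
     sel src 10.1.1.2/32 dst 10.1.3.2/32
"""

_HEAD = re.compile(r"^src (\S+) dst (\S+)$")            # first line of each state
_PROTO = re.compile(r"proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)")
_SEL = re.compile(r"sel src (\S+) dst (\S+)(?: proto (\S+))?")  # proto is optional


def parse_xfrm_states(text):
    """Return a list of dicts, one per SA, in the order `ip xfrm state` printed them."""
    states = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HEAD.match(line)
        if m:
            # A new SA block begins with an unindented "src X dst Y" line.
            cur = {"src": m.group(1), "dst": m.group(2), "sel": None}
            states.append(cur)
            continue
        if cur is None:
            continue
        m = _PROTO.search(line)
        if m:
            cur["proto"], cur["spi"] = m.group(1), m.group(2)
            cur["reqid"], cur["mode"] = int(m.group(3)), m.group(4)
            continue
        m = _SEL.search(line)
        if m:
            cur["sel"] = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "proto": m.group(3),  # None when the kernel printed no proto
            }
    return states


def selector_blocks(state, src_ip, dst_ip):
    """True if this SA's selector would NOT match a packet src_ip -> dst_ip.
    A state with no selector matches everything and never blocks."""
    sel = state["sel"]
    if sel is None:
        return False
    return (ipaddress.ip_address(src_ip) not in sel["src"]
            or ipaddress.ip_address(dst_ip) not in sel["dst"])


def find_restrictive_transport_states(text, inner_flows):
    """For each transport-mode SA and each (src, dst) inner flow it would exclude,
    return a dict with the SA's spi/src/dst and the offending flow."""
    hits = []
    for st in parse_xfrm_states(text):
        if st.get("mode") != "transport":
            continue
        for src_ip, dst_ip in inner_flows:
            if selector_blocks(st, src_ip, dst_ip):
                hits.append({"spi": st["spi"], "src": st["src"], "dst": st["dst"],
                             "flow": (src_ip, dst_ip)})
    return hits


if __name__ == "__main__":
    # Assumed PPP endpoint addresses; replace with the real tunnel endpoints.
    ppp_flows = [("192.168.100.1", "192.168.100.2"), ("192.168.100.2", "192.168.100.1")]
    for h in find_restrictive_transport_states(SAMPLE_IP_XFRM_STATE, ppp_flows):
        print("SA %s (%s -> %s) selector excludes %s -> %s"
              % (h["spi"], h["src"], h["dst"], *h["flow"]))
```

On a live host, feed it `subprocess.check_output(["ip", "xfrm", "state"], text=True)` instead of the constructed sample. A flow that matches the outer addresses (10.1.1.2 -> 10.1.3.2) is excluded only by the state carrying the opposite selector, while a PPP-endpoint flow is excluded by both, which is exactly the asymmetry the post describes.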
