[strongSwan] Issue with leftprotoport=0, rightprotoport=0 configuration option in ipsec.conf
Kaur, Sumit (NSN - IN/Bangalore)
sumit.kaur at nsn.com
Tue Nov 11 11:23:03 CET 2014
Hi,
An IPsec rule configured with leftprotoport=0 and rightprotoport=0 in the ipsec.conf file is seen as protocol number "255" in the setkey -DP output, which is taken as "any protocol".
As per /etc/protocols - '0' corresponds to hopopt.
hopopt 0 HOPOPT # hop-by-hop options for ipv6
The above is in line with the IANA protocol number assignments: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
0 HOPOPT IPv6 Hop-by-Hop Option Y [RFC2460<http://www.iana.org/go/rfc2460>]
We have tested this with leftprotoport=0, rightprotoport=0 AND leftprotoport=hopopt, rightprotoport=hopopt. Both ways, setkey entries come with "255" protocol number, and any traffic is allowed to be encrypted.
conn r3~v1
rekeymargin=50
rekeyfuzz=100%
left=10.43.4.171
right=10.63.20.123
leftsubnet=14.14.14.14/32
rightsubnet=15.15.15.15/32
leftprotoport=0
rightprotoport=0
authby=secret
leftid=10.43.4.171
rightid=%any
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
type=tunnel
ikelifetime=1000s
keylife=500s
dpdaction=restart
dpddelay=20
mobike=no
auto=route
reauth=no
Or
conn r3~v1
rekeymargin=50
rekeyfuzz=100%
left=10.43.4.171
right=10.63.20.123
leftsubnet=14.14.14.14/32
rightsubnet=15.15.15.15/32
leftprotoport=hopopt
rightprotoport=hopopt
authby=secret
leftid=10.43.4.171
rightid=%any
ike=aes128-sha1-modp1024!
esp=aes128-sha1!
type=tunnel
ikelifetime=1000s
keylife=500s
dpdaction=restart
dpddelay=20
mobike=no
auto=route
reauth=no
setkey -DP output
-----------------------
15.15.15.15[any] 14.14.14.14[any] 255
fwd prio high + 1073739144 ipsec
esp/tunnel/10.63.20.123-10.43.4.171/unique:3
created: Nov 11 14:48:34 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=8994 seq=10 pid=26959
refcnt=1
15.15.15.15[any] 14.14.14.14[any] 255
in prio high + 1073739144 ipsec
esp/tunnel/10.63.20.123-10.43.4.171/unique:3
created: Nov 11 14:48:34 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=8984 seq=11 pid=26959
refcnt=1
14.14.14.14[any] 15.15.15.15[any] 255
out prio high + 1073739144 ipsec
esp/tunnel/10.43.4.171-10.63.20.123/unique:3
created: Nov 11 14:48:34 2014 lastused:
lifetime: 0(s) validtime: 0(s)
spid=8977 seq=12 pid=26959
refcnt=1
Does someone have any inputs regarding the above?
Thanks
Sumit
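As an added example (not part of Sumit's message and not strongSwan code), the following Python script audits the situation described in the post: it reads one ipsec.conf conn section plus the `setkey -DP` output quoted above and checks that the installed SPD carries the selectors the conn asked for. It encodes two facts behind the observation: an IKE traffic selector uses protocol ID 0 to mean "any protocol" (RFC 7296, section 3.13.1), and the PF_KEY interface that setkey reads from prints that wildcard as 255 (IPSEC_ULPROTO_ANY). The /etc/protocols subset, the trimmed sample data, and the restriction that left and right name the same protocol are the example's own assumptions.

```python
"""Check that the SPD strongSwan installed (as printed by `setkey -DP`) carries
the traffic selectors an ipsec.conf conn section asked for.  Added example."""
import re

# Constructed subset of /etc/protocols (name -> number); enough for the demo.
PROTOCOL_NAMES = {"hopopt": 0, "icmp": 1, "tcp": 6, "udp": 17, "esp": 50, "sctp": 132}

# IKE traffic selectors use protocol ID 0 for "any protocol"; the PF_KEY
# interface that setkey talks to prints the same wildcard as 255
# (IPSEC_ULPROTO_ANY).  Both conns in the post therefore show up as 255.
ULPROTO_ANY = 255

SPD_HEAD = re.compile(r"^\s*([^\s\[]+)\[([^\]]+)\]\s+([^\s\[]+)\[([^\]]+)\]\s+(\d+)\s*$")
SPD_DIR = re.compile(r"^\s*(in|out|fwd)\s+prio\s+.*\s(\S+)\s*$")


def parse_protoport(value):
    """Translate a left/rightprotoport value into what setkey will display:
    (protocol number, or 255 for any; port string, or "any").
    Ports are numeric only in this example (no service names)."""
    proto_part, _, port_part = value.strip().lower().partition("/")
    if proto_part in ("", "%any"):
        proto = ULPROTO_ANY
    elif proto_part.isdigit():
        proto = int(proto_part)
    else:
        proto = PROTOCOL_NAMES[proto_part]   # KeyError for unknown names
    if proto == 0:                           # 0 and hopopt both mean "any"
        proto = ULPROTO_ANY
    port = "any" if port_part in ("", "%any", "0") else str(int(port_part))
    return proto, port


def bare_host(cidr):
    """setkey prints a full-length prefix (/32 IPv4, /128 IPv6) as a bare address."""
    addr, _, plen = cidr.partition("/")
    full = "128" if ":" in addr else "32"
    return addr if plen in ("", full) else cidr


def parse_conn(text):
    """Collect the key=value lines of a single conn section into a dict."""
    conn = {}
    for line in text.splitlines():
        key, sep, val = line.strip().partition("=")
        if sep:
            conn[key.strip()] = val.strip()
    return conn


def expected_policies(conn):
    """Kernel policies the conn should produce, keyed by direction.
    Simplification of this example: both sides must name the same protocol."""
    lproto, lport = parse_protoport(conn.get("leftprotoport", ""))
    rproto, rport = parse_protoport(conn.get("rightprotoport", ""))
    if lproto != rproto:
        raise ValueError("example only handles matching left/right protocols")
    left, right = bare_host(conn["leftsubnet"]), bare_host(conn["rightsubnet"])
    return {
        "out": (left, lport, right, rport, lproto),
        "in": (right, rport, left, lport, lproto),
        "fwd": (right, rport, left, lport, lproto),
    }


def parse_setkey_spd(text):
    """Parse `setkey -DP` output into one dict per policy entry."""
    lines = text.splitlines()
    policies = []
    for i, line in enumerate(lines[:-1]):
        head = SPD_HEAD.match(line)
        tail = SPD_DIR.match(lines[i + 1])
        if head and tail:
            src, sport, dst, dport, proto = head.groups()
            policies.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                             "proto": int(proto), "dir": tail.group(1),
                             "action": tail.group(2)})
    return policies


def audit(conn_text, setkey_text):
    """Return a list of findings; an empty list means the SPD matches the conn."""
    expected = expected_policies(parse_conn(conn_text))
    installed = parse_setkey_spd(setkey_text)
    findings = []
    for direction, (src, sport, dst, dport, proto) in expected.items():
        hits = [p for p in installed if p["dir"] == direction
                and (p["src"], p["sport"], p["dst"], p["dport"]) == (src, sport, dst, dport)]
        if not hits:
            findings.append(f"{direction}: no policy {src}[{sport}] -> {dst}[{dport}]")
        for p in hits:
            if p["proto"] != proto:
                findings.append(f"{direction}: kernel proto {p['proto']} != configured {proto}")
            if p["action"] != "ipsec":
                findings.append(f"{direction}: action is {p['action']}, not ipsec")
    return findings


# Sample input trimmed from the post above (the conn with leftprotoport=0).
CONN_FROM_POST = """\
conn r3~v1
    left=10.43.4.171
    right=10.63.20.123
    leftsubnet=14.14.14.14/32
    rightsubnet=15.15.15.15/32
    leftprotoport=0
    rightprotoport=0
    type=tunnel
    auto=route
"""

# Sample `setkey -DP` output trimmed from the post above.
SETKEY_FROM_POST = """\
15.15.15.15[any] 14.14.14.14[any] 255
    fwd prio high + 1073739144 ipsec
    esp/tunnel/10.63.20.123-10.43.4.171/unique:3
    spid=8994 seq=10 pid=26959
15.15.15.15[any] 14.14.14.14[any] 255
    in prio high + 1073739144 ipsec
    esp/tunnel/10.63.20.123-10.43.4.171/unique:3
    spid=8984 seq=11 pid=26959
14.14.14.14[any] 15.15.15.15[any] 255
    out prio high + 1073739144 ipsec
    esp/tunnel/10.43.4.171-10.63.20.123/unique:3
    spid=8977 seq=12 pid=26959
"""

if __name__ == "__main__":
    print(audit(CONN_FROM_POST, SETKEY_FROM_POST) or "SPD matches conn")
```

Run against the post's own data the audit reports no findings, because protocol 0 and hopopt are both the "any" wildcard and 255 is exactly what the kernel is expected to show. Swap in a specific protocol such as icmp and the same SPD is flagged on all three directions, which is the check to run when a conn is supposed to restrict traffic but the kernel policy still reads 255.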