[strongSwan] Issue with leftprotoport=0, rightprotoport=0 configuration option in ipsec.conf

Martin Willi martin at strongswan.org
Tue Nov 11 11:57:16 CET 2014

Hi Sumit,

> We have tested this with leftprotoport=0, rightprotoport=0 AND
> leftprotoport=hopopt, rightprotoport=hopopt.

You can't filter extension headers by the IPsec protocol selector; that
selector applies to the protocol field, i.e. the protocol specified in
the last extension header, if present. Please refer to RFC 4301,

>       - Next Layer Protocol: Obtained from the IPv4 "Protocol" or the
>         IPv6 "Next Header" fields.  This is an individual protocol
>         number, ANY, or for IPv6 only, OPAQUE.  The Next Layer Protocol
>         is whatever comes after any IP extension headers that are
>         present.  To simplify locating the Next Layer Protocol, there
>         SHOULD be a mechanism for configuring which IPv6 extension
>         headers to skip.  The default configuration for which protocols
>         to skip SHOULD include the following protocols: 0 (Hop-by-hop
>         options), 43 (Routing Header), 44 (Fragmentation Header), and 60
>         (Destination Options).  Note: The default list does NOT include
>         51 (AH) or 50 (ESP).  From a selector lookup point of view,
>         IPsec treats AH and ESP as Next Layer Protocols.

Further (and for that reason), you can't negotiate protocol "0" as
selector in IKEv2; A protocol of zero means any protocol, refer to RFC
7296 3.13.1:

>    o  IP protocol ID (1 octet) - Value specifying an associated IP
>       protocol ID (such as UDP, TCP, and ICMP).  A value of zero means
>       that the protocol ID is not relevant to this Traffic Selector --
>       the SA can carry all protocols.

> Both ways, setkey entries come with "255" protocol number, and any
> traffic is allowed to be encrypted.

>[any][any] 255

strongSwan installs a zero protocol as "any"; not sure why setkey prints
255 for "any" protocol. I personally prefer the iproute2 "ip" command on


More information about the Users mailing list