[strongSwan] Issue with leftprotoport=0, rightprotoport=0 configuration option in ipsec.conf
Martin Willi
martin at strongswan.org
Tue Nov 11 11:57:16 CET 2014
Hi Sumit,
> We have tested this with leftprotoport=0, rightprotoport=0 AND
> leftprotoport=hopopt, rightprotoport=hopopt.
You can't filter extension headers by the IPsec protocol selector; that
selector applies to the protocol field, i.e. the protocol specified in
the last extension header, if present. Please refer to RFC 4301,
4.4.1.1:
> - Next Layer Protocol: Obtained from the IPv4 "Protocol" or the
> IPv6 "Next Header" fields. This is an individual protocol
> number, ANY, or for IPv6 only, OPAQUE. The Next Layer Protocol
> is whatever comes after any IP extension headers that are
> present. To simplify locating the Next Layer Protocol, there
> SHOULD be a mechanism for configuring which IPv6 extension
> headers to skip. The default configuration for which protocols
> to skip SHOULD include the following protocols: 0 (Hop-by-hop
> options), 43 (Routing Header), 44 (Fragmentation Header), and 60
> (Destination Options). Note: The default list does NOT include
> 51 (AH) or 50 (ESP). From a selector lookup point of view,
> IPsec treats AH and ESP as Next Layer Protocols.
Further (and for that reason), you can't negotiate protocol "0" as a
selector in IKEv2; a protocol of zero means any protocol, refer to RFC
7296 3.13.1:
> o IP protocol ID (1 octet) - Value specifying an associated IP
> protocol ID (such as UDP, TCP, and ICMP). A value of zero means
> that the protocol ID is not relevant to this Traffic Selector --
> the SA can carry all protocols.
> Both ways, setkey entries come with "255" protocol number, and any
> traffic is allowed to be encrypted.
> 15.15.15.15[any] 14.14.14.14[any] 255
strongSwan installs a zero protocol as "any"; not sure why setkey prints
255 for "any" protocol. I personally prefer the iproute2 "ip" command on
Linux.
Regards
Martin
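As an added illustration of the two RFC points made above (this is example code written for this page, not part of Martin's reply and not strongSwan's own implementation), the following Python walks an IPv6 extension-header chain the way RFC 4301 4.4.1.1 describes and then evaluates a selector with the RFC 7296 rule that protocol 0 means "any". The packets are constructed inline for the example; the function names and the zero-filled TCP/UDP/ESP payloads are assumptions made here.

```python
"""
RFC 4301 4.4.1.1 "Next Layer Protocol" lookup for IPv6, plus the IKEv2
traffic-selector rule from RFC 7296 3.13.1 (protocol ID 0 == any).

Example code written for this page; not strongSwan's implementation.
"""
import struct

# RFC 4301 default list of extension headers to skip when locating the
# Next Layer Protocol. Note that AH (51) and ESP (50) are NOT in this list.
SKIPPED_EXT_HEADERS = {0, 43, 44, 60}   # HOPOPT, Routing, Fragment, DestOpts


def next_layer_protocol(pkt: bytes) -> int:
    """Return the Next Layer Protocol number of a raw IPv6 packet.

    Walks the extension-header chain starting at the fixed 40-byte IPv6
    header and stops at the first header not in SKIPPED_EXT_HEADERS.
    Consequence: this can never return 0 (HOPOPT), 43, 44 or 60, which is
    why a selector for "hopopt" can never match a packet.
    """
    if len(pkt) < 40 or (pkt[0] >> 4) != 6:
        raise ValueError("not an IPv6 packet")
    nxt = pkt[6]          # IPv6 "Next Header" field
    off = 40              # first extension header follows the fixed header
    while nxt in SKIPPED_EXT_HEADERS:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == 44:
            hdr_len = 8                       # Fragment header is fixed 8 bytes
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len is in 8-octet units
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        nxt = pkt[off]    # Next Header field of this extension header
        off += hdr_len
    return nxt


def selector_matches(sel_proto: int, pkt_proto: int) -> bool:
    """IKEv2 TS protocol ID: 0 means the SA carries all protocols."""
    return sel_proto == 0 or sel_proto == pkt_proto


# --- constructed sample packets (not captured traffic) ---------------------

def _ipv6_header(next_header: int, payload_len: int) -> bytes:
    # version=6, tc=0, flow=0 | payload length | next header | hop limit | src | dst
    src = bytes(15) + b"\x01"   # ::1, constructed
    dst = bytes(15) + b"\x02"   # ::2, constructed
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len,
                       next_header, 64, src, dst)


def _hopopt_or_destopt(next_header: int) -> bytes:
    # Next Header, Hdr Ext Len=0 (8 bytes total), then a 6-byte PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


# HOPOPT -> TCP (20 zero bytes standing in for a TCP header)
PKT_HOPOPT_TCP = _ipv6_header(0, 8 + 20) + _hopopt_or_destopt(6) + bytes(20)
# HOPOPT -> ESP (8 zero bytes standing in for an ESP header)
PKT_HOPOPT_ESP = _ipv6_header(0, 8 + 8) + _hopopt_or_destopt(50) + bytes(8)
# HOPOPT -> DestOpts -> UDP (8 zero bytes for a UDP header)
PKT_HOPOPT_DSTOPT_UDP = (_ipv6_header(0, 8 + 8 + 8) + _hopopt_or_destopt(60)
                         + _hopopt_or_destopt(17) + bytes(8))
# plain UDP, no extension headers
PKT_UDP = _ipv6_header(17, 8) + bytes(8)


if __name__ == "__main__":
    for name, pkt in [("HOPOPT->TCP", PKT_HOPOPT_TCP),
                      ("HOPOPT->ESP", PKT_HOPOPT_ESP),
                      ("HOPOPT->DSTOPT->UDP", PKT_HOPOPT_DSTOPT_UDP),
                      ("UDP", PKT_UDP)]:
        proto = next_layer_protocol(pkt)
        print(f"{name:22s} next layer protocol = {proto:3d}  "
              f"matches selector proto 0 (any): {selector_matches(0, proto)}  "
              f"matches selector proto 17: {selector_matches(17, proto)}")
```

The lookup never yields 0 for a packet that carries a Hop-by-Hop header (it returns whatever follows the skipped headers, AH and ESP included), and a selector protocol of 0 matches every packet anyway, which is the combination the reply above is pointing at.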