[strongSwan] Wrong traffic selecting on local side.
Jaehong Park
jaehong.park at illumio.com
Sun Aug 6 17:07:09 CEST 2017
Hi Tobias.
I have the following server-side strongSwan configuration (transport mode) and found strange behavior.
conn tcp_udp_4001
    leftsubnet=0.0.0.0/0[%any/4001]
conn icmp_any
    leftsubnet=0.0.0.0/0[1/%any]
And if a peer (10.6.3.185) does a ping, I am expecting it to bring up the Child SA properly on conn icmp_any, but it does not.
This is the charon.log with debug level 2, when the problem happens.
At the end of selecting ts for us, it picks tcp_udp_4001 instead of selecting icmp_any.
Is this a bug?
looking for a child config for 10.6.3.187/32[icmp] === 10.6.3.185/32[icmp]
2017-08-06T08:02:13-0700 11[CFG] proposing traffic selectors for us:
2017-08-06T08:02:13-0700 11[CFG] 0.0.0.0/0[newoak]
2017-08-06T08:02:13-0700 11[CFG] proposing traffic selectors for other:
2017-08-06T08:02:13-0700 11[CFG] 10.6.3.185/32
2017-08-06T08:02:13-0700 11[CFG] candidate "tcp_udp_4001" with prio 1+1
2017-08-06T08:02:13-0700 11[CFG] proposing traffic selectors for us:
2017-08-06T08:02:13-0700 11[CFG] 0.0.0.0/0[icmp]
2017-08-06T08:02:13-0700 11[CFG] proposing traffic selectors for other:
2017-08-06T08:02:13-0700 11[CFG] 10.6.3.185/32
2017-08-06T08:02:13-0700 11[CFG] candidate "icmp_any" with prio 1+1
2017-08-06T08:02:13-0700 11[CFG] found matching child config "tcp_udp_4001" with prio 2
2017-08-06T08:02:13-0700 11[CFG] selecting traffic selectors for other:
2017-08-06T08:02:13-0700 11[CFG] config: 10.6.3.185/32, received: 10.6.3.185/32[icmp] => match: 10.6.3.185/32[icmp]
2017-08-06T08:02:13-0700 11[CFG] selecting traffic selectors for us:
2017-08-06T08:02:13-0700 11[CFG] config: 0.0.0.0/0[newoak], received: 10.6.3.187/32[icmp] => match: 10.6.3.187/32[icmp/15(161)]
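An added example, not part of the original post and not strongSwan's code: a simplified model of IKEv2 traffic selector narrowing, showing how the `%any/4001` selector overlaps an ICMP request. RFC 7296 treats ICMP type and code as one 16-bit port value (type in the high byte), so port 4001 reads as type 15, code 161, the value in the last log line. The function names and the `6/4001` selector are constructed for illustration.

```python
import ipaddress

ICMP = 1                 # IANA protocol number
ANY_PORTS = (0, 65535)

def parse_ts(spec):
    """Parse 'subnet[proto/port]' as written in leftsubnet above (numeric protocols only)."""
    net, _, rest = spec.partition("[")
    proto_s, _, port_s = rest.rstrip("]").partition("/")
    proto = 0 if proto_s in ("", "%any") else int(proto_s)   # 0 = any protocol
    ports = ANY_PORTS if port_s in ("", "%any") else (int(port_s), int(port_s))
    return ipaddress.ip_network(net), proto, ports

def narrow(config, received):
    """Intersect two selectors; return None when they do not overlap."""
    (cnet, cproto, cports), (rnet, rproto, rports) = config, received
    if cproto and rproto and cproto != rproto:
        return None                      # two different concrete protocols
    if not cnet.overlaps(rnet):
        return None
    net = cnet if cnet.prefixlen >= rnet.prefixlen else rnet   # the narrower subnet
    lo, hi = max(cports[0], rports[0]), min(cports[1], rports[1])
    if lo > hi:
        return None
    return net, cproto or rproto, (lo, hi)

def fmt(ts):
    """Render a selector roughly the way the log above prints it."""
    net, proto, (lo, hi) = ts
    name = {0: "", ICMP: "icmp"}.get(proto, str(proto))
    if (lo, hi) == ANY_PORTS:
        sel = name
    elif proto == ICMP and lo == hi:
        sel = f"{name}/{lo >> 8}({lo & 0xFF})"   # type(code), as in icmp/15(161)
    else:
        port = str(lo) if lo == hi else f"{lo}-{hi}"
        sel = f"{name}/{port}" if name else port
    return f"{net}[{sel}]" if sel else str(net)

if __name__ == "__main__":
    received = parse_ts("10.6.3.187/32[1/%any]")   # the "us" selector from the log
    for conn, spec in [("tcp_udp_4001", "0.0.0.0/0[%any/4001]"),
                       ("icmp_any", "0.0.0.0/0[1/%any]"),
                       ("constructed tcp-only", "0.0.0.0/0[6/4001]")]:
        match = narrow(parse_ts(spec), received)
        print(conn, "=>", fmt(match) if match else "no match")
```
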