[strongSwan] Wrong traffic selecting on local side.
Jaehong Park
jaehong.park at illumio.com
Mon Aug 7 17:45:58 CEST 2017
Thanks Tobias.
That makes a lot of sense.
Here is another question.
If I split these into
Server side (IP address is 10.6.3.187):
conn tcp_4001
    leftsubnet=0.0.0.0/0[6/4001]
conn udp_4001
    leftsubnet=0.0.0.0/0[17/4001]
Client side (IP address is 10.6.3.188):
conn 4.10-6-3-187.32.6.4001
    esp=sha1-aes256
    rightsubnet=10.6.3.187/32[6/4001]
conn 4.10-6-3-187.32.17.4001
    esp=sha1-aes256
    rightsubnet=10.6.3.187/32[17/4001]
And if I do UDP iperf3 testing on port 4001 from client to server,
somehow all the SAs are up and the TCP control packets flow, but not the UDP data traffic.
Is there a known issue with this configuration with certain kernel that you are aware of?
I am using CentOS 6.6
Thanks.
On Aug 7, 2017, at 2:26 AM, Tobias Brunner <tobias at strongswan.org> wrote:
Hi Jaehong,
> This is the charon.log with debug level 2, when the problem happens.
> At the end of selecting ts for us, it picks tcp_udp_4001 instead of
> selecting icmp_any.
> Is this a bug?
Not really. The tcp_udp_4001 connection allows any protocol, so when
the peer proposes ICMP that's perfectly acceptable. The port 4001 is
interpreted as ICMP type and code in the upper and lower bytes, i.e. 15
and 161, respectively. And this type of narrowing is perfectly fine.
Regards,
Tobias
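As an added illustration of the narrowing Tobias describes (this is not code from the thread or from strongSwan), the following Python sketch parses the leftsubnet/rightsubnet selector syntax used above and checks which configured conns a peer's proposal can narrow into. It assumes the original tcp_udp_4001 conn was 0.0.0.0/0[/4001] (any protocol on port 4001), which the thread does not show, and it simplifies protocol/port parsing to numeric values plus a few protocol names.

```python
import ipaddress
import re
from dataclasses import dataclass

# ipsec.conf selector syntax from this thread: <net>/<prefix>[<proto>/<port>], e.g.
# 0.0.0.0/0[6/4001]. Simplification: numeric ports only, plus a few protocol names.
_TS_RE = re.compile(r"^(?P<net>[^\[]+)(?:\[(?P<proto>[^/\]]*)(?:/(?P<port>[^\]]*))?\])?$")
_PROTO_NAMES = {"": 0, "%any": 0, "icmp": 1, "tcp": 6, "udp": 17}

@dataclass(frozen=True)
class TrafficSelector:
    net: ipaddress.IPv4Network
    proto: int  # IP protocol number, 0 = any protocol
    port: int   # 16-bit port, 0 = any; for ICMP: type in the high byte, code in the low byte

def icmp_port(icmp_type, icmp_code):
    """Encode an ICMP type/code pair into the 16-bit port field of a selector."""
    return (icmp_type << 8) | icmp_code

def icmp_type_code(port):
    """Inverse of icmp_port: how a configured port reads once the protocol is ICMP."""
    return port >> 8, port & 0xFF

def parse_ts(text):
    """Parse one leftsubnet/rightsubnet entry into a TrafficSelector."""
    m = _TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable traffic selector: {text!r}")
    net = ipaddress.ip_network(m.group("net"), strict=False)
    proto_s = (m.group("proto") or "").lower()
    proto = _PROTO_NAMES[proto_s] if proto_s in _PROTO_NAMES else int(proto_s)
    port_s = m.group("port") or ""
    return TrafficSelector(net, proto, 0 if port_s in ("", "%any") else int(port_s))

def narrows_to(proposed, configured):
    """True if the peer's proposal fits inside the configured selector (narrowing)."""
    return (proposed.net.subnet_of(configured.net) and configured.proto in (0, proposed.proto)
            and configured.port in (0, proposed.port))

def matching_conns(proposed, conns):
    """Names of the configured conns whose local selector accepts the proposal."""
    return [name for name, ts in conns.items() if narrows_to(proposed, parse_ts(ts))]

# Constructed example: the catch-all conn (assumed to have been 0.0.0.0/0[/4001], i.e.
# any protocol on port 4001) beside the split TCP-only and UDP-only conns from the thread.
CONNS = {"tcp_udp_4001": "0.0.0.0/0[/4001]",
         "tcp_4001": "0.0.0.0/0[6/4001]",
         "udp_4001": "0.0.0.0/0[17/4001]"}
PEER = ipaddress.ip_network("10.6.3.188/32")
ICMP_PROPOSAL = TrafficSelector(PEER, 1, icmp_port(15, 161))  # port field reads as 4001
```

With the catch-all conn, an ICMP proposal of type 15 / code 161 matches because its type/code bytes equal 4001; once the conn is split into [6/4001] and [17/4001], the same proposal matches neither.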