[strongSwan] ip xfrm policy result of transport mode

Nimo gnimozyu at gmail.com
Wed Dec 20 11:32:58 CET 2017 

Hello,

I'm using transport mode with strongSwan 5.3.5. It works fine , but result
of 'ip xfrm policy' may be somehing wrong.

1) I configure strongSwan-1 and stronSwan-2 as below. Then I execute 'ip
xfrm policy', the result was "[strongSwan's result]" in below.
2) I launched iPhone's L2TP to strongSwan-1. Then the 'ip xfrm policy'
showed "[iPhone result]"

Difference between above two is number of sport/dport.
Could you please tell me strongSwan-2 configuration to match iPhone's
result ?


strongSwan-1
----------------------------------------------
[ipsec.conf]
conn L2TP
        left=1.1.1.254
        authby=secret
        auto=add
        keyingtries=3
        keyexchange=ikev1
        rekey=yes
        ike=3des-sha1-modp1024,aes128-sha1,aes256-sha1
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        ikelifetime=8h
        keylife=1h
        type=transport
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

[ipsec.secrets]
1.1.1.254 %any : PSK "password"

strongSwan-2
----------------------------------------------
[ipsec.conf]
conn client
        authby          = secret
        keyexchange     = ikev1
        rekey           = no
        keyingtries     = 3
        type            = transport
        right           = 1.1.1.254
        left            = %defaultroute
        auto            = start
        leftprotoport   = 17/%any
        rightprotoport  = 17/1701


[ipsec.secrets]
1.1.1.254 : PSK "password"


----------------------------------------------
[strongSwan's result]
# ip xfrm policy
src 1.1.1.254/32 dst 172.16.14.100/32 proto udp sport 1701
        dir in priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 172.16.14.100/32 dst 1.1.1.254/32 proto udp dport 1701
        dir out priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
   .....


----------------------------------------------
[iPhone result]
[TEST-L2TP] ~ # ip xfrm policy | less
src 1.1.1.1/32 dst 1.1.1.254/32 proto udp sport 1024 dport 1701
        dir in priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 1.1.1.254/32 dst 1.1.1.1/32 proto udp sport 1701 dport 1024
        dir out priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
  ....

thank you,
---
takumi kadode
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20171220/58f09fe5/attachment.html>

More information about the Users mailing list