[strongSwan] ip xfrm policy result of transport mode

Nimo gnimozyu at gmail.com
Sun Jan 14 14:01:16 CET 2018


Hello Noel,

I rebuilt the test environment as below.

IPsec and L2TP were established, and ping was successful over PPP.
Then I executed "ipsec statusall" and "swanctl -l" as below. Neither seems
to show the client source port.

Could you please check my ipsec.conf?


[test environment]
L2TP client(192.168.40.1) --- NAT-device(1.1.1.1) --- L2TP server(1.1.1.254)


L2TP server

[ipsec.conf]
------------------------------------------------
conn L2TP-PSK-noNAT
        authby=secret
        auto=add
        keyingtries=3
        keyexchange=ikev1
        rekey=yes
        ike=3des-sha1-modp1024,aes128-sha1,aes256-sha1
        dpddelay=10
        dpdtimeout=90
        dpdaction=clear
        ikelifetime=8h
        keylife=1h
        type=transport
        leftprotoport=17/1701
        right=%any
        rightprotoport=17/%any

conn L2TP-PSK-NAT-eth0-1.1.1.254
        left=1.1.1.254
        also=L2TP-PSK-noNAT


[ipsec.secrets]
------------------------------------------------
1.1.1.254 %any : PSK "password"



L2TP client

[ipsec.conf]
------------------------------------------------
conn l2tpclient_common
        authby          = secret
        keyexchange     = ikev1
        rekey           = no
        keyingtries     = 3
        type            = transport
        right           = 1.1.1.254
        leftprotoport   = 17/%any
        rightprotoport  = 17/1701
        auto=add


conn l2tpclient_test001
        left            = 192.168.40.1
        also            = l2tpclient_common


[ipsec.secrets]
------------------------------------------------
: PSK "password"



[Result]
[TEST-SERVER] ~ # ipsec status
Security Associations (1 up, 0 connecting):
L2TP-PSK-NAT-eth0-1.1.1.254[15]: ESTABLISHED 18 seconds ago,
1.1.1.254[1.1.1.254]...1.1.1.1[192.168.40.1]
L2TP-PSK-NAT-eth0-1.1.1.254{24}:  INSTALLED, TRANSPORT, reqid 15, ESP in
UDP SPIs: c8fb8615_i ce0463aa_o
L2TP-PSK-NAT-eth0-1.1.1.254{24}:   1.1.1.254/32[udp/l2f] === 1.1.1.1/32[udp]

[TEST-SERVER] ~ # ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 3.10.104, x86_64):
  uptime: 5 hours, since Jan 14 16:35:57 2018
  malloc: sbrk 1486848, mmap 0, used 426528, free 1060320
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
scheduled: 36
  loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey
pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
socket-default connmark farp stroke vici updown eap-identity eap-aka
eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic
xauth-eap xauth-pam xauth-noauth lookip error-notify unity
Listening IP addresses:
  1.1.1.254
  10.0.0.1
  192.168.122.55
  10.0.0.1
Connections:
L2TP-PSK-noNAT:  %any...%any  IKEv1, dpddelay=10s
L2TP-PSK-noNAT:   local:  uses pre-shared key authentication
L2TP-PSK-noNAT:   remote: uses pre-shared key authentication
L2TP-PSK-noNAT:   child:  dynamic[udp/l2f] === dynamic[udp] TRANSPORT,
dpdaction=clear
L2TP-PSK-NAT-eth0-1.1.1.254:  1.1.1.254...%any  IKEv1, dpddelay=10s
L2TP-PSK-NAT-eth0-1.1.1.254:   local:  [1.1.1.254] uses pre-shared key
authentication
L2TP-PSK-NAT-eth0-1.1.1.254:   remote: uses pre-shared key authentication
L2TP-PSK-NAT-eth0-1.1.1.254:   child:  dynamic[udp/l2f] === dynamic[udp]
TRANSPORT, dpdaction=clear
Security Associations (1 up, 0 connecting):
L2TP-PSK-NAT-eth0-1.1.1.254[15]: ESTABLISHED 26 seconds ago,
1.1.1.254[1.1.1.254]...1.1.1.1[192.168.40.1]
L2TP-PSK-NAT-eth0-1.1.1.254[15]: IKEv1 SPIs: 51f81eb78e516dd3_i
a019b05746e13729_r*, pre-shared key reauthentication in 7 hours
L2TP-PSK-NAT-eth0-1.1.1.254[15]: IKE proposal:
AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
L2TP-PSK-NAT-eth0-1.1.1.254{24}:  INSTALLED, TRANSPORT, reqid 15, ESP in
UDP SPIs: c8fb8615_i ce0463aa_o
L2TP-PSK-NAT-eth0-1.1.1.254{24}:  AES_CBC_128/HMAC_SHA1_96, 1139 bytes_i
(23 pkts, 5s ago), 1070 bytes_o (24 pkts, 20s ago), rekeying in 41 minutes
L2TP-PSK-NAT-eth0-1.1.1.254{24}:   1.1.1.254/32[udp/l2f] === 1.1.1.1/32[udp]
[TEST-SERVER] ~ # ip xfrm policy
src 1.1.1.1/32 dst 1.1.1.254/32 proto udp dport 1701
        dir in priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 15 mode transport
src 1.1.1.254/32 dst 1.1.1.1/32 proto udp sport 1701
        dir out priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 15 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
[TEST-SERVER] ~ # swanctl -l
L2TP-PSK-NAT-eth0-1.1.1.254: #15, ESTABLISHED, IKEv1,
51f81eb78e516dd3:a019b05746e13729
  local  '1.1.1.254' @ 1.1.1.254
  remote '192.168.40.1' @ 1.1.1.1
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 141s ago, reauth in 27710s
  L2TP-PSK-NAT-eth0-1.1.1.254: #24, reqid 15, INSTALLED, TRANSPORT-in-UDP,
ESP:AES_CBC-128/HMAC_SHA1_96
    installed 141s ago, rekeying in 2396s, expires in 3459s
    in  c8fb8615,   1651 bytes,    43 packets,     0s ago
    out ce0463aa,   1582 bytes,    44 packets,    18s ago
    local  1.1.1.254/32[udp/l2f]
    remote 1.1.1.1/32[udp]
[TEST-SERVER] ~ #


Regards,
---
takumi kadode
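As an added example (not part of the original post), the following parses the poster's `ip xfrm policy` output, pasted inline, and checks the installed transport-mode selectors against the `leftprotoport`/`rightprotoport` values from the server's ipsec.conf. A `%any` port on one side produces a policy with no port constraint on that side, so the check confirms that the absent client sport above is what the configuration asks for.

```python
# Added example: compare `ip xfrm policy` selectors with strongSwan protoport settings.
import re

# Constructed sample: the two IPsec policies and one socket policy from the post above.
XFRM_SAMPLE = """\
src 1.1.1.1/32 dst 1.1.1.254/32 proto udp dport 1701
        dir in priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 15 mode transport
src 1.1.1.254/32 dst 1.1.1.1/32 proto udp sport 1701
        dir out priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 15 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
"""

SEL_RE = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?(?: sport (\d+))?(?: dport (\d+))?")
DIR_RE = re.compile(r"^\s+(dir|socket) (in|out|fwd) ")
TMPL_RE = re.compile(r"^\s+proto (\S+) reqid (\d+) mode (\S+)")

def parse_xfrm_policies(text):
    """Return the IPsec (non-socket) policies as dicts: selector, dir, reqid, mode."""
    policies, cur = [], None
    for line in text.splitlines():
        if (m := SEL_RE.match(line)):          # unindented line starts a new policy
            src, dst, proto, sport, dport = m.groups()
            cur = {"src": src, "dst": dst, "proto": proto, "dir": None,
                   "sport": int(sport) if sport else None,
                   "dport": int(dport) if dport else None}
            policies.append(cur)
        elif cur is not None and (m := DIR_RE.match(line)):
            cur["dir"] = m.group(2) if m.group(1) == "dir" else "socket"
        elif cur is not None and (m := TMPL_RE.match(line)):
            cur["reqid"], cur["mode"] = int(m.group(2)), m.group(3)
    return [p for p in policies if p["dir"] in ("in", "out", "fwd")]

def protoport(spec):
    """Translate strongSwan 'proto/port' ('17/1701', '17/%any') to (proto name, port or None)."""
    proto, _, port = spec.partition("/")
    return {"17": "udp", "6": "tcp"}.get(proto, proto), None if port in ("%any", "") else int(port)

def check_transport_selectors(policies, leftprotoport, rightprotoport):
    """Inbound: dst is our side, so dport is the left port and sport the right port;
    outbound is the mirror. Returns {dir: True/False} for the policies found."""
    lproto, lport = protoport(leftprotoport)
    _rproto, rport = protoport(rightprotoport)
    result = {}
    for p in policies:
        if p["dir"] == "in":
            ok = p["proto"] == lproto and p["dport"] == lport and p["sport"] == rport
        elif p["dir"] == "out":
            ok = p["proto"] == lproto and p["sport"] == lport and p["dport"] == rport
        else:
            continue
        result[p["dir"]] = result.get(p["dir"], True) and ok
    return result
```

Running `check_transport_selectors(parse_xfrm_policies(XFRM_SAMPLE), "17/1701", "17/%any")` on the sample yields `{"in": True, "out": True}`; pinning the right side to `17/1701` instead makes both directions fail, because the installed policies carry no client port.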