[strongSwan] ip xfrm policy result of transport mode

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Sun Jan 14 15:32:45 CET 2018


It has nothing to do with that (or with strongSwan in general).
The initiator simply negotiated the TS to be dynamic[udp/l2tp] == dynamic[udp]. That's what you're seeing.
Which port the initiator uses for its L2TP connection, and which port it connects to, is a completely different topic that only pertains to L2TP (and your L2TP daemon), not to IPsec or strongSwan.

On 14.01.2018 14:01, Nimo wrote:
> Hello Noel,
> 
> I rebuilt the test environment as below.
> 
> IPsec and L2TP were established, and ping was successful over PPP.
> Then I executed "ipsec statusall" and "swanctl -l" as below. They do not seem to show the client source port.
> 
> Could you please check my ipsec.conf?
> 
> 
> [test environment]
> L2TP client(192.168.40.1) --- NAT-device(1.1.1.1) --- L2TP server(1.1.1.254)
> 
> 
> L2TP server
> 
> [ipsec.conf]
> ------------------------------------------------
> conn L2TP-PSK-noNAT
>         authby=secret
>         auto=add
>         keyingtries=3
>         keyexchange=ikev1
>         rekey=yes
>         ike=3des-sha1-modp1024,aes128-sha1,aes256-sha1
>         dpddelay=10
>         dpdtimeout=90
>         dpdaction=clear
>         ikelifetime=8h
>         keylife=1h
>         type=transport
>         leftprotoport=17/1701
>         right=%any
>         rightprotoport=17/%any
> 
> conn L2TP-PSK-NAT-eth0-1.1.1.254
>         left=1.1.1.254
>         also=L2TP-PSK-noNAT
> 
> 
> [ipsec.secrets]
> ------------------------------------------------
> 1.1.1.254 %any : PSK "password"
> 
> 
> 
> L2TP client
> 
> [ipsec.conf]
> ------------------------------------------------
> conn l2tpclient_common
>         authby          = secret
>         keyexchange     = ikev1
>         rekey           = no
>         keyingtries     = 3
>         type            = transport
>         right           = 1.1.1.254
>         leftprotoport   = 17/%any
>         rightprotoport  = 17/1701
>         auto=add
> 
> 
> conn l2tpclient_test001
>         left            = 192.168.40.1
>         also            = l2tpclient_common
> 
> 
> [ipsec.secrets]
> ------------------------------------------------
> : PSK "password"
> 
> 
> 
> [Result]
> [TEST-SERVER] ~ # ipsec status
> Security Associations (1 up, 0 connecting):
> L2TP-PSK-NAT-eth0-1.1.1.254[15]: ESTABLISHED 18 seconds ago, 1.1.1.254[1.1.1.254]...1.1.1.1[192.168.40.1]
> L2TP-PSK-NAT-eth0-1.1.1.254{24}:  INSTALLED, TRANSPORT, reqid 15, ESP in UDP SPIs: c8fb8615_i ce0463aa_o
> L2TP-PSK-NAT-eth0-1.1.1.254{24}:   1.1.1.254/32[udp/l2f] === 1.1.1.1/32[udp]
> 
> [TEST-SERVER] ~ # ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.5, Linux 3.10.104, x86_64):
>   uptime: 5 hours, since Jan 14 16:35:57 2018
>   malloc: sbrk 1486848, mmap 0, used 426528, free 1060320
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 36
>   loaded plugins: charon aes des rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth lookip error-notify unity
> Listening IP addresses:
>   1.1.1.254
>   10.0.0.1
>   192.168.122.55
>   10.0.0.1
> Connections:
> L2TP-PSK-noNAT:  %any...%any  IKEv1, dpddelay=10s
> L2TP-PSK-noNAT:   local:  uses pre-shared key authentication
> L2TP-PSK-noNAT:   remote: uses pre-shared key authentication
> L2TP-PSK-noNAT:   child:  dynamic[udp/l2f] === dynamic[udp] TRANSPORT, dpdaction=clear
> L2TP-PSK-NAT-eth0-1.1.1.254:  1.1.1.254...%any  IKEv1, dpddelay=10s
> L2TP-PSK-NAT-eth0-1.1.1.254:   local:  [1.1.1.254] uses pre-shared key authentication
> L2TP-PSK-NAT-eth0-1.1.1.254:   remote: uses pre-shared key authentication
> L2TP-PSK-NAT-eth0-1.1.1.254:   child:  dynamic[udp/l2f] === dynamic[udp] TRANSPORT, dpdaction=clear
> Security Associations (1 up, 0 connecting):
> L2TP-PSK-NAT-eth0-1.1.1.254[15]: ESTABLISHED 26 seconds ago, 1.1.1.254[1.1.1.254]...1.1.1.1[192.168.40.1]
> L2TP-PSK-NAT-eth0-1.1.1.254[15]: IKEv1 SPIs: 51f81eb78e516dd3_i a019b05746e13729_r*, pre-shared key reauthentication in 7 hours
> L2TP-PSK-NAT-eth0-1.1.1.254[15]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
> L2TP-PSK-NAT-eth0-1.1.1.254{24}:  INSTALLED, TRANSPORT, reqid 15, ESP in UDP SPIs: c8fb8615_i ce0463aa_o
> L2TP-PSK-NAT-eth0-1.1.1.254{24}:  AES_CBC_128/HMAC_SHA1_96, 1139 bytes_i (23 pkts, 5s ago), 1070 bytes_o (24 pkts, 20s ago), rekeying in 41 minutes
> L2TP-PSK-NAT-eth0-1.1.1.254{24}:   1.1.1.254/32[udp/l2f] === 1.1.1.1/32[udp]
> [TEST-SERVER] ~ # ip xfrm policy
> src 1.1.1.1/32 dst 1.1.1.254/32 proto udp dport 1701
>         dir in priority 2816 ptype main
>         tmpl src 0.0.0.0 dst 0.0.0.0
>                 proto esp reqid 15 mode transport
> src 1.1.1.254/32 dst 1.1.1.1/32 proto udp sport 1701
>         dir out priority 2816 ptype main
>         tmpl src 0.0.0.0 dst 0.0.0.0
>                 proto esp reqid 15 mode transport
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket in priority 0 ptype main
> src 0.0.0.0/0 dst 0.0.0.0/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
> src ::/0 dst ::/0
>         socket in priority 0 ptype main
> src ::/0 dst ::/0
>         socket out priority 0 ptype main
> [TEST-SERVER] ~ # swanctl -l
> L2TP-PSK-NAT-eth0-1.1.1.254: #15, ESTABLISHED, IKEv1, 51f81eb78e516dd3:a019b05746e13729
>   local  '1.1.1.254' @ 1.1.1.254
>   remote '192.168.40.1' @ 1.1.1.1
>   AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>   established 141s ago, reauth in 27710s
>   L2TP-PSK-NAT-eth0-1.1.1.254: #24, reqid 15, INSTALLED, TRANSPORT-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96
>     installed 141s ago, rekeying in 2396s, expires in 3459s
>     in  c8fb8615,   1651 bytes,    43 packets,     0s ago
>     out ce0463aa,   1582 bytes,    44 packets,    18s ago
>     local  1.1.1.254/32[udp/l2f]
>     remote 1.1.1.1/32[udp]
> [TEST-SERVER] ~ #
> 
> 
> Regards,
> ---
> takumi kadode
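
The point Noel makes above (the negotiated selector is dynamic[udp/l2f] on the server side and dynamic[udp] on the client side, so the kernel "in" policy pins only dport 1701 and the "out" policy only sport 1701, while the client's port is left open) can be checked mechanically against ipsec.conf. The following is an added example written for this page, not code from the thread or from strongSwan: a small Python parser for `ip xfrm policy` output plus a check that compares the installed transport-mode selectors with the ports given by leftprotoport/rightprotoport. The sample dump is the server's policy output from the thread (with the stray link markup removed); the expected ports (17/1701 local, 17/%any remote) come from the server's ipsec.conf; all function and class names are this example's own.

```python
"""Parse `ip xfrm policy` output and check the transport-mode selectors
against the leftprotoport/rightprotoport values from ipsec.conf.

Added example for the strongSwan users-list thread above; not code from
strongSwan or from the original poster.  Assumes the selector line layout
printed by iproute2 (src, dst, optional proto, optional sport, optional
dport), which is what the thread's output shows.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the server's `ip xfrm policy` output from the thread
# (two transport-mode policies plus one pair of catch-all socket policies).
SAMPLE_XFRM_POLICY = """\
src 1.1.1.1/32 dst 1.1.1.254/32 proto udp dport 1701
        dir in priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 15 mode transport
src 1.1.1.254/32 dst 1.1.1.1/32 proto udp sport 1701
        dir out priority 2816 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 15 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
"""

# iproute2 normally prints protocol names (via getprotobynumber); map the
# numeric form from ipsec.conf's leftprotoport/rightprotoport onto them.
PROTO_NAMES = {"17": "udp", "6": "tcp", "1": "icmp"}


@dataclass
class XfrmPolicy:
    src: str
    dst: str
    proto: Optional[str]       # None: any protocol
    sport: Optional[int]       # None: any source port
    dport: Optional[int]       # None: any destination port
    direction: str = ""        # "in", "out", "fwd", "socket in", "socket out"
    reqid: Optional[int] = None
    mode: Optional[str] = None  # "transport" or "tunnel" from the tmpl line


SELECTOR_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)"
    r"(?: proto (?P<proto>\S+))?"
    r"(?: sport (?P<sport>\d+))?"
    r"(?: dport (?P<dport>\d+))?\s*$"
)
DIR_RE = re.compile(r"^\s*(?P<dir>socket in|socket out|dir \S+) priority")
TMPL_RE = re.compile(r"^\s*proto \S+ reqid (?P<reqid>\d+) mode (?P<mode>\S+)")


def parse_xfrm_policy(text: str) -> List[XfrmPolicy]:
    """Turn the multi-line `ip xfrm policy` dump into XfrmPolicy records.
    A selector line (column 0) opens a record; the indented lines that
    follow supply direction and the ESP template (reqid, mode)."""
    policies: List[XfrmPolicy] = []
    cur: Optional[XfrmPolicy] = None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            cur = XfrmPolicy(
                src=m["src"], dst=m["dst"],
                proto=PROTO_NAMES.get(m["proto"], m["proto"]) if m["proto"] else None,
                sport=int(m["sport"]) if m["sport"] else None,
                dport=int(m["dport"]) if m["dport"] else None,
            )
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = DIR_RE.match(line)
        if m:
            cur.direction = m["dir"].replace("dir ", "")
            continue
        m = TMPL_RE.match(line)
        if m:
            cur.reqid = int(m["reqid"])
            cur.mode = m["mode"]
    return policies


def parse_protoport(spec: str) -> Tuple[str, Optional[int]]:
    """ipsec.conf protoport: '17/1701' -> ('udp', 1701); '17/%any' -> ('udp', None)."""
    proto, _, port = spec.partition("/")
    proto = PROTO_NAMES.get(proto, proto)
    return proto, None if port in ("", "%any") else int(port)


def check_transport_policies(policies: List[XfrmPolicy], local_spec: str,
                             remote_spec: str) -> List[Tuple[Optional[XfrmPolicy], str]]:
    """Compare installed transport-mode policies with the configured ports.
    'in' policies must carry sport=remote port / dport=local port, 'out'
    policies the reverse; a None port means the kernel matches any port,
    which is exactly what a %any protoport negotiates.  Empty result = OK."""
    lproto, lport = parse_protoport(local_spec)
    rproto, rport = parse_protoport(remote_spec)
    problems: List[Tuple[Optional[XfrmPolicy], str]] = []
    seen = set()
    for p in policies:
        if p.mode != "transport":
            continue
        if p.direction == "in":
            expected = (rproto, rport, lport)  # proto, sport (remote), dport (local)
        elif p.direction == "out":
            expected = (lproto, lport, rport)  # proto, sport (local), dport (remote)
        else:
            continue
        seen.add(p.direction)
        got = (p.proto, p.sport, p.dport)
        if got != expected:
            problems.append((p, f"{p.direction}: expected proto/sport/dport {expected}, kernel has {got}"))
    for d in ("in", "out"):
        if d not in seen:
            problems.append((None, f"no transport-mode '{d}' policy installed"))
    return problems


if __name__ == "__main__":
    # Usage: python3 xfrm_check.py [dump-file] ; without a file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XFRM_POLICY
    for pol, msg in check_transport_policies(parse_xfrm_policy(text), "17/1701", "17/%any") or [(None, "OK: kernel policies match leftprotoport=17/1701, rightprotoport=17/%any")]:
        print(msg)
```

Run against the thread's dump the check passes, which is Noel's point: the kernel selector says nothing about the client's source port because the server's rightprotoport=17/%any asked for none. Swapping the remote spec to 17/1701 makes both policies fail the check, which is what you would see if a peer insisted on a fixed client port that the negotiated TS does not carry.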
