[strongSwan] strange traffic selector selecting behavior
Jaehong Park
jaehong.park at illumio.com
Thu Jul 25 04:21:46 CEST 2019
Hi, I have an IKEv2 configuration to the peer 10.180.2.195.
This is a point-to-point IKEv2 configuration to 10.180.2.195, and when I ping 10.180.2.195
strongSwan selects the wrong selector and programs xfrm incorrectly.
2019-07-24T19:13:03-0700 28[CFG] selecting traffic selectors for us:
2019-07-24T19:13:03-0700 28[CFG] config: 10.6.3.189/32, received: 10.6.3.189/32[udp/38769] => match: 10.6.3.189/32[udp/38769]
2019-07-24T19:13:03-0700 28[CFG] selecting traffic selectors for other:
2019-07-24T19:13:03-0700 28[CFG] config: 10.180.2.195/32, received: 10.180.2.195/32[udp/blackjack] => match: 10.180.2.195/32[udp/blackjack]
2019-07-24T19:13:03-0700 28[IKE] CHILD_SA 4.10-180-2-195.32.0.0.0.0{4} established with SPIs cb0c4e0e_i 35eb7aa0_o and TS 10.6.3.189/32[udp/38769] === 10.180.2.195/32[udp/blackjack]
That ends up configuring xfrm like this.
ip xfrm state
src 10.6.3.189 dst 10.180.2.195
proto esp spi 0x555144a4 reqid 6 mode transport
replay-window 0 flag nopmtudisc
enc cbc(aes) 0xf3d69999c4569ad964110dcda123e5bbfdf6c32fe98d802a065ea58185d0faab
sel src 10.6.3.189/32 dst 10.180.2.195/32 proto udp sport 43761 dport 1025
src 10.180.2.195 dst 10.6.3.189
proto esp spi 0xc6b46c85 reqid 6 mode transport
replay-window 32 flag nopmtudisc
enc cbc(aes) 0x8c76ceb2497eae534e73184830ef875fef326a5b35062f4c2bd6cca4c6604419
sel src 10.180.2.195/32 dst 10.6.3.189/32 proto udp sport 1025 dport 43761
src 10.6.3.189 dst 10.180.2.195
proto esp spi 0x00000000 reqid 5 mode transport
replay-window 0
sel src 10.6.3.189/32 dst 10.180.2.195/32 proto udp sport 43761 dport 1025
Is this a bug, or is there any way to make strongSwan recognize the echo request (ICMP) packet correctly?
My configuration is like this.
conn issue
    authby=never
    mobike=no
    closeaction=none
    dpdaction=hold
    dpddelay=30s
    dpdtimeout=150s
    inactivity=180
    ikelifetime=3h
    keyingtries=3
    lifetime=1h
    reauth=yes
    rekey=yes
    margintime=9m
    esp=sha256-aes256,sha1-aes256,aes256,sha256-null,sha1-null!
    ike=aes256-sha384-prfsha384-ecp384,aes256-sha256-modp2048,aes256-sha1-modp2048,aes256-sha1-modp1024!
    type=transport
    rightid=%any
    leftauth=pubkey
    rightauth=pubkey
    leftca="xxxxxxxx"
    rightca=%same
    leftid="xxxxxxx"
    right=10.180.2.195
    rightsubnet=%dynamic[%any/%any]
    keyexchange=ikev2
    auto=route
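The CFG lines quoted in the post show the pattern worth checking for on any host using trap policies: the conn is configured for the peer address with any protocol and any port, but the selector received from the peer already carries a single UDP port pair, and the match is narrowed to that flow, so only that one flow will fit the installed SA. The following script is an added example, not code from the post or from the strongSwan project. It parses charon's "selecting traffic selectors" output as printed above (the log format is assumed from the post), records how each side's selector was narrowed relative to the conn configuration, and flags the sides whose installed selector is narrower than configured. The sample input is the post's own two CFG blocks with the timestamps dropped; the service-name mapping for "blackjack" (IANA port 1025, which is what the xfrm selector in the post shows as dport 1025) is included so port names resolve without depending on /etc/services.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the two "selecting traffic selectors" blocks
# quoted in the mailing-list post above (timestamps shortened).
SAMPLE_LOG = """\
28[CFG] selecting traffic selectors for us:
28[CFG] config: 10.6.3.189/32, received: 10.6.3.189/32[udp/38769] => match: 10.6.3.189/32[udp/38769]
28[CFG] selecting traffic selectors for other:
28[CFG] config: 10.180.2.195/32, received: 10.180.2.195/32[udp/blackjack] => match: 10.180.2.195/32[udp/blackjack]
"""

# One traffic selector as charon prints it: "net/prefix" optionally followed
# by "[proto/port]"; an absent proto or port means "any".
TS_RE = re.compile(r"^(?P<net>[\d.]+/\d+)(?:\[(?P<proto>[^/\]]+)(?:/(?P<port>[^\]]+))?\])?$")
CFG_RE = re.compile(r"\[CFG\] config: (?P<config>\S+), received: (?P<received>\S+) => match: (?P<match>\S+)")
SIDE_RE = re.compile(r"selecting traffic selectors for (?P<side>us|other):")

# Service names charon prints instead of numbers; "blackjack" is the IANA
# name for port 1025, matching the "dport 1025" xfrm selector in the post.
SERVICE_PORTS = {"blackjack": 1025}


@dataclass(frozen=True)
class TrafficSelector:
    network: str
    proto: Optional[str] = None   # None == any protocol
    port: Optional[str] = None    # None == any port; may be a name or a number

    def port_number(self) -> Optional[int]:
        if self.port is None:
            return None
        return int(self.port) if self.port.isdigit() else SERVICE_PORTS.get(self.port)


def parse_ts(text: str) -> TrafficSelector:
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised traffic selector: {text!r}")
    return TrafficSelector(m["net"], m["proto"], m["port"])


def narrowing(config: TrafficSelector, match: TrafficSelector) -> List[str]:
    """Describe every way `match` is narrower than what the conn configured."""
    reasons = []
    cfg_net = ipaddress.ip_network(config.network)
    match_net = ipaddress.ip_network(match.network)
    if match_net != cfg_net and match_net.subnet_of(cfg_net):
        reasons.append(f"subnet {config.network} -> {match.network}")
    if config.proto is None and match.proto is not None:
        reasons.append(f"protocol any -> {match.proto}")
    if config.port is None and match.port is not None:
        reasons.append(f"port any -> {match.port}")
    return reasons


@dataclass
class Selection:
    side: Optional[str]
    config: TrafficSelector
    received: TrafficSelector
    match: TrafficSelector
    narrowed: List[str] = field(default_factory=list)


def audit(log_text: str) -> List[Selection]:
    """Walk charon's CFG output and record how each side's selector was narrowed."""
    side = None
    results = []
    for line in log_text.splitlines():
        s = SIDE_RE.search(line)
        if s:
            side = s["side"]
            continue
        c = CFG_RE.search(line)
        if c:
            cfg, rcv, mt = (parse_ts(c[k]) for k in ("config", "received", "match"))
            results.append(Selection(side, cfg, rcv, mt, narrowing(cfg, mt)))
    return results


def narrowed_sides(log_text: str) -> List[str]:
    """Sides ('us'/'other') whose installed selector is narrower than configured."""
    return [r.side for r in audit(log_text) if r.narrowed]


if __name__ == "__main__":
    for r in audit(SAMPLE_LOG):
        status = "; ".join(r.narrowed) or "as configured"
        print(f"{r.side:5} config={r.config.network} match={r.match.network}"
              f"[{r.match.proto}/{r.match.port}] -> {status}")
```

Run against the post's lines it reports both sides narrowed from "any protocol, any port" to a single UDP port pair, which is exactly why a later echo request does not fit the installed SA. Feeding it a live `charon` log (with the `cfg` log level raised enough to print these lines) gives a quick check that negotiated CHILD_SAs cover what the conn was meant to protect.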