[strongSwan] protecting l2tp and extraneous entries in SPD

Victor Sudakov vas at sibptus.ru
Sat Feb 8 11:19:40 CET 2020


Dear Colleagues,

I want to protect L2TP traffic (and *only* L2TP traffic) with IPsec.
FreeBSD 12.1, strongSwan 5.8.2

c.c.c.c is the L2TP client and s.s.s.s is the L2TP server.

ipsec.conf:

conn netpoint
    left=c.c.c.c
    right=s.s.s.s
    rightprotoport=udp/l2tp
    leftprotoport=udp/%any
    type=transport
    authby=psk
    auto=route


However, "setkey -DP" shows that the kernel SPD database contains not
only entries for 1701/udp, but also entries for [any] (spid 1997 and
1998), which I don't want.

Is this a bug, or a misconfiguration on my part?

Here is the setkey output:

s.s.s.s[1701] c.c.c.c[any] udp
        in ipsec
        esp/transport//unique:6
        created: Feb  8 17:02:20 2020  lastused: Feb  8 17:02:20 2020
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=2001 seq=10 pid=16018 scope=global
        refcnt=1
s.s.s.s[any] c.c.c.c[any] any
        in ipsec
        esp/transport//unique:4
        created: Feb  8 17:02:20 2020  lastused: Feb  8 17:02:20 2020
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=1997 seq=6 pid=16018 scope=global
        refcnt=1
c.c.c.c[any] s.s.s.s[1701] udp
        out ipsec
        esp/transport//unique:6
        created: Feb  8 17:02:20 2020  lastused: Feb  8 17:02:20 2020
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=2002 seq=4 pid=16018 scope=global
        refcnt=1
c.c.c.c[any] s.s.s.s[any] any
        out ipsec
        esp/transport//unique:4
        created: Feb  8 17:02:20 2020  lastused: Feb  8 17:02:20 2020
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=1998 seq=0 pid=16018 scope=global
        refcnt=1


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
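One way to check an SPD dump for selectors broader than the intended L2TP-only policy, as an added example that is not part of the original post: it parses "setkey -DP" output in the shape quoted above and reports the spids of entries that would pull non-L2TP traffic into IPsec. The sample input is constructed from the post's placeholder addresses.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the "setkey -DP" output quoted in the post
# (the post's placeholder addresses are kept as-is).
SAMPLE = """\
s.s.s.s[1701] c.c.c.c[any] udp
        in ipsec
        spid=2001 seq=10 pid=16018 scope=global
s.s.s.s[any] c.c.c.c[any] any
        in ipsec
        spid=1997 seq=6 pid=16018 scope=global
c.c.c.c[any] s.s.s.s[1701] udp
        out ipsec
        spid=2002 seq=4 pid=16018 scope=global
c.c.c.c[any] s.s.s.s[any] any
        out ipsec
        spid=1998 seq=0 pid=16018 scope=global
"""

# Selector line: "src[sport] dst[dport] proto"
HEADER = re.compile(r"^(\S+)\[(\w+)\] (\S+)\[(\w+)\] (\w+)$")

def parse_spd(text: str) -> List[Dict[str, str]]:
    """One dict per SPD entry: selector fields, direction and spid."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:  # an unindented selector line starts a new entry
            src, sport, dst, dport, proto = m.groups()
            entries.append({"src": src, "sport": sport, "dst": dst,
                            "dport": dport, "proto": proto})
            continue
        if not entries or not line.startswith(" "):
            continue  # attribute lines before any selector are ignored
        fields = line.split()
        if len(fields) >= 2 and fields[1] == "ipsec":
            entries[-1]["dir"] = fields[0]  # "in" or "out"
        for f in fields:
            if f.startswith("spid="):
                entries[-1]["spid"] = f[len("spid="):]
    return entries

def broader_than_l2tp(e: Dict[str, str]) -> bool:
    """True if the selector matches more than UDP port 1701 on one side."""
    return e["proto"] != "udp" or "1701" not in (e["sport"], e["dport"])

def extraneous_spids(text: str) -> List[int]:
    """spids of entries that would pull non-L2TP traffic into IPsec."""
    return [int(e["spid"]) for e in parse_spd(text) if broader_than_l2tp(e)]
```

On a live host, feed it the real dump with `extraneous_spids(subprocess.run(["setkey", "-DP"], capture_output=True, text=True).stdout)`; an empty list means every policy is restricted to UDP/1701.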