[strongSwan] protecting l2tp and extraneous entries in SPD
Victor Sudakov
vas at sibptus.ru
Sat Feb 8 11:19:40 CET 2020
Dear Colleagues,
I want to protect L2TP traffic (and *only* L2TP traffic) with IPsec.
FreeBSD 12.1, strongSwan 5.8.2
c.c.c.c is the L2TP client and s.s.s.s is the L2TP server.
ipsec.conf:

conn netpoint
    left=c.c.c.c
    right=s.s.s.s
    rightprotoport=udp/l2tp
    leftprotoport=udp/%any
    type=transport
    authby=psk
    auto=route
However, "setkey -DP" shows that the kernel SPD contains not only
entries for 1701/udp, but also entries for [any] (spid 1997 and 1998),
which I don't want.
Is this a bug, or a misconfiguration on my part?
Here is the setkey output:

s.s.s.s[1701] c.c.c.c[any] udp
    in ipsec
    esp/transport//unique:6
    created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=2001 seq=10 pid=16018 scope=global
    refcnt=1

s.s.s.s[any] c.c.c.c[any] any
    in ipsec
    esp/transport//unique:4
    created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=1997 seq=6 pid=16018 scope=global
    refcnt=1

c.c.c.c[any] s.s.s.s[1701] udp
    out ipsec
    esp/transport//unique:6
    created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=2002 seq=4 pid=16018 scope=global
    refcnt=1

c.c.c.c[any] s.s.s.s[any] any
    out ipsec
    esp/transport//unique:4
    created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
    lifetime: 9223372036854775807(s) validtime: 0(s)
    spid=1998 seq=0 pid=16018 scope=global
    refcnt=1
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/
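The question above is really "does the installed SPD match the intent of the conn?", and that is worth checking mechanically rather than by eye, because a wildcard policy (both ports [any], upper-layer protocol any) is exactly what a "protect only L2TP" configuration must not contain. The following is an added audit script, not code from the post or from strongSwan: it parses setkey -DP style output and lists every policy whose selector is a full wildcard, then returns a non-zero status so it can run from cron or a monitoring check. The sample input is the SPD dump from the post (indentation re-added); the function names find_wildcard_policies and spd_is_l2tp_only are this script's own, and the parsing assumes the FreeBSD setkey layout shown in the post (selector line, then "in/out ipsec", then a "spid=" line).

```shell
#!/bin/sh
# Added example: audit a setkey -DP dump for wildcard IPsec policies.
# Not part of the original post or of strongSwan.
# Usage on a live host:  setkey -DP | find_wildcard_policies
#                        setkey -DP | spd_is_l2tp_only || echo "unexpected policies"

# Print "spid direction src dst proto" for each policy whose selector is a
# full wildcard: upper-layer protocol "any" and port [any] on both ends.
# Narrow L2TP policies ([1701] udp on one side) are left out.
find_wildcard_policies() {
    awk '
        # Selector line, e.g. "s.s.s.s[1701] c.c.c.c[any] udp":
        # exactly three fields, the first two ending in "]".
        NF == 3 && $1 ~ /\]$/ && $2 ~ /\]$/ { src = $1; dst = $2; proto = $3; next }
        # Direction line: "in ipsec" / "out ipsec" (leading whitespace ignored).
        $2 == "ipsec" && $1 ~ /^(in|out|fwd)$/ { dir = $1; next }
        # "spid=NNNN seq=... pid=... scope=..." closes the entry; report if wildcard.
        $1 ~ /^spid=/ {
            split($1, kv, "=")
            if (proto == "any" && src ~ /\[any\]$/ && dst ~ /\[any\]$/)
                print kv[2], dir, src, dst, proto
            src = ""; dst = ""; proto = ""; dir = ""
        }
    '
}

# Exit 0 when no wildcard policy is present, 1 otherwise.
spd_is_l2tp_only() {
    [ -z "$(find_wildcard_policies)" ]
}

# Sample input: the SPD dump quoted in the post (setkey -DP, FreeBSD 12.1).
SAMPLE_SPD=$(cat <<'EOF'
s.s.s.s[1701] c.c.c.c[any] udp
	in ipsec
	esp/transport//unique:6
	created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=2001 seq=10 pid=16018 scope=global
	refcnt=1
s.s.s.s[any] c.c.c.c[any] any
	in ipsec
	esp/transport//unique:4
	created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=1997 seq=6 pid=16018 scope=global
	refcnt=1
c.c.c.c[any] s.s.s.s[1701] udp
	out ipsec
	esp/transport//unique:6
	created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=2002 seq=4 pid=16018 scope=global
	refcnt=1
c.c.c.c[any] s.s.s.s[any] any
	out ipsec
	esp/transport//unique:4
	created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
	lifetime: 9223372036854775807(s) validtime: 0(s)
	spid=1998 seq=0 pid=16018 scope=global
	refcnt=1
EOF
)

# Run against the sample when executed directly.
printf '%s\n' "$SAMPLE_SPD" | find_wildcard_policies
if printf '%s\n' "$SAMPLE_SPD" | spd_is_l2tp_only; then
    echo "SPD contains only narrow policies"
else
    echo "SPD contains wildcard policies (see spids above)"
fi
```

Against the posted dump this reports spids 1997 (in) and 1998 (out) and exits non-zero, which is the condition the post complains about; the two [1701] udp entries (2001, 2002) are the ones the conn was meant to install.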