[strongSwan] protecting l2tp and extraneous entries in SPD
Victor Sudakov
vas at sibptus.ru
Sat Feb 8 13:57:59 CET 2020
Is it also normal that the SA lifetimes always look so tremendous?
Victor Sudakov wrote:
> Dear Colleagues,
>
> I want to protect L2TP traffic (and *only* L2TP traffic with IPSec).
> FreeBSD 12.1, Strongswan 5.8.2
>
> c.c.c.c is the L2TP client and s.s.s.s is the L2TP server.
>
> ipsec.conf:
>
> conn netpoint
>     left=c.c.c.c
>     right=s.s.s.s
>     rightprotoport=udp/l2tp
>     leftprotoport=udp/%any
>     type=transport
>     authby=psk
>     auto=route
>
>
> However, "setkey -DP" shows that the kernel SPD database contains not
> only entries for 1701/udp, but also entries for [any] (spid 1997 and
> 1998) which I don't want.
>
> Is this a bug, or a misconfiguration on my part?
>
> Here is the setkey output:
>
> s.s.s.s[1701] c.c.c.c[any] udp
> in ipsec
> esp/transport//unique:6
> created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
> lifetime: 9223372036854775807(s) validtime: 0(s)
> spid=2001 seq=10 pid=16018 scope=global
> refcnt=1
> s.s.s.s[any] c.c.c.c[any] any
> in ipsec
> esp/transport//unique:4
> created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
> lifetime: 9223372036854775807(s) validtime: 0(s)
> spid=1997 seq=6 pid=16018 scope=global
> refcnt=1
> c.c.c.c[any] s.s.s.s[1701] udp
> out ipsec
> esp/transport//unique:6
> created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
> lifetime: 9223372036854775807(s) validtime: 0(s)
> spid=2002 seq=4 pid=16018 scope=global
> refcnt=1
> c.c.c.c[any] s.s.s.s[any] any
> out ipsec
> esp/transport//unique:4
> created: Feb 8 17:02:20 2020 lastused: Feb 8 17:02:20 2020
> lifetime: 9223372036854775807(s) validtime: 0(s)
> spid=1998 seq=0 pid=16018 scope=global
> refcnt=1
>
>
> --
> Victor Sudakov, VAS4-RIPE, VAS47-RIPN
> 2:5005/49 at fidonet http://vas.tomsk.ru/
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49 at fidonet http://vas.tomsk.ru/