[strongSwan] Tunnel and Transport mode mismatch
Makarand Pradhan
MakarandPradhan at is5com.com
Tue Jul 7 19:01:23 CEST 2020
Hello All,
When one side is set to transport and the other set to Tunnel, the child SA is built in Tunnel mode.
Question: Is this the expected behaviour? I was expecting that the SA would be Established but the Child SA would not be installed.
Ipsec.conf:
conn m1
    type=transport
    authby=secret
and the other side set to tunnel:
conn m1
    type=tunnel
    authby=secret
root@t1024rdb:/mnt/shared/b# ipsec status
Security Associations (1 up, 0 connecting):
m1[1]: ESTABLISHED 3 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
m1{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c22f3cbb_i cfc827a2_o
m1{1}: 172.16.31.0/24 === 172.16.31.0/24
When both are transport, the child SA is built as transport:
root@t1024rdb:/mnt/shared/b# ipsec status
Security Associations (1 up, 0 connecting):
m1[1]: ESTABLISHED 2 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
m1{1}: INSTALLED, TRANSPORT, reqid 1, ESP SPIs: cdd622d2_i cfe1297d_o
m1{1}: 172.16.31.1/32 === 172.16.31.2/32
Thanks for looking at my post.
Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: mailto:makarandpradhan at is5com.com
Website: http://www.is5com.com/
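Added example, not part of the original post and not strongSwan code: a Python check that compares the type= configured for each conn in ipsec.conf with the mode of the CHILD_SA that `ipsec status` reports, so a transport/tunnel mismatch like the one shown above is flagged. The function names are hypothetical, the config sample is constructed from the snippet in the post, and %default / also= inheritance is assumed not to be in use.

```python
import re

# Constructed sample: the conn from the post, as configured on the transport side.
SAMPLE_CONF = "conn m1\n    type=transport\n    authby=secret\n"
# `ipsec status` output quoted in the post for the mismatch case.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
m1[1]: ESTABLISHED 3 seconds ago, 172.16.31.1[172.16.31.1]...172.16.31.2[172.16.31.2]
m1{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c22f3cbb_i cfc827a2_o
m1{1}: 172.16.31.0/24 === 172.16.31.0/24
"""

CHILD_RE = re.compile(r"^\s*(\S+)\{\d+\}:\s+INSTALLED,\s+([A-Z_]+)")

def configured_modes(conf_text):
    """Map conn name -> configured type= (ipsec.conf defaults to tunnel)."""
    modes, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not raw[0].isspace():                  # unindented line starts a section
            parts = line.split()
            current = parts[1] if len(parts) == 2 and parts[0] == "conn" else None
            if current:
                modes[current] = "tunnel"
        elif current and "=" in line:             # indented key=value inside a conn
            key, value = (s.strip() for s in line.split("=", 1))
            if key == "type":
                modes[current] = value.lower()
    return modes

def installed_modes(status_text):
    """Return (conn, mode) for every installed CHILD_SA line."""
    matches = map(CHILD_RE.match, status_text.splitlines())
    return [(m.group(1), m.group(2).lower()) for m in matches if m]

def mode_mismatches(conf_text, status_text):
    """Return (conn, configured, installed) where the two modes differ."""
    expected = configured_modes(conf_text)
    return [(conn, expected[conn], mode)
            for conn, mode in installed_modes(status_text)
            if conn in expected and mode != expected[conn]]

if __name__ == "__main__":
    for conn, want, got in mode_mismatches(SAMPLE_CONF, SAMPLE_STATUS):
        print(f"{conn}: configured {want}, installed {got}")
```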