[strongSwan] Restricting protocol and port numbers question
Makarand Pradhan
MakarandPradhan at is5com.com
Tue Sep 1 21:22:52 CEST 2020
Hello All,
I am trying to restrict traffic entering the tunnel using:
left|rightsubnet = <ip subnet>[[<proto/port>]][,...]
To test this feature I am trying to restrict ICMP traffic.
ipsec.conf:
rightsubnet=192.168.9.0/24[icmp],192.168.51.0/24[icmp]
left=172.16.31.2
leftid=172.16.31.2
leftsubnet=10.10.9.0/24[icmp],192.168.61.0/24[icmp]
The tunnels come up and look ok:
m1{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c988747b_i c0147d49_o
m1{3}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 96 minutes
m1{3}: 10.10.9.0/24[icmp] 192.168.61.0/24[icmp] === 192.168.9.0/24[icmp] 192.168.51.0/24[icmp]
All the same, the packets are not pushed into the tunnel:
ping 192.168.9.3 -I 10.10.9.4
PING 192.168.9.3 (192.168.9.3) from 10.10.9.4 : 56(84) bytes of data.
ping: sendmsg: Network is unreachable
ping: sendmsg: Network is unreachable
The ip xfrm policy seems to be correct:
src 192.168.9.0/24 dst 10.10.9.0/24 proto icmp
dir fwd priority 375167 ptype main
tmpl src 172.16.31.1 dst 172.16.31.2
proto esp reqid 1 mode tunnel
Would highly appreciate it if anyone can point out the error in my configuration.
Thanks.
Kind rgds,
Makarand Pradhan
Senior Software Engineer.
iS5 Communications Inc.
5895 Ambler Dr,
Mississauga, Ontario
L4W 5B7
Main Line: +1-844-520-0588 Ext. 129
Direct Line: +1-289-724-2296
Cell: +1-226-501-5666
Fax:+1-289-401-5206
Email: makarandpradhan at is5com.com
Website: www.iS5Com.com
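As an added example (not part of the original post and not strongSwan's own code), a small Python model of the left|rightsubnet selector syntax used above: it parses `<subnet>[[<proto/port>]][,...]` and checks whether a local/remote address pair with a given protocol falls inside the configured selectors, which is the same decision the installed xfrm policy makes. It only models the policy side: a matching packet still needs a kernel route to its destination, and `sendmsg: Network is unreachable` (ENETUNREACH) is the error the kernel returns when that route lookup fails. The port in a selector is assumed to apply to the endpoint on that selector's own side (left port for leftsubnet, right port for rightsubnet).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Union

# Protocol names handled here; numeric protocol numbers are also accepted.
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}

@dataclass(frozen=True)
class Selector:
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    proto: Optional[int]   # None means any protocol
    port: Optional[int]    # None means any port

_ITEM = re.compile(r"^([^\[\]]+?)(?:\[([^\]]*)\])?$")

def parse_subnet_list(value: str) -> list:
    """Parse a strongSwan left|rightsubnet value: <subnet>[[<proto/port>]][,...]."""
    selectors = []
    for item in value.split(","):
        m = _ITEM.match(item.strip())
        if not m:
            raise ValueError(f"bad selector: {item!r}")
        network = ipaddress.ip_network(m.group(1), strict=False)
        proto = port = None
        if m.group(2):  # "[icmp]", "[tcp/22]", "[6/22]"; "[]" means any
            proto_part, _, port_part = m.group(2).partition("/")
            if proto_part:
                proto = PROTO_NUMBERS.get(proto_part.lower())
                if proto is None:
                    proto = int(proto_part)
            if port_part:
                port = int(port_part)
        selectors.append(Selector(network, proto, port))
    return selectors

def selector_matches(selectors, address: str, proto: int, port: Optional[int] = None) -> bool:
    """True if (address, proto, port) is covered by at least one selector."""
    addr = ipaddress.ip_address(address)
    for s in selectors:
        if addr not in s.network:
            continue
        if s.proto is not None and s.proto != proto:
            continue
        if s.port is not None and s.port != port:
            continue
        return True
    return False

def tunnel_covers(leftsubnet: str, rightsubnet: str, local: str, remote: str,
                  proto: int, local_port=None, remote_port=None) -> bool:
    """Would an outbound packet local -> remote fall under the IPsec policy?"""
    return (selector_matches(parse_subnet_list(leftsubnet), local, proto, local_port)
            and selector_matches(parse_subnet_list(rightsubnet), remote, proto, remote_port))
```

Run with the selectors from the post: `tunnel_covers("10.10.9.0/24[icmp],192.168.61.0/24[icmp]", "192.168.9.0/24[icmp],192.168.51.0/24[icmp]", "10.10.9.4", "192.168.9.3", 1)` is True for ICMP and False for protocol 6 (TCP), so the selectors themselves do cover the ping; the remaining question is routing.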