[strongSwan] Restricting protocol and port numbers question

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Sep 29 20:38:23 CEST 2020

Hello Tobias,

I need your help for clarifying 2-3 queries below with reference to your
advice on adding routes in table 220..

1. With policies based on ports/protocols, would the routes still need to be
added if we disable the use of table 220 by applying the option
"install_routes=no" in charon.conf?

2. I am unable to recall precisely now (as I write)... does "swanctl.conf"
require table 220 to be used (by default)? Or rather, the question would
be: if I use swanctl.conf for the tunnel with ports/protocol policies,
would I need to add routes in table 220?

3. Same as above, can we use install_routes=no with swanctl and avoid
adding routes for the remote subnets?

thanks & regards

On Wednesday, September 2, 2020, Makarand Pradhan <
MakarandPradhan at is5com.com> wrote:

> Hello All,
> I am trying to restrict traffic entering the tunnel using:
> left|rightsubnet = <ip subnet>[[<proto/port>]][,...]
> To test this feature I am trying to restrict ICMP traffic.
> ipsec.conf:
>         rightsubnet=[icmp],[icmp]
>         left=
>         leftid=
>         leftsubnet=[icmp],[icmp]
> The tunnels come up and look ok:
>           m1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c988747b_i
> c0147d49_o
>           m1{3}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o,
> rekeying in 96 minutes
>           m1{3}:[icmp][icmp] ===
> All the same, the packets are not pushed into the tunnel:
> ping -I
> PING ( from : 56(84) bytes of data.
> ping: sendmsg: Network is unreachable
> ping: sendmsg: Network is unreachable
> The ip xfrm policy seems to be correct:
> src dst proto icmp
>         dir fwd priority 375167 ptype main
>         tmpl src dst
>                 proto esp reqid 1 mode tunnel
> Would highly appreciate it if anyone can point out the error in my configuration.
> Thanks.
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
> 5895 Ambler Dr,
> Mississauga, Ontario
> L4W 5B7
> Main Line: +1-844-520-0588 Ext. 129
> Direct Line: +1-289-724-2296
> Cell: +1-226-501-5666
> Fax:+1-289-401-5206
> Email: makarandpradhan at is5com.com
> Website: www.iS5Com.com
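For readers following the thread, here is what the port/protocol restriction from the quoted ipsec.conf looks like in swanctl.conf syntax, as an added example that is not part of either message. The addresses (192.0.2.x), subnets (10.0.1.0/24, 10.0.2.0/24), identities and PSK are constructed placeholders; the traffic selector suffix `[icmp]` (or `[tcp/80]` for a protocol/port pair) is the standard strongSwan selector syntax, and `aes256-sha256` corresponds to the AES_CBC_256/HMAC_SHA2_256_128 shown in the quoted status output.

```conf
# swanctl.conf (constructed example): CHILD_SA "m1" carries only ICMP
# between two /24 subnets. Any non-ICMP packet falls outside the traffic
# selectors, so it never matches the installed xfrm policy.
connections {
    m1 {
        local_addrs  = 192.0.2.1     # constructed
        remote_addrs = 192.0.2.2     # constructed
        local {
            auth = psk
            id = gw-a                # constructed identity
        }
        remote {
            auth = psk
            id = gw-b                # constructed identity
        }
        children {
            m1 {
                # <subnet>[<proto>[/<port>]] restricts the selector.
                # Use e.g. 10.0.1.0/24[tcp/80] for a single TCP port.
                local_ts  = 10.0.1.0/24[icmp]
                remote_ts = 10.0.2.0/24[icmp]
                esp_proposals = aes256-sha256
                start_action = start
            }
        }
    }
}

secrets {
    ike-1 {
        id-a = gw-a
        id-b = gw-b
        secret = "replace-with-a-real-psk"   # placeholder
    }
}
```

Two practical checks when a selector-restricted tunnel shows INSTALLED but traffic is not encapsulated: first, confirm the policy with `ip xfrm policy` and verify the `proto` field matches the protocol being tested, as the quoted output does for ICMP; second, remember that the kernel performs a route lookup before the xfrm policy lookup, so `sendmsg: Network is unreachable` means no route to the destination exists in any table that is consulted. With the default `install_routes` setting charon places such a route in table 220 for each remote_ts; if `install_routes = no` is set in the `charon { }` section of strongswan.conf/charon.conf, a route to the remote subnet must exist in the regular routing tables instead, regardless of whether ipsec.conf or swanctl.conf is used.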