[strongSwan] Restricting protocol and port numbers question

Rajiv Kulkarni rajivkulkarni69 at gmail.com
Tue Sep 29 20:38:23 CEST 2020


Hello Tobias,

I need your help clarifying the 2-3 queries below, with reference to your
advice on adding routes in table 220.

1. With policies based on the ports/protocols used, would the routes still
need to be added if we disable the use of table 220 by setting the option
"install_routes=no" in charon.conf?

2. I am unable to recall precisely now (as I write)... does "swanctl.conf"
require table 220 to be used (by default)? Or rather, the question would
be: if I use swanctl.conf for the tunnel with port/protocol policies,
would I need to add routes in table 220?

3. Same as above: can we use install_routes=no with swanctl and avoid
adding routes for the remote subnets?

Thanks & regards,
Rajiv


On Wednesday, September 2, 2020, Makarand Pradhan <MakarandPradhan at is5com.com> wrote:

> Hello All,
>
> I am trying to restrict traffic entering the tunnel using:
>
> left|rightsubnet = <ip subnet>[[<proto/port>]][,...]
>
> To test this feature I am trying to restrict ICMP traffic.
>
> ipsec.conf:
>         rightsubnet=192.168.9.0/24[icmp],192.168.51.0/24[icmp]
>         left=172.16.31.2
>         leftid=172.16.31.2
>         leftsubnet=10.10.9.0/24[icmp],192.168.61.0/24[icmp]
>
> The tunnels come up and look ok:
>           m1{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c988747b_i c0147d49_o
>           m1{3}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 96 minutes
>           m1{3}:   10.10.9.0/24[icmp] 192.168.61.0/24[icmp] === 192.168.9.0/24[icmp] 192.168.51.0/24[icmp]
>
> All the same, the packets are not pushed into the tunnel:
>
> ping 192.168.9.3 -I 10.10.9.4
> PING 192.168.9.3 (192.168.9.3) from 10.10.9.4 : 56(84) bytes of data.
> ping: sendmsg: Network is unreachable
> ping: sendmsg: Network is unreachable
>
> The ip xfrm policy seems to be correct:
> src 192.168.9.0/24 dst 10.10.9.0/24 proto icmp
>         dir fwd priority 375167 ptype main
>         tmpl src 172.16.31.1 dst 172.16.31.2
>                 proto esp reqid 1 mode tunnel
>
> I would highly appreciate it if anyone can point out the error in my configuration.
>
> Thanks.
>
> Kind rgds,
> Makarand Pradhan
> Senior Software Engineer.
> iS5 Communications Inc.
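As an added diagnostic example (not code from the thread or from strongSwan): this Python script parses constructed `ip xfrm policy` and `ip route show table 220` output, modelled on the ICMP-restricted policy quoted above, and reports outbound selectors that no route covers. That is the mismatch behind "Network is unreachable" when the xfrm policy itself looks correct and routes for the remote subnets have to be added by hand, as discussed above; the interface name and route entries are assumed.

```python
import ipaddress
import re

# Constructed `ip xfrm policy` output, modelled on the ICMP-restricted policy quoted in the thread.
XFRM_POLICY_SAMPLE = """\
src 192.168.9.0/24 dst 10.10.9.0/24 proto icmp
        dir fwd priority 375167 ptype main
        tmpl src 172.16.31.1 dst 172.16.31.2
                proto esp reqid 1 mode tunnel
src 10.10.9.0/24 dst 192.168.9.0/24 proto icmp
        dir out priority 375167 ptype main
        tmpl src 172.16.31.2 dst 172.16.31.1
                proto esp reqid 1 mode tunnel
src 10.10.9.0/24 dst 192.168.51.0/24 proto icmp
        dir out priority 375167 ptype main
        tmpl src 172.16.31.2 dst 172.16.31.1
                proto esp reqid 1 mode tunnel
"""
# Constructed `ip route show table 220` output: only one remote subnet has a route (eth0 is a placeholder).
ROUTE_TABLE_SAMPLE = "192.168.9.0/24 dev eth0 proto static src 10.10.9.4\n"

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)(?: proto (\S+))?")
DIR_RE = re.compile(r"^\s+dir (\w+)")

def parse_xfrm_policies(text):
    """One dict per policy: src/dst networks, proto ("any" if unrestricted) and direction."""
    policies, current = [], None
    for line in text.splitlines():
        head = POLICY_RE.match(line)
        direction = DIR_RE.match(line)
        if head:
            current = {"src": ipaddress.ip_network(head.group(1), strict=False),
                       "dst": ipaddress.ip_network(head.group(2), strict=False),
                       "proto": head.group(3) or "any", "dir": None}
            policies.append(current)
        elif direction and current is not None:
            current["dir"] = direction.group(1)
    return policies

def parse_routes(text):
    """Destination prefixes in a routing table dump ("default" becomes 0.0.0.0/0)."""
    prefixes = [line.split()[0] for line in text.splitlines() if line.strip()]
    return [ipaddress.ip_network("0.0.0.0/0" if p == "default" else p, strict=False) for p in prefixes]

def missing_routes(policies, routes):
    """Outbound selectors (dst, proto) that no route covers: packets for these destinations fail
    the route lookup before any xfrm policy is consulted ('sendmsg: Network is unreachable')."""
    return [(str(p["dst"]), p["proto"]) for p in policies if p["dir"] == "out"
            and not any(r.version == p["dst"].version and p["dst"].subnet_of(r) for r in routes)]
```

On a real host, feed it the combined output of `ip route show table 220` and the main table, since a remote prefix routed in either table is reachable.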