I am trying to configure IPsec between applications that are sending UDP
packets to destination port 10023. The UDP source port is ephemeral. This
means that I want strongSwan to install these two simple IPsec policies:
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp dport 10023
    dir in priority 3840
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport

src 192.168.64.135/32 dst 192.168.64.136/32 proto udp dport 10023
    dir out priority 3840
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
However, I can't figure out how to make strongSwan do that. It always
installs these 4 policies:
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp sport 10023 dport 10023
    dir in priority 1792
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport

src 192.168.64.135/32 dst 192.168.64.136/32 proto udp sport 10023 dport 10023
    dir out priority 1792
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport

src 192.168.64.136/32 dst 192.168.64.135/32 proto udp sport 10023
    dir in priority 3840
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport

src 192.168.64.135/32 dst 192.168.64.136/32 proto udp dport 10023
    dir out priority 3840
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 1 mode transport
In my ipsec.conf file I simply set leftsubnet=%dynamic[udp] and
rightsubnet=%dynamic[udp/10023]. However, that leads to those 4 policies
being installed. This leaves a security hole because policy #3 allows a
compromised peer to send packets to any dport if the sport matches 10023.
How can I make strongSwan install those two simple IPsec policies that I
want?
Regards,
Sebastian
_______________________________________________
Dev mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/dev
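Added example, written for this post and not part of it or of strongSwan: a small Python audit that parses an `ip xfrm policy` listing (the four policies quoted above, reproduced as a constructed sample with the indentation that command prints) into records, flags inbound selectors that pin the peer's source port but leave the local destination port open (the shape of policy #3), and reports which of the two intended policies are absent. The local/remote addresses, the port and all function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the four policies quoted in the post, laid out the way
# `ip xfrm policy` prints them (selector line, then indented dir/tmpl lines).
SAMPLE_XFRM_POLICY = """\
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp sport 10023 dport 10023
\tdir in priority 1792
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.168.64.135/32 dst 192.168.64.136/32 proto udp sport 10023 dport 10023
\tdir out priority 1792
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.168.64.136/32 dst 192.168.64.135/32 proto udp sport 10023
\tdir in priority 3840
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
src 192.168.64.135/32 dst 192.168.64.136/32 proto udp dport 10023
\tdir out priority 3840
\ttmpl src 0.0.0.0 dst 0.0.0.0
\t\tproto esp reqid 1 mode transport
"""

@dataclass
class XfrmPolicy:
    src: str
    dst: str
    proto: Optional[str]
    sport: Optional[int]        # None = any source port
    dport: Optional[int]        # None = any destination port
    direction: str              # "in", "out" or "fwd"
    priority: int
    tmpl_proto: Optional[str]   # "esp"/"ah" from the template line
    mode: Optional[str]         # "transport"/"tunnel"

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)(.*)$")

def _kv(text: str) -> dict:
    """'proto udp sport 10023 dport 10023' -> {'proto': 'udp', 'sport': '10023', ...}"""
    toks = text.split()
    return dict(zip(toks[0::2], toks[1::2]))

def _build(d: dict) -> XfrmPolicy:
    port = lambda v: int(v) if v is not None else None
    return XfrmPolicy(src=d["src"], dst=d["dst"], proto=d.get("proto"),
                      sport=port(d.get("sport")), dport=port(d.get("dport")),
                      direction=d.get("dir", ""), priority=int(d.get("priority", 0)),
                      tmpl_proto=d.get("tmpl_proto"), mode=d.get("mode"))

def parse_xfrm_policies(text: str) -> list:
    """Parse `ip xfrm policy` output into XfrmPolicy records, in listing order."""
    records, current, in_tmpl = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SELECTOR_RE.match(line)
        if m:                                  # a new policy starts here
            if current is not None:
                records.append(_build(current))
            current = {"src": m.group(1), "dst": m.group(2), **_kv(m.group(3))}
            in_tmpl = False
        elif current is None or not line:
            continue
        elif line.startswith("dir "):          # direction and priority
            current.update(_kv(line))
        elif line.startswith("tmpl "):         # the next line carries proto/mode
            in_tmpl = True
        elif in_tmpl:
            kv = _kv(line)
            current["tmpl_proto"], current["mode"] = kv.get("proto"), kv.get("mode")
            in_tmpl = False
    if current is not None:
        records.append(_build(current))
    return records

def unbounded_dport_inbound(policies: list, proto: str = "udp") -> list:
    """Inbound selectors that pin the peer's sport but leave the local dport open."""
    return [p for p in policies
            if p.direction == "in" and p.proto == proto
            and p.sport is not None and p.dport is None]

def has_policy(policies, direction, src, dst, proto, sport, dport) -> bool:
    return any(p.direction == direction and p.src == src and p.dst == dst
               and p.proto == proto and p.sport == sport and p.dport == dport
               for p in policies)

def audit_udp_service(text: str, local: str, remote: str, port: int) -> dict:
    """Compare installed policies with the two intended ones (dport only, any sport)."""
    policies = parse_xfrm_policies(text)
    missing = []
    if not has_policy(policies, "in", remote, local, "udp", None, port):
        missing.append("in")
    if not has_policy(policies, "out", local, remote, "udp", None, port):
        missing.append("out")
    return {"policies": policies, "missing": missing,
            "unbounded_dport_inbound": unbounded_dport_inbound(policies)}
```

Feeding it the output of `ip xfrm policy` after every ipsec.conf change makes a mismatch between the intended selectors and what the kernel actually holds visible at once: for the sample above it reports the priority-3840 inbound policy with an open dport and that the intended inbound policy (dport 10023, any sport) is missing. The check only reads policy state; it does not alter what strongSwan installs.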