Hi Sebastian,

> I am trying to configure IPsec between applications that are sending
> UDP packets to destination port 10023. The UDP source port is
> ephemeral. In my ipsec.conf file I simply set leftsubnet=%dynamic[udp]
> and rightsubnet=%dynamic[udp/10023].

And what does your peer's configuration look like? Who initiates the tunnel? Most likely you have two CHILD_SAs established, resulting in four XFRM policies.

> This leaves a security hole because policy #3 allows a compromised peer
> to send packets to any dport if sport matches 10023.

AFAICS, this is exactly what your configuration defines: any local UDP port (leftsubnet=%dynamic[udp]), and remote port 10023 (rightsubnet=%dynamic[udp/10023]). The IKE protocol does not allow you to exchange policies matching source or destination ports; it only knows local or remote ports to match bi-directional flows. Refer to [1] for details.

> How can I make strongSwan install those two simple IPsec policies
> that I want?

If both ends have to send traffic to the other's UDP port 10023, this can't work. You can allow both an any<->10023 and a 10023<->any policy; but this implies that the peer can initiate UDP connections from its port 10023 to any of your local ports. This is what your policy allows. If you want to limit connection initiation to destination port 10023, you'd additionally need some conntrack-aware Netfilter rules.

Regards
Martin

[1] http://tools.ietf.org/html/rfc5996#section-2.9

_______________________________________________
Dev mailing list
https://lists.strongswan.org/mailman/listinfo/dev
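A small model, added here and not code from this thread or from strongSwan, of the point Martin makes: traffic selectors (RFC 5996 section 2.9) are bi-directional, so an any<->10023 policy plus a 10023<->any policy also admits flows the peer opens from its port 10023 to any local port, and only a conntrack-aware filter can tell a reply from a new inbound flow. The "port 0 means any" convention, the class and function names, and all ports other than 10023 are assumptions.

```python
from dataclasses import dataclass
ANY = 0             # wildcard port, modelled after XFRM selectors (assumption)
SERVICE_PORT = 10023

@dataclass(frozen=True)
class Policy:
    direction: str  # "out" = local->remote, "in" = remote->local
    sport: int
    dport: int

def policies_from_ts(local_port, remote_port):
    """One CHILD_SA with (local TS, remote TS) yields an out and an in policy."""
    return [Policy("out", local_port, remote_port),
            Policy("in", remote_port, local_port)]

def xfrm_allows(policies, direction, sport, dport):
    """IPsec policy check alone: a port matches a wildcard or an exact value."""
    return any(p.direction == direction
               and p.sport in (ANY, sport) and p.dport in (ANY, dport)
               for p in policies)

class ConntrackFilter:
    """Netfilter-style state: inbound UDP is accepted only as a reply to a flow
    this host opened, or when it is addressed to SERVICE_PORT."""
    def __init__(self):
        self.flows = set()  # (local_port, remote_port) pairs we initiated

    def outbound(self, sport, dport):
        self.flows.add((sport, dport))
        return True

    def inbound(self, sport, dport):
        return (dport, sport) in self.flows or dport == SERVICE_PORT

# The two CHILD_SAs Martin describes: any<->10023 and 10023<->any (four policies)
POLICIES = policies_from_ts(ANY, SERVICE_PORT) + policies_from_ts(SERVICE_PORT, ANY)

def check_packet(ct, direction, sport, dport):
    """Return (ipsec_ok, netfilter_ok) for one UDP packet."""
    nf = ct.outbound(sport, dport) if direction == "out" else ct.inbound(sport, dport)
    return xfrm_allows(POLICIES, direction, sport, dport), nf

def scenario():
    """Constructed packets: a legitimate exchange, then the peer opening flows."""
    ct = ConntrackFilter()
    return {"client_to_service": check_packet(ct, "out", 40001, SERVICE_PORT),
            "service_reply": check_packet(ct, "in", SERVICE_PORT, 40001),
            "peer_from_10023_to_5555": check_packet(ct, "in", SERVICE_PORT, 5555),
            "peer_from_4444_to_5555": check_packet(ct, "in", 4444, 5555)}
```

The third packet is the case from the thread: the XFRM policy accepts it (sport 10023 matches the 10023<->any policy), and only the conntrack check rejects it because no local flow to that peer port exists.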
