I am using OpenBSD 6.7. iked does not respect mixing ports in the source and the destination of traffic selectors.
Such a policy in iked.conf:

ikev2 "epsilon" active \
    proto tcp \
    from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \
    from aaaa:aaaa:aaaa::30 port postgresql to cccc:cccc:cccc::/48 \
    from aaaa:aaaa:aaaa::30 port postgresql to bbbb:bbbb:bbbb::/48 \
    peer d.d.d

Produces wrong flows (specifying only destination port from first selector):

flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb::/48 *port 8000* to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb::2 *port 8000* to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require

-- 
Антон Касимов / Anton Kasimov
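An added example, not part of the original message and not iked code: a small Python check that derives the flows a policy's traffic selectors should yield and diffs them against the installed flow listing, so port mismatches like the one reported stand out. It assumes each selector should produce one in/out flow pair with its ports preserved; the policy text is copied from the report, while the flow lines are constructed (consistent placeholder addresses, shortened tails) to mirror the reported behaviour.

```python
import re

SERVICES = {"postgresql": "5432"}  # the only service name used in the policy
SEL = re.compile(r"from (\S+)(?: port (\S+))? to (\S+)(?: port (\S+))?")
FLOW = re.compile(r"flow esp (in|out) proto (\S+) " + SEL.pattern)

# Policy as given in the report.
POLICY = r'''ikev2 "epsilon" active \
    proto tcp \
    from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \
    from aaaa:aaaa:aaaa::30 port postgresql to cccc:cccc:cccc::/48 \
    from aaaa:aaaa:aaaa::30 port postgresql to bbbb:bbbb:bbbb::/48 \
    peer d.d.d
'''
# Constructed flow listing modelled on the report (not captured output).
FLOWS = '''
flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb:10::2 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port 8000 peer d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb::/48 port 8000 peer d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 peer d.d.d type require
'''

def _port(p):
    # Normalise service names to numbers; a missing port becomes None.
    return SERVICES.get(p, p) or None

def expected_flows(policy):
    # Assumption: one out flow per selector plus its mirrored in flow.
    proto = re.search(r"proto (\S+)", policy).group(1)
    flows = set()
    for src, sport, dst, dport in SEL.findall(policy):
        sport, dport = _port(sport), _port(dport)
        flows.add(("out", proto, src, sport, dst, dport))
        flows.add(("in", proto, dst, dport, src, sport))
    return flows

def installed_flows(text):
    return {(d, pr, s, _port(sp), t, _port(tp))
            for d, pr, s, sp, t, tp in FLOW.findall(text)}

def audit(policy, flow_text):
    # Returns (flows the policy calls for but absent, flows present but not called for).
    want, have = expected_flows(policy), installed_flows(flow_text)
    return want - have, have - want

if __name__ == "__main__":
    missing, unexpected = audit(POLICY, FLOWS)
    for label, flows in (("MISSING", missing), ("UNEXPECTED", unexpected)):
        for f in sorted(flows, key=str):
            print(label, f)
```

A flow in the UNEXPECTED set encrypts traffic the policy never named, and a flow in MISSING means traffic the policy intended to protect has no matching flow.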