Hi. I am having extreme difficulty authenticating IKE to a remote peer from my Strongswan host using IKEv2 and IPv6 when specifying leftprotoport\rightprotoport.
Let me clarify by saying I can authenticate and establish the tunnel if I only specify the protocol value in the protoport designations (E.g. leftprotoport=tcp + rightprotoport=tcp). When I use this convention the traffic selectors appear as the following on the remote peer: Find a rule matching the first traffic selectors of: TS_r=ipv6(tcp:3260,fc00:2518::10:125:56:16),ipv6(tcp,fc00:2518::10:125:56:16) and TS_i=ipv6(tcp,fc00:2518::221:9bff:fe98:854b),ipv6(tcp,fc00:2518::221:9bff:fe98:854b) In this case, the traffic selectors from the Strongswan host appear to be sending tcp,fc00:2518::221:9bff:fe98:854b. Which appear fine since I didn't specify any port values in the protoport designations. However, when I specify a port value in the protoport designations (E.g. leftprotoport=tcp/0 + rightprotoport=tcp/3260 OR leftprotoport=6/0 + rightprotoport=6/3260 OR leftprotoport=tcp/any + rightprotoport=tcp/3260), the IKE authentication fails due to a traffic selector mismatch. When I use any of the previous conventions the traffic selectors appear as the following on the remote peer: Find a rule matching the first traffic selectors of: TS_r=ipv6(tcp:3260,fc00:2518::10:125:56:16),ipv6(tcp:3260,fc00:2518::10:125:56:16) and TS_i=ipv6(tcp,fc00:2518::221:9bff:fe98:854b),ipv6(tcp,fc00:2518::221:9bff:fe98:854b) In this case, the traffic selectors from the Strongswan host appear to be sending tcp,fc00:2518::221:9bff:fe98:854b. Which do not appear fine since I specified the port values in the protoport designations. In fact they appear to be exactly the same as when I didnät specify the port values in the protoport designations. So I guess the question is why are the port values from the Strongswan host not being presented to the remote peer? Has anybody else seen this before?
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
