There's nothing wrong. I'm sure if you check the output of `ipsec statusall`/`swanctl -l` when you see those XFRM policies, you will see that the initiator (e.g. iPhone) negotiated a TS where its local port is set to 1024, whereas strongSwan doesn't.
On 20.12.2017 11:32, Nimo wrote: > Hello, > > I'm using transport mode with strongSwan 5.3.5. It works fine , but result of > 'ip xfrm policy' may be somehing wrong. > > 1) I configure strongSwan-1 and stronSwan-2 as below. Then I execute 'ip xfrm > policy', the result was "[strongSwan's result]" in below. > 2) I launched iPhone's L2TP to strongSwan-1. Then the 'ip xfrm policy' showed > "[iPhone result]" > > Difference between above two is number of sport/dport. > Could you please tell me strongSwan-2 configuration to match iPhone's result ? > > > strongSwan-1 > ---------------------------------------------- > [ipsec.conf] > conn L2TP > left=1.1.1.254 > authby=secret > auto=add > keyingtries=3 > keyexchange=ikev1 > rekey=yes > ike=3des-sha1-modp1024,aes128-sha1,aes256-sha1 > dpddelay=10 > dpdtimeout=90 > dpdaction=clear > ikelifetime=8h > keylife=1h > type=transport > leftprotoport=17/1701 > right=%any > rightprotoport=17/%any > > [ipsec.secrets] > 1.1.1.254 %any : PSK "password" > > strongSwan-2 > ---------------------------------------------- > [ipsec.conf] > conn client > authby = secret > keyexchange = ikev1 > rekey = no > keyingtries = 3 > type = transport > right = 1.1.1.254 > left = %defaultroute > auto = start > leftprotoport = 17/%any > rightprotoport = 17/1701 > > > [ipsec.secrets] > 1.1.1.254 : PSK "password" > > > ---------------------------------------------- > [strongSwan's result] > # ip xfrm policy > src 1.1.1.254/32 <http://1.1.1.254/32> dst 172.16.14.100/32 > <http://172.16.14.100/32> proto udp sport 1701 > dir in priority 2816 ptype main > tmpl src 0.0.0.0 dst 0.0.0.0 > proto esp reqid 1 mode transport > src 172.16.14.100/32 <http://172.16.14.100/32> dst 1.1.1.254/32 > <http://1.1.1.254/32> proto udp dport 1701 > dir out priority 2816 ptype main > tmpl src 0.0.0.0 dst 0.0.0.0 > proto esp reqid 1 mode transport > src 0.0.0.0/0 <http://0.0.0.0/0> dst 0.0.0.0/0 <http://0.0.0.0/0> > ..... > > > ---------------------------------------------- > [iPhone result] > [TEST-L2TP] ~ # ip xfrm policy | less > src 1.1.1.1/32 <http://1.1.1.1/32> dst 1.1.1.254/32 <http://1.1.1.254/32> > proto udp sport 1024 dport 1701 > dir in priority 2816 ptype main > tmpl src 0.0.0.0 dst 0.0.0.0 > proto esp reqid 1 mode transport > src 1.1.1.254/32 <http://1.1.1.254/32> dst 1.1.1.1/32 <http://1.1.1.1/32> > proto udp sport 1701 dport 1024 > dir out priority 2816 ptype main > tmpl src 0.0.0.0 dst 0.0.0.0 > proto esp reqid 1 mode transport > src 0.0.0.0/0 <http://0.0.0.0/0> dst 0.0.0.0/0 <http://0.0.0.0/0> > .... > > thank you, > --- > takumi kadode
signature.asc
Description: OpenPGP digital signature
