Dear Colleagues,

I want to protect L2TP traffic (and *only* L2TP traffic) with IPSec. FreeBSD 12.1, Strongswan 5.8.2.

c.c.c.c is the L2TP client and s.s.s.s is the L2TP server.

ipsec.conf:

conn netpoint
        left=c.c.c.c
        right=s.s.s.s
        rightprotoport=udp/l2tp
        leftprotoport=udp/%any
        type=transport
        authby=psk
        auto=route

However, "setkey -DP" shows that the kernel SPD database contains not only entries for 1701/udp, but also entries for [any] (spid 1997 and 1998), which I don't want. Is this a bug, or a misconfiguration on my part?

Here is the setkey output:

s.s.s.s[1701] c.c.c.c[any] udp
        in ipsec
        esp/transport//unique:6
        created: Feb 8 17:02:20 2020  lastused: Feb 8 17:02:20 2020
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=2001 seq=10 pid=16018 scope=global
        refcnt=1
s.s.s.s[any] c.c.c.c[any] any
        in ipsec
        esp/transport//unique:4
        created: Feb 8 17:02:20 2020  lastused: Feb 8 17:02:20 2020
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=1997 seq=6 pid=16018 scope=global
        refcnt=1
c.c.c.c[any] s.s.s.s[1701] udp
        out ipsec
        esp/transport//unique:6
        created: Feb 8 17:02:20 2020  lastused: Feb 8 17:02:20 2020
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=2002 seq=4 pid=16018 scope=global
        refcnt=1
c.c.c.c[any] s.s.s.s[any] any
        out ipsec
        esp/transport//unique:4
        created: Feb 8 17:02:20 2020  lastused: Feb 8 17:02:20 2020
        lifetime: 9223372036854775807(s) validtime: 0(s)
        spid=1998 seq=0 pid=16018 scope=global
        refcnt=1

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
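A small checker for the situation described in the post, added here as an example and not part of the original message or of strongSwan: it parses "setkey -DP" output and lists the spids of SPD entries whose selector is wider than udp/1701 on the server side. The sample output is constructed from the four entries shown in the post (the placeholder addresses are the post's own); the entry layout assumes FreeBSD's indented setkey format.

```python
import re

# Constructed sample in the layout `setkey -DP` uses on FreeBSD; the four
# entries and placeholder addresses are the ones shown in the post.
SETKEY_DP = """\
s.s.s.s[1701] c.c.c.c[any] udp
    in ipsec
    esp/transport//unique:6
    created: Feb  8 17:02:20 2020  lastused: Feb  8 17:02:20 2020
    spid=2001 seq=10 pid=16018 scope=global
s.s.s.s[any] c.c.c.c[any] any
    in ipsec
    esp/transport//unique:4
    spid=1997 seq=6 pid=16018 scope=global
c.c.c.c[any] s.s.s.s[1701] udp
    out ipsec
    esp/transport//unique:6
    spid=2002 seq=4 pid=16018 scope=global
c.c.c.c[any] s.s.s.s[any] any
    out ipsec
    esp/transport//unique:4
    spid=1998 seq=0 pid=16018 scope=global
"""
# Unindented selector line: "src[port] dst[port] proto"
SELECTOR = re.compile(
    r"^(?P<src>\S+)\[(?P<sport>\S+)\]\s+(?P<dst>\S+)\[(?P<dport>\S+)\]\s+(?P<proto>\S+)$")

def parse_spd(text):
    """Parse `setkey -DP` output into one dict per SPD entry."""
    entries = []
    for raw in filter(str.strip, text.splitlines()):   # skip blank lines
        line = raw.strip()
        if not raw[0].isspace():              # a new entry starts unindented
            entries.append(SELECTOR.match(line).groupdict())
            continue
        cur, word = entries[-1], line.split()[0]
        if word in ("in", "out", "fwd"):      # direction and action, e.g. "in ipsec"
            cur["dir"], cur["action"] = line.split()[:2]
        elif "/" in line:                     # policy, e.g. esp/transport//unique:6
            cur["policy"] = line
        elif word.startswith("spid="):
            cur["spid"] = int(word.split("=")[1])
    return entries

def wider_than(entries, server, proto="udp", port="1701"):
    """spids whose selector is wider than proto/port on the server side."""
    return [e["spid"] for e in entries
            if e["proto"] != proto
            or (e["sport"] if e["src"] == server else e["dport"]) != port]
```

Run against the sample, wider_than(parse_spd(SETKEY_DP), "s.s.s.s") returns [1997, 1998], the two [any] entries the post asks about.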