[Openswan Users] leftprotoport=17/1701 and non-UDP traffic

Paul Wouters paul at xelerance.com
Mon Jan 9 17:00:55 CET 2006


On Mon, 9 Jan 2006, Guillermo Ontañón wrote:

> I have a question about the protocol/port selectors: what happens with
> packets that do not belong to the protocol/port specified in
> leftprotoport? should they be dropped or should they be forwarded
> unencrypted?
>
> I've set up an l2tp connection and all non-l2tp traffic between the
> ipsec gateway (openswan 2.4.4 w/ klips) and the clients is dropped by
> klips.

That is the expected behaviour. If there is a security policy between
two hosts, everything that does match that policy is dropped.

> So I guess that either I'm doing something wrong or it's not possible to
> route udp/1701 packets through ipsec0 and all other packets through
> eth0.

If you really want it, and I do not know why you'd want it, you can
add a "passthrough" route:

conn passthrough
	# left: the gateway's own address (value kept as given in the mail)
	left=gatewayup
	# right/rightsubnet: any remote host, any subnet (catch-all selector)
	right=0.0.0.0
	rightsubnet=0.0.0.0/0
	# install the policy at startup without negotiating an SA
	auto=route
	# no authentication: nothing is keyed for this conn
	authby=never
	# traffic matching this conn is passed in the clear instead of dropped
	type=passthrough

Since the ipsec policy matching goes from most specific to least specific,
the l2tp packets will still have to come in encrypted, but the rest can
come in plaintext.

This only makes it valid on the server end. Whether the client will allow
sending unencrypted packets is another thing. I do not know.

Paul
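To make the "most specific to least specific" matching concrete, here is an added Python model of the policy lookup (illustration only, not Openswan or KLIPS code): each policy carries a remote subnet and a proto/port selector in the leftprotoport=17/1701 style, the most specific matching policy decides, and a packet with no matching policy is dropped. The client address, port numbers and policy names are constructed sample values.

```python
"""Model of policy selection by specificity, as described for KLIPS above."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    name: str
    subnet: str   # remote subnet the policy covers (rightsubnet)
    proto: int    # IP protocol number, 0 = any
    port: int     # port number, 0 = any
    action: str   # "encrypt" (IPsec tunnel) or "passthrough" (plaintext)

    def matches(self, pkt):
        if ipaddress.ip_address(pkt["peer"]) not in ipaddress.ip_network(self.subnet):
            return False
        if self.proto and pkt["proto"] != self.proto:
            return False
        return not self.port or pkt["port"] == self.port

    def specificity(self):
        # longer prefix first, then a fixed protocol, then a fixed port
        return (ipaddress.ip_network(self.subnet).prefixlen,
                self.proto != 0, self.port != 0)


def lookup(policies, pkt):
    """Return the action for pkt: most specific matching policy wins, else drop."""
    matching = [p for p in policies if p.matches(pkt)]
    if not matching:
        return "drop"   # security policy present, nothing matches: dropped
    return max(matching, key=Policy.specificity).action


# Constructed sample: one L2TP client with leftprotoport=17/1701, plus the
# catch-all passthrough conn from the mail.
L2TP_POLICY = Policy("l2tp-client", "203.0.113.5/32", 17, 1701, "encrypt")
PASSTHROUGH = Policy("passthrough", "0.0.0.0/0", 0, 0, "passthrough")
POLICIES = [PASSTHROUGH, L2TP_POLICY]

L2TP_PKT = {"peer": "203.0.113.5", "proto": 17, "port": 1701}  # UDP/1701
SSH_PKT = {"peer": "203.0.113.5", "proto": 6, "port": 22}      # TCP/22

if __name__ == "__main__":
    for pkt in (L2TP_PKT, SSH_PKT):
        print(pkt, "with passthrough:", lookup(POLICIES, pkt),
              "/ without:", lookup([L2TP_POLICY], pkt))
```

With the passthrough conn present the UDP/1701 packet still resolves to the encrypting policy while the SSH packet is passed in the clear; without it the SSH packet is dropped.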

