[Openswan Users] leftprotoport=17/1701 and non-UDP traffic

Paul Wouters paul at xelerance.com
Mon Jan 9 17:00:55 CET 2006

On Mon, 9 Jan 2006, Guillermo Ontañón wrote:

> I have a question about the protocol/port selectors: what happens with
> packets that do not belong to the protocol/port specified in
> leftprotoport? should they be dropped or should they be forwarded
> unencrypted?
> I've set up an l2tp connection and all non-l2tp traffic between the
> ipsec gateway (openswan 2.4.4 w/ klips) and the clients is dropped by
> klips.

That is the expected behaviour. If there is a security policy between
two hosts, everything that does match that policy is dropped.

> So I guess that either I'm doing something wrong or it's not possible to
> route udp/1701 packets through ipsec0 and all other packets through
> eth0.

If you really want it, and I do not know why you'd want it, you can
add a "passthrough" route:

conn passthrough

Since the ipsec policy matching goes from most specific to least specific,
the l2tp packets will still have to come in encrypted, but the rest can
come in plaintext.

This only makes it valid on the server end. Whether the client will allow
sending unencrypted packets is another thing. I do not know.


More information about the Users mailing list