[Openswan Users] Question distinguishing traffic using protoport

Phillip Reeves preeves1 at gmail.com
Sat Feb 21 11:54:38 EST 2009


Hello all,

I would like to be able to have traffic using specific ports use different
SA's, similar to this post:

https://lists.strongswan.org/pipermail/users/2008-October/002854.html

I have two boxes running rhel 5.2 and openswan 2.6.20 in a private lab using
netkey protostack.  Similar to the post above I would like to have traffic
using tcp/22 use a set of SA's and tcp/23 use a set of SA's.

Below is part of my ipsec.conf file to get this working

# Selector for SSH: TCP traffic involving port 22 on the left host.
conn allow-ssh
        # Phase 2 (ESP) proposal with the null cipher: integrity only
        # (HMAC-SHA1-96), no confidentiality at the IPsec layer. Presumably
        # acceptable because SSH encrypts its own payload -- confirm intended.
        phase2alg=null-sha1-96
        # protocol 6 = TCP; the port applies to the left end (192.168.100.217).
        leftprotoport=6/22
        # port 0 = any port on the right end. Port selectors are directional:
        # this conn matches by the LEFT host's port 22, not by which side
        # initiates -- NOTE(review): confirm which box opens the SSH session.
        rightprotoport=6/0
        # Endpoints, authentication and IKE settings are inherited from conn vpn-test.
        also=vpn-test

# Selector for telnet: TCP traffic involving port 23 on the left host.
conn allow-telnet
        # Phase 2 (ESP) proposal: 3DES-CBC with HMAC-SHA1-96. Telnet itself is
        # cleartext, so this SA is the only protection for the session; 3DES is
        # a legacy cipher, consider aligning with the AES-128 chosen for IKE.
        phase2alg=3des-sha1-96
        # protocol 6 = TCP; the port applies to the left end (192.168.100.217).
        leftprotoport=6/23
        # port 0 = any port on the right end (same directional caveat as allow-ssh).
        rightprotoport=6/0
        # Endpoints, authentication and IKE settings are inherited from conn vpn-test.
        also=vpn-test

# Shared endpoint, authentication and IKE settings pulled in by the per-port
# conns above via also=vpn-test. No leftsubnet/rightsubnet is given, so this
# reads as a host-to-host tunnel between the two addresses below -- confirm.
conn vpn-test
        authby=rsasig                  # peers authenticate with RSA signatures (raw keys below)
        keyexchange=ike
        keyingtries=5                  # stop after five failed negotiation attempts
        ike=aes128-sha1-96             # phase 1 (IKE) proposal; phase 2 is set per conn above
        type=tunnel
        pfs=yes                        # fresh DH exchange for every phase 2 SA
        left=192.168.100.217          # Local vitals
        leftid=@oswan2                 # @-prefixed ID is used as an opaque name, not resolved
        leftrsasigkey=0sAQN+bc6MUiFE1P77NOt5v...   # public key, truncated in this post
#    leftnexthop=      # correct in many situations
        right=192.168.100.216                # Remote vitals
        rightid=@oswan1
        rightrsasigkey=0sAQPQAdHkT3ZJ86rdYFDNF...  # public key, truncated in this post
        auto=add                       # authorizes but doesn't start this
                                       # connection at startup


 No matter what we try when attempting to distinguish traffic of the same
protocol (whether UDP or TCP), the traffic ends up using the same set of
SA's.  However, I can get the traffic to use different SA's if I break up the
traffic using ICMP, TCP and UDP rules in my ipsec.conf file as below...


# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        # NAT traversal off. Presumably fine while both peers sit on
        # 192.168.100.0/24 with nothing between them; any NAT on the path
        # would have to be accounted for here.
        nat_traversal=no
        # KLIPS-style virtual-interface mapping. NOTE(review): with
        # protostack=netkey this setting is believed to be ignored -- confirm.
        interfaces="ipsec0=eth0"

# Per-protocol selector: all TCP traffic between the two hosts, any port.
conn allow-tcp
        # ESP proposal: 3DES-CBC with HMAC-SHA1-96 (legacy cipher; IKE uses AES-128).
        esp=3des-sha1-96
        # protocol name without a port = every TCP port on that end.
        leftprotoport=tcp
        rightprotoport=tcp
        # Endpoints, authentication and IKE settings are inherited from conn vpn-test.
        also=vpn-test

# Per-protocol selector: all ICMP traffic between the two hosts.
conn allow-icmp
        # ESP with the null cipher: ICMP is integrity-protected (HMAC-SHA1-96)
        # but carried in cleartext at the IPsec layer.
        esp=null-sha1-96
        leftprotoport=icmp
        rightprotoport=icmp
        # Endpoints, authentication and IKE settings are inherited from conn vpn-test.
        also=vpn-test

# Per-protocol selector: all UDP traffic between the two hosts, any port.
conn allow-udp
        # ESP proposal: 3DES-CBC with HMAC-MD5-96. MD5 is a legacy integrity
        # choice and differs from the SHA1 used by the other conns -- consider
        # aligning them unless the difference is deliberate for the test.
        esp=3des-md5-96
        # protocol name without a port = every UDP port on that end.
        leftprotoport=udp
        rightprotoport=udp
        # Endpoints, authentication and IKE settings are inherited from conn vpn-test.
        also=vpn-test

# Shared endpoint, authentication and IKE settings pulled in by the per-protocol
# conns above via also=vpn-test. No leftsubnet/rightsubnet is given, so this
# reads as a host-to-host tunnel between the two addresses below -- confirm.
conn vpn-test
        authby=rsasig                  # peers authenticate with RSA signatures (raw keys below)
        keyexchange=ike
        keyingtries=5                  # stop after five failed negotiation attempts
        ike=aes128-sha1-96             # phase 1 (IKE) proposal; phase 2 is set per conn above
        type=tunnel
        pfs=yes                        # fresh DH exchange for every phase 2 SA
        left=192.168.100.217          # Local vitals
        leftid=@oswan2                 # @-prefixed ID is used as an opaque name, not resolved
        leftrsasigkey=0sAQN+bc6MUiFE1P77NOt5v...   # public key, truncated in this post
#    leftnexthop=      # correct in many situations
        right=192.168.100.216                # Remote vitals
        rightid=@oswan1
        rightrsasigkey=0sAQPQAdHkT3ZJ86rdYFDNF...  # public key, truncated in this post
        auto=add                       # authorizes but doesn't start this
                                       # connection at startup


# The stock drop-in include is commented out, so only the conns defined in
# this file are loaded.
#include /etc/ipsec.d/*.conf

#Disable Opportunistic Encryption
# no_oe.conf is the shipped policy file that switches OE off -- confirm it is
# present on both boxes.
include /etc/ipsec.d/policies/no_oe.conf


We have this working using two Cisco routers and our next test was to see if
we could get this working using openswan.   Anyone have ideas of why this
traffic is not using different SA's when trying to distinguish different traffic?


Thanks, Phillip

