[Openswan Users] Question distinguishing traffic using protoport

Paul Wouters paul at xelerance.com
Sat Feb 21 15:45:43 EST 2009


On Sat, 21 Feb 2009, Phillip Reeves wrote:

> I would like to be able to have traffic using specific ports to use different SA's similar to this post:
> 
> https://lists.strongswan.org/pipermail/users/2008-October/002854.html
> 
> I have two boxes running rhel 5.2 and openswan 2.6.20 in a private lab using netkey protostack.  Similar to the post above I would like to
> have traffic using tcp/22 use a set of SA's and tcp/23 use a set of SA's.
> 
> Below is part of my ipsec.conf file to get this working
> 
> conn allow-ssh
>         phase2alg=null-sha1-96
>         leftprotoport=6/22
>         rightprotoport=6/0
>         also=vpn-test
> 
> conn allow-telnet
>         phase2alg=3des-sha1-96
>         leftprotoport=6/23
>         rightprotoport=6/0
>         also=vpn-test

> No matter what we try when attempting to distinguish traffic of the same protocol (whether udp or tcp), the traffic ends up using the same
> set of SA's.  However, I can get the traffic to use different SA's if I break up the traffic using ICMP, TCP and UDP rules in my ipsec.conf
> file as below...

Can you check with xfrm show policy and xfrm show state to see if the policies
are right and the kernel is wrong, or whether the policy is wrong and the kernel
is right?

Also, instead of /0, what happens if you use /%any?

Paul
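Paul's suggestion to compare the policy database against the installed SAs is the right diagnostic, and the comparison can be scripted. The Python below is an added example, not code from this list post or from Openswan. It assumes the record layout that iproute2's `ip xfrm policy` and `ip xfrm state` print (an unindented `src ... dst ...` line followed by indented detail lines) and works on constructed sample output with placeholder addresses, reqids and SPIs. It resolves a flow to the policy the kernel would select and then, via the policy's reqid, to the SAs that serve it: if tcp/22 and tcp/23 resolve to the same reqid, the installed policy lacks the port selector (the policy is wrong); if they resolve to distinct reqids yet traffic still shares an SA on the wire, the kernel is at fault.

```python
import ipaddress
import re

# Constructed samples in the layout printed by `ip xfrm policy` and `ip xfrm
# state` (placeholder addresses, reqids and SPIs; not output from the poster's
# lab). GOOD: a separate policy per port, each with its own reqid.
# BROKEN: the port selector is missing, so one policy catches all TCP.
GOOD_POLICIES = """\
src 10.0.1.0/24 dst 10.0.2.0/24 proto tcp dport 22
    dir out priority 2344
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 16385 mode tunnel
src 10.0.1.0/24 dst 10.0.2.0/24 proto tcp dport 23
    dir out priority 2344
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 16389 mode tunnel
"""
BROKEN_POLICIES = """\
src 10.0.1.0/24 dst 10.0.2.0/24 proto tcp
    dir out priority 2344
    tmpl src 192.0.2.1 dst 192.0.2.2
        proto esp reqid 16385 mode tunnel
"""
STATES = """\
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x0a1b2c3d reqid 16385 mode tunnel
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x0a1b2c3e reqid 16385 mode tunnel
src 192.0.2.1 dst 192.0.2.2
    proto esp spi 0x0b1b2c3d reqid 16389 mode tunnel
src 192.0.2.2 dst 192.0.2.1
    proto esp spi 0x0b1b2c3e reqid 16389 mode tunnel
"""


def _records(text):
    """Split `ip xfrm` output into records: one unindented 'src ...' line
    plus its indented continuation lines, joined into a single string."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            recs.append([])
        if recs:
            recs[-1].append(line.strip())
    return [" ".join(r) for r in recs]


_SEL = re.compile(r"^src (?P<src>\S+) dst (?P<dst>\S+)(?: proto (?P<proto>\S+))?"
                  r"(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?")


def parse_policies(text):
    """One dict per policy: selector fields, direction, priority and reqid."""
    policies = []
    for rec in _records(text):
        sel, direction = _SEL.match(rec), re.search(r"\bdir (\w+)", rec)
        if not (sel and direction):
            continue
        prio = re.search(r"\bpriority (\d+)", rec)
        reqid = re.search(r"\breqid (\d+)", rec)
        policies.append({
            "src": ipaddress.ip_network(sel["src"], strict=False),
            "dst": ipaddress.ip_network(sel["dst"], strict=False),
            "proto": sel["proto"],            # None means any protocol
            "sport": int(sel["sport"] or 0),  # 0 means any port
            "dport": int(sel["dport"] or 0),
            "dir": direction.group(1),
            "priority": int(prio.group(1)) if prio else 0,
            "reqid": int(reqid.group(1)) if reqid else None,
        })
    return policies


def parse_states(text):
    """Map each reqid to the SPIs of the SAs installed for it."""
    sas = {}
    for rec in _records(text):
        spi = re.search(r"\bspi (0x[0-9a-fA-F]+)", rec)
        reqid = re.search(r"\breqid (\d+)", rec)
        if spi and reqid:
            sas.setdefault(int(reqid.group(1)), []).append(spi.group(1))
    return sas


def match_policy(policies, direction, src, dst, proto, sport, dport):
    """Policy the kernel would apply to a flow: every selector field must
    match (None/0 are wildcards) and the lowest priority value wins."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and s in p["src"] and d in p["dst"]
            and p["proto"] in (None, proto)
            and p["sport"] in (0, sport) and p["dport"] in (0, dport)]
    return min(hits, key=lambda p: p["priority"], default=None)


def sa_for_flow(policies, states, **flow):
    """(reqid, SPIs) protecting a flow, or (None, []) when no policy matches."""
    p = match_policy(policies, **flow)
    return (p["reqid"], states.get(p["reqid"], [])) if p else (None, [])


if __name__ == "__main__":
    states = parse_states(STATES)
    for label, text in (("good", GOOD_POLICIES), ("broken", BROKEN_POLICIES)):
        for port in (22, 23):
            reqid, spis = sa_for_flow(parse_policies(text), states, direction="out",
                                      src="10.0.1.10", dst="10.0.2.10", proto="tcp",
                                      sport=40000, dport=port)
            print(f"{label}: tcp/{port} -> reqid {reqid} SPIs {spis}")
```

To use it on a real gateway, save the output of `ip xfrm policy` and `ip xfrm state` and feed those strings in place of the constructed samples. The reqid is the link between a policy's template and the SAs that serve it, so it is the first field to compare: two ports sharing one reqid means the policy database never distinguished them, whatever the kernel does afterwards.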

