Moving to bugs@:

In gmane.os.openbsd.misc, Anton Kasmov wrote:
> I am using OpenBSD 6.7
> iked does not respect mixing ports in the source and the destination of
> traffic selectors.
>
> Such policy in iked.conf
>
> ikev2 "epsilon" active \
>     proto tcp \
>     from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 \
>     from aaaa:aaaa:aaaa::30 port postgresql to cccc:cccc:cccc::/48 \
>     from aaaa:aaaa:aaaa::30 port postgresql to bbbb:bbbb:bbbb::/48 \
>     peer d.d.d
>
> Produces wrong flows (specifying only destination port from first selector):
>
> flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from bbbb:bbbb:bbbb::/48 *port 8000* to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp in proto tcp from bbbb:bbbb:bbbb::2 *port 8000* to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d::/48 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
> flow esp out proto tcp from 2a04:5200:fff5::30 to fdd3:d128:dc2d:10::2 *port 8000* peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
Actually whatever is used as "port" on the first selector is used for all other selectors; if there is no port on the first selector, no port is used for any others. I had a look but I think it's beyond my yacc skills.
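A small audit script, added here and not part of the thread or of iked itself, that derives the flows each traffic selector should produce (one "out" flow plus its mirrored "in" flow) and diffs them against flow lines in the format quoted in the report. It assumes postgresql resolves to 5432 and uses constructed flow lines with the report's addresses harmonised to the anonymised aaaa/bbbb/cccc form; only a crude regex is used, not iked's parser.

```python
"""Compare installed iked flows against the intended traffic selectors."""
import re

# Constructed from the reported iked.conf: (src, sport, dst, dport).
# The service name postgresql is assumed to resolve to 5432.
POLICY = [
    ("aaaa:aaaa:aaaa::30", None, "bbbb:bbbb:bbbb:10::2", 8000),
    ("aaaa:aaaa:aaaa::30", 5432, "cccc:cccc:cccc::/48", None),
    ("aaaa:aaaa:aaaa::30", 5432, "bbbb:bbbb:bbbb::/48", None),
]

# Constructed flow lines modelled on the report (addresses harmonised).
FLOWS = """\
flow esp in proto tcp from cccc:cccc:cccc::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb::/48 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp in proto tcp from bbbb:bbbb:bbbb:10::2 port 8000 to aaaa:aaaa:aaaa::30 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to cccc:cccc:cccc::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb::/48 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
flow esp out proto tcp from aaaa:aaaa:aaaa::30 to bbbb:bbbb:bbbb:10::2 port 8000 peer d.d.d srcid FQDN/a.a.a dstid FQDN/d.d.d type require
"""

FLOW_RE = re.compile(
    r"^flow esp (in|out) proto \S+ from (\S+)(?: port (\d+))?"
    r" to (\S+)(?: port (\d+))? peer"
)


def expected_flows(policy):
    """Each selector should yield an 'out' flow and a mirrored 'in' flow."""
    want = set()
    for src, sport, dst, dport in policy:
        want.add(("out", src, sport, dst, dport))
        want.add(("in", dst, dport, src, sport))
    return want


def parse_flows(text):
    """Parse flow lines into (dir, src, sport, dst, dport) tuples."""
    have = set()
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            d, src, sp, dst, dp = m.groups()
            have.add((d, src, int(sp) if sp else None,
                      dst, int(dp) if dp else None))
    return have


def audit(policy, flow_text):
    """Return (missing, unexpected) flow sets relative to the policy."""
    want, have = expected_flows(policy), parse_flows(flow_text)
    return want - have, have - want
```

On the reported flows only the first selector's pair survives; the two postgresql selectors are missing entirely and four flows carrying port 8000 on the wrong endpoint show up as unexpected.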