Unfortunately there is another problem in the last KLIPS version 3.31, in which 
protoport no longer works with KLIPS.

Unfortunately I can't find which change or which commit is responsible for it.

The problem is that the eroute no longer contains the protoport and the eroute 
cannot be assigned:

klips_debug: ipsec_xmit_encap_bundle: shunt SA of DROP or no eroute: dropping.
klips_debug: ipsec_xsm: processing completed due to IPSEC_XMIT_STOLEN

Version 3.27 with correct port:
10.0.10.200/32:1701 -> 10.0.16.250/32:1701 => [email protected]: 17

Version 3.31 without port:
10.0.10.200/32 -> 10.0.16.250/32 => [email protected]: 17

Both X-source-flow-address and X-dest-flow-address have no port set:

klips_debug: pfkey_address_parse: found exttype = 21 (X-source-flow-address) 
family = 2 (AF_INET) address = 10.0.10.200 proto = 0 port = 0.
klips_debug: pfkey_address_parse: found exttype = 22 (X-dest-flow-address) 
family = 2 (AF_INET) address = 10.0.16.250 proto = 0 port = 0.

I know KLIPS should no longer be used, but since XFRMi is not yet fully usable 
for us and implementing it still requires a lot of effort, we have to rely on 
KLIPS again.

So at the moment I only have the option to stay at 3.27 and possibly use the 
most important patches and maybe some ikev2 fixes, or patch the KLIPS module, 
ignore the ports and if necessary, use iptables to block all connections that 
do not match the protoport.

Maybe you can give me a tip which change is responsible for this or whether you 
see a chance that the port will be passed on to KLIPS again.

Regards
Wolfgang

_______________________________________________
Swan-dev mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan-dev
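An added check, not code from the mail's author or from libreswan: a small parser for eroute lines in the format quoted above, which flags entries for a given protocol that should carry a protoport on both ends but carry none (the 3.31 symptom). The two sample lines are constructed from the versions shown in the mail; the SA identifier in them is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample eroute lines in the style quoted in the mail (3.27 with
# protoport, 3.31 without). The SA identifier is a made-up placeholder.
EROUTE_327 = "10.0.10.200/32:1701 -> 10.0.16.250/32:1701 => tun0xPLACEHOLDER@10.0.16.250: 17"
EROUTE_331 = "10.0.10.200/32 -> 10.0.16.250/32 => tun0xPLACEHOLDER@10.0.16.250: 17"

# src/mask[:port] -> dst/mask[:port] => said: proto
EROUTE_RE = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+/\d+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+/\d+)(?::(?P<dport>\d+))?\s*=>\s*"
    r"(?P<said>\S+):\s*(?P<proto>\d+)\s*$"
)


@dataclass
class Eroute:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    said: str
    proto: int


def parse_eroute(line: str) -> Eroute:
    """Parse one eroute line; raise ValueError on anything unrecognised."""
    m = EROUTE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised eroute line: {line!r}")
    return Eroute(
        src=m["src"],
        sport=int(m["sport"]) if m["sport"] else None,
        dst=m["dst"],
        dport=int(m["dport"]) if m["dport"] else None,
        said=m["said"],
        proto=int(m["proto"]),
    )


def find_unrestricted(lines: List[str], proto: int, port: int) -> List[Eroute]:
    """Return eroutes for `proto` whose selectors do not carry `port` on both
    ends; such entries match more traffic than the configured protoport."""
    hits = []
    for line in lines:
        er = parse_eroute(line)
        if er.proto == proto and (er.sport != port or er.dport != port):
            hits.append(er)
    return hits
```

Run it over the contents of the eroute table after a connection comes up; an empty result for the expected protocol and port means the selectors were installed as configured.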
