Hi Sumit,

> We have tested this with leftprotoport=0, rightprotoport=0 AND
> leftprotoport=hopopt, rightprotoport=hopopt.

You can't filter extension headers by the IPsec protocol selector; that selector applies to the protocol field, i.e. the protocol specified in the last extension header, if present. Please refer to RFC 4301, 4.4.1.1:

>   - Next Layer Protocol: Obtained from the IPv4 "Protocol" or the
>     IPv6 "Next Header" fields. This is an individual protocol
>     number, ANY, or for IPv6 only, OPAQUE. The Next Layer Protocol
>     is whatever comes after any IP extension headers that are
>     present. To simplify locating the Next Layer Protocol, there
>     SHOULD be a mechanism for configuring which IPv6 extension
>     headers to skip. The default configuration for which protocols
>     to skip SHOULD include the following protocols: 0 (Hop-by-hop
>     options), 43 (Routing Header), 44 (Fragmentation Header), and 60
>     (Destination Options). Note: The default list does NOT include
>     51 (AH) or 50 (ESP). From a selector lookup point of view,
>     IPsec treats AH and ESP as Next Layer Protocols.

Further (and for that reason), you can't negotiate protocol "0" as a selector in IKEv2; a protocol of zero means any protocol, refer to RFC 7296, 3.13.1:

>   o  IP protocol ID (1 octet) - Value specifying an associated IP
>      protocol ID (such as UDP, TCP, and ICMP). A value of zero means
>      that the protocol ID is not relevant to this Traffic Selector --
>      the SA can carry all protocols.

> Both ways, setkey entries come with "255" protocol number, and any
> traffic is allowed to be encrypted.
>
> 15.15.15.15[any] 14.14.14.14[any] 255

strongSwan installs a zero protocol as "any"; not sure why setkey prints 255 for "any" protocol. I personally prefer the iproute2 "ip" command on Linux.

Regards
Martin

_______________________________________________
Users mailing list
https://lists.strongswan..org/mailman/listinfo/users
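The two RFC rules Martin quotes can be shown in code: a selector lookup walks past the default-skipped IPv6 extension headers (0, 43, 44, 60) to find the Next Layer Protocol, and an IKEv2 traffic selector with protocol ID 0 matches every packet. The following is an added example written for this page, not strongSwan or kernel code; the packets, the addresses and the helper names are constructed for illustration, and the extension-header walk is a minimal implementation of the RFC 4301 rule, not the Linux XFRM one.

```python
"""Added example: find the IPsec Next Layer Protocol of an IPv6 packet per
RFC 4301 4.4.1.1 and apply an IKEv2 traffic-selector protocol ID
(RFC 7296 3.13.1, where 0 means "any"). All packets below are constructed."""
import struct

# Extension headers a selector lookup SHOULD skip by default (RFC 4301).
# AH (51) and ESP (50) are deliberately NOT in this set.
SKIPPED_EXT_HEADERS = {0, 43, 44, 60}  # HOPOPT, Routing, Fragment, DestOpts


def next_layer_protocol(pkt: bytes) -> int:
    """Walk the extension-header chain and return the Next Layer Protocol.

    Starts at the fixed header's Next Header field and stops at the first
    header not in SKIPPED_EXT_HEADERS. Raises ValueError on truncation.
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    while nh in SKIPPED_EXT_HEADERS:
        if nh == 44:  # Fragment header: fixed 8 octets, no length field
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            nh, off = pkt[off], off + 8
            continue
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        # HOPOPT / Routing / DestOpts: Hdr Ext Len is in 8-octet units,
        # not counting the first 8 octets.
        hdr_len = (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        nh, off = pkt[off], off + hdr_len
    return nh


def selector_matches(ts_protocol: int, pkt: bytes) -> bool:
    """IKEv2 TS protocol check: ID 0 matches all protocols (RFC 7296)."""
    if ts_protocol == 0:
        return True
    return next_layer_protocol(pkt) == ts_protocol


def ipv6_packet(next_header: int, payload: bytes) -> bytes:
    """Constructed IPv6 fixed header (documentation prefix addresses) + payload."""
    src = bytes.fromhex("20010db8000000000000000000000001")
    dst = bytes.fromhex("20010db8000000000000000000000002")
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + src + dst + payload


def hopopt_header(next_header: int) -> bytes:
    """Minimal 8-octet Hop-by-Hop header: Next Header, Hdr Ext Len 0, PadN(4)."""
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


# Constructed payloads: a UDP header (port 500, checksum left 0) and a dummy ESP stub.
UDP_HDR = struct.pack("!HHHH", 500, 500, 8, 0)
PLAIN_UDP = ipv6_packet(17, UDP_HDR)
HOPOPT_UDP = ipv6_packet(0, hopopt_header(17) + UDP_HDR)
HOPOPT_ESP = ipv6_packet(0, hopopt_header(50) + b"\x00" * 8)

if __name__ == "__main__":
    for name, p in (("udp", PLAIN_UDP), ("hopopt+udp", HOPOPT_UDP), ("hopopt+esp", HOPOPT_ESP)):
        # A "hopopt" selector (protocol 0) matches every packet; a UDP selector
        # still sees 17 behind the Hop-by-Hop header, never 0.
        print(name, next_layer_protocol(p), selector_matches(0, p), selector_matches(17, p))
```

The point of the three constructed packets: the lookup never returns 0 for a packet carrying a Hop-by-Hop header, so a selector of "hopopt" could only ever be encoded as protocol ID 0, which the IKEv2 TS payload defines as "any".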
