Encrypt specific protocols only



  • (First of all, sorry for the bad English.)

    Hi everybody, I've been fighting a tricky VPN connection for the last few days, which has some specific requirements. The only one still kicking is the need to encrypt certain protocols only (GRE in this case).

    According to the strongSwan wiki, this can be achieved in one of two ways: left|rightprotoport (which is being deprecated) or appending them after the left|rightsubnet parameter.

    I kind of fixed it by adding "leftprotoport = gre" and "rightprotoport = gre" in the vpn.inc file, but this setup adds this parameter to all defined VPNs. At the moment that's not an issue because it's the only one I have, but it will be a problem in the near future.

    With my very limited programming skills, I've been trying to get the left|rightsubnet option working. I managed to disable the NAT and remote network validation in order to pass the [gre] value into the field, but the subnet mask keeps getting appended at the end of the line in ipsec.conf (leftsubnet = 10.10.10.10[gre]/24) and I'm not finding where in the code it is.

    If some of the code gurus could lend me a hand on removing the subnet bits I'll be forever grateful (I guess this will work; I just need to add them to the NAT and remote network fields).

    Greetings from Uruguay!
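    The selector syntax the post is fighting with, as an added example (Python, not pfSense's PHP or strongSwan code): strongSwan expects the prefix length before the bracketed protocol suffix (10.10.10.0/24[gre]), so a generator must append [proto] after the mask, and a parser can reject the misplaced form 10.10.10.10[gre]/24 that the GUI was producing. The regex and function names are assumptions for this illustration.

    ```python
    import ipaddress
    import re
    from typing import Optional

    # Assumed shape of a strongSwan left|rightsubnet value: <subnet>[<proto>[/<port>]]
    # e.g. 10.10.10.0/24[gre] or 192.168.1.0/24[tcp/http]
    _SELECTOR = re.compile(
        r"^(?P<net>[^\[\s]+)"
        r"(?:\[(?P<proto>[A-Za-z0-9]+)(?:/(?P<port>[A-Za-z0-9-]+))?\])?$"
    )


    def build_selector(network: str, proto: Optional[str] = None,
                       port: Optional[str] = None) -> str:
        """Render a subnet selector with the protocol suffix AFTER the prefix length."""
        # strict=False normalises a host-with-mask form (10.10.10.10/24) to 10.10.10.0/24
        net = ipaddress.ip_network(network, strict=False)
        if proto is None:
            return str(net)
        if port is None:
            return f"{net}[{proto}]"
        return f"{net}[{proto}/{port}]"


    def parse_selector(value: str) -> dict:
        """Split a selector into network, protocol and port.

        Raises ValueError for the misplaced-mask form 10.10.10.10[gre]/24, because
        the trailing /24 is left over after the bracketed suffix.
        """
        m = _SELECTOR.match(value.strip())
        if not m:
            raise ValueError(f"malformed selector: {value!r}")
        net = ipaddress.ip_network(m["net"], strict=False)
        return {"net": str(net), "proto": m["proto"], "port": m["port"]}


    def is_valid_selector(value: str) -> bool:
        """True if the selector parses, so a GUI could validate a field before writing ipsec.conf."""
        try:
            parse_selector(value)
            return True
        except ValueError:
            return False


    if __name__ == "__main__":
        # Constructed sample values, not from the thread's actual config
        print("leftsubnet =", build_selector("10.10.10.10/24", "gre"))   # 10.10.10.0/24[gre]
        print(is_valid_selector("10.10.10.10[gre]/24"))                  # False
    ```
    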


  • Rebel Alliance Developer Netgate

    We don't have a way to set that currently. But if the remote end is a Cisco they can usually set their protocol selector to 0 to let it work.



  • The remote end is in fact a Cisco device, but it belongs to a bank and they tend to enforce their policies pretty hard.

    Anyway, the best approach would be to add a few more fields to the phase 2 GUI page and attach their content to the rightsubnet and leftsubnet parameters in the ipsec.conf file.

    Should I enter a feature request for that, or is this too specific to even be considered?


  • Rebel Alliance Developer Netgate

    You can make a feature request for it. It is something we've talked about (specifically for GRE if not others) but there wouldn't be an ETA for that, maybe even after 2.3 unless someone does the work and submits it as a pull request.



  • I ended up doing it myself.

    Read a little PHP, touched here and there on a test environment, and voilà.

    Been testing a few protocols and ports and it seems to be OK.

    No idea how to make a pull request, but I've left the modified files attached to this post just in case someone needs them.





    protoport.zip

