Strongswan: Transport mode with non-specific remote hosts


I am using strongSwan 5.2.1 on Debian Jessie, and am having trouble configuring it to do what I want.

Premise

In a test environment, I am seeking to use transport mode IPsec between a Linux virtual machine and a Windows virtual machine configured as an FTP server in active mode. The IPsec will be applied only to FTP traffic; that is, traffic to/from TCP ports 20 and 21 on the Windows VM. All other traffic between the two hosts (e.g. pings) should be unencrypted.

In the real-world scenario I am doing this for, the FTP server's IP address will vary, thus I would like my strongSwan configuration to not have to reference a specific remote IP.

ipsec.conf file on Linux

Contents are as follows:

# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
    # strictcrlpolicy=yes
    # uniqueid =  no
# Add connections here.
include /var/lib/strongswan/ipsec.conf.inc
conn main
    type=transport
    left=%any
    right=10.1.1.2
    leftauth=psk
    rightauth=psk
    ike=3des-sha1-modp1024
    esp=3des-sha1
    keyexchange=ikev1

conn data
    also=main
    rightsubnet=%dynamic[6/20]
    auto=route

conn command
    also=main
    rightsubnet=%dynamic[6/21]
    auto=route

The Issue

The ipsec.conf above does everything I want to do, except that the FTP server's IP address is specified in the file by the line right=10.1.1.2.

The auto=route parameter means that the key exchange is only initiated when traffic is detected going to/from 10.1.1.2 on TCP ports 20 or 21. I want a configuration that initiates key exchange to any IP address when traffic is detected going to/from that address's TCP ports 20 and 21.

Is such a configuration possible in strongSwan, and if not, is there any other keying daemon for Linux that can do what I want to achieve?

Additional Notes

  • Setting right=%any does not achieve what I want. This setting allows any remote host to initiate a key exchange with the local host; it does not mean that the local host will initiate a key exchange with any remote host.
  • The Windows host's IPsec configuration is set to use Any IP Address on both ends of the connection, and successfully behaves in the way that I want.
  • The use of IKEv1 in my configuration is for legacy compatibility.

Thank you.

Best Answer

To use right=%any with transport mode trap policies (i.e. auto=route) you need at least strongSwan 5.3.3. Refer to the ikev2/trap-any scenario for an example.
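As an added illustration of the answer (not the poster's file and not taken from the strongSwan project), this is the questioner's ipsec.conf reworked to use right=%any with trap policies, which the answer says requires strongSwan 5.3.3 or later. Assumed: the PSK placeholder in ipsec.secrets, the %dynamic selectors on both sides as in the trap-any scenario, and that the trap-any behaviour applies to the IKEv1 keyexchange the question uses, which should be verified on the installed version.

```ini
# ipsec.conf - added example; needs strongSwan >= 5.3.3 for right=%any with auto=route
config setup

conn main
    type=transport
    keyexchange=ikev1        # kept from the question for legacy peers (assumption: trap-any also applies here)
    left=%any
    right=%any               # no fixed peer: the remote address is taken from the packet that hits the trap
    leftsubnet=%dynamic      # local selector follows the address the triggering packet actually used
    leftauth=psk
    rightauth=psk
    ike=3des-sha1-modp1024
    esp=3des-sha1

# One trap policy per FTP port, so only TCP/20 and TCP/21 to any host are protected;
# everything else between the hosts (ICMP, other ports) stays in the clear.
conn data
    also=main
    rightsubnet=%dynamic[6/20]
    auto=route

conn command
    also=main
    rightsubnet=%dynamic[6/21]
    auto=route

# ipsec.secrets - one PSK that matches any local and any remote identity
# (placeholder value; replace with a strong shared secret)
#   %any %any : PSK "REPLACE-WITH-A-STRONG-SHARED-SECRET"

# Checks after `ipsec reload`:
#   ipsec version      -> must report 5.3.3 or newer
#   ipsec statusall    -> "Routed Connections" lists data and command as ROUTED, TRANSPORT
#   ip xfrm policy     -> out/in policies with selector 0.0.0.0/0 -> 0.0.0.0/0, proto tcp
#                         port 20 or 21, template mode transport, and no policy for other ports
```

If `ip xfrm policy` still shows a single fixed destination address in the selector, the daemon predates the trap-any support and the configuration has silently fallen back to the old behaviour.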
