[strongSwan] SA establishment is triggered by icmp traffic, when the rule is added for udp
martin at strongswan.org
Tue Apr 24 08:49:11 CEST 2012

> Why is SA getting created by ICMP traffic, when the rule is added only
> for UDP traffic?

While this might be a little unexpected, it really works this way on
most Linux boxes. The reason is that the ping utility binds a UDP socket
to probe for a source address. While no traffic is actually sent, this
is sufficient to trigger an acquire by the kernel.

If you explicitly set a source address with ping, the bind() is not done
and the SA shouldn't trigger.
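
The following is an added example, not part of the original message and not code from ping or strongSwan. It sketches a UDP source-address probe of the kind described above, assuming the probe is done with connect() followed by getsockname() (connect() binds the socket implicitly); the function name `probe_source` and the port number are made up for the illustration.

```c
/* Added illustration: ask the kernel which source address it would use. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define PROBE_PORT 1025 /* arbitrary port chosen for this example */

/* Writes the selected source address into src; returns 0 on success, -1 on error. */
int probe_source(const char *dst_ip, char *src, size_t srclen)
{
    struct sockaddr_in dst, local;
    socklen_t len = sizeof(local);
    int rc = -1;

    memset(&dst, 0, sizeof(dst));
    dst.sin_family = AF_INET;
    dst.sin_port = htons(PROBE_PORT);
    if (inet_pton(AF_INET, dst_ip, &dst.sin_addr) != 1)
        return -1;

    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    /* connect() on a UDP socket sends nothing, but the kernel resolves a
     * route for a UDP flow to dst. Per the explanation above, this is the
     * step at which a policy matching UDP can trigger an acquire. */
    if (connect(fd, (struct sockaddr *)&dst, sizeof(dst)) == 0 &&
        getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, src, srclen) != NULL)
        rc = 0;

    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    char src[INET_ADDRSTRLEN];
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1";
    if (probe_source(dst, src, sizeof(src)) != 0)
        return 1;
    printf("source address for %s: %s\n", dst, src);
    return 0;
}
```

Running it against a destination covered by a UDP-only policy while watching the IKE daemon log shows whether the lookup alone, with no datagram on the wire, starts a negotiation.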