[strongSwan] Bypass policies have too low priority

Tobias Brunner tobias at strongswan.org
Thu Aug 21 09:54:09 CEST 2014

Hi Noel,

> I use bypass policies and just found out that strongSwan installs those with a lower priority than the tunnel policies.
> So bypass policies don't actually work some times.

The Linux kernel actually prefers policies with lower priorities (by
their numeric value).

> In this particular case, if I change the TS of a connection from == <censored>/32
> to ==,
> all packets leave through the tunnel, although the bypass policies should prevent that.

Changing the remote TS to /0 should definitely increase the priority
value (/24 === /0 should get you 2947 instead of 2883 for /24 on both

What particular packets (source/destination) do you see entering the
tunnel?  Do the counters increase (ip -s state)?  What about the use
times of the in/out bypass policies (ip -s policy)?

> src dst
>         dir fwd priority 1443
> src dst
>         dir fwd priority 1443

This looks odd.  The second policy above should be *in* not *fwd*.  Typo?
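As an added example that is not part of the thread or of strongSwan itself: a small Python checker that parses constructed `ip -s xfrm policy` output and, for every bypass policy, reports whether a covering tunnel policy in the same direction carries a numerically lower (and therefore preferred) priority. The sample output, the addresses and the 3011 priority are constructed for illustration.

```python
import ipaddress
import re

# Constructed `ip -s xfrm policy` excerpt (not from the thread); the "in" bypass
# priority is deliberately set high to show the losing case.
SAMPLE = """\
src 10.1.0.0/24 dst 0.0.0.0/0
    dir out priority 2883 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
      add 2014-08-21 09:00:00 use -
src 10.1.0.0/24 dst 10.1.5.0/24
    dir out priority 1443 ptype main
      add 2014-08-21 09:00:00 use 2014-08-21 09:10:00
src 0.0.0.0/0 dst 10.1.0.0/24
    dir in priority 2883 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
      add 2014-08-21 09:00:00 use 2014-08-21 09:12:00
src 10.1.5.0/24 dst 10.1.0.0/24
    dir in priority 3011 ptype main
      add 2014-08-21 09:00:00 use -
"""

def parse_policies(text):
    """One dict per policy: selector, direction, priority, kind and last-use time."""
    policies = []
    for block in re.split(r"^(?=src )", text, flags=re.M):
        sel = re.match(r"src (\S+) dst (\S+)", block)
        if not sel:
            continue
        d = re.search(r"dir (\w+) priority (\d+)", block)
        use = re.search(r"\buse (\S+(?: \S+)?)\s*$", block, flags=re.M)
        policies.append({
            "src": ipaddress.ip_network(sel.group(1)),
            "dst": ipaddress.ip_network(sel.group(2)),
            "dir": d.group(1), "priority": int(d.group(2)),
            "kind": "tunnel" if "tmpl " in block else "bypass",  # no template = plaintext
            "use": use.group(1) if use else "-",
        })
    return policies

def check_bypasses(policies):
    """Pair each bypass with covering tunnel policies of the same direction; the kernel
    takes the numerically lower priority, so a bypass with the higher value loses."""
    report = []
    for b in (p for p in policies if p["kind"] == "bypass"):
        for t in (p for p in policies if p["kind"] == "tunnel" and p["dir"] == b["dir"]):
            if b["src"].subnet_of(t["src"]) and b["dst"].subnet_of(t["dst"]):
                verdict = "ok" if b["priority"] < t["priority"] else "shadowed"
                report.append((b["dir"], str(b["src"]), str(b["dst"]),
                               b["priority"], t["priority"], verdict))
    return report
```

Feeding it real output (`ip -s xfrm policy > dump.txt`) and printing `check_bypasses(parse_policies(open("dump.txt").read()))` shows which bypass policies can never match, and the parsed `use` field shows whether the kernel has ever hit them.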
