[strongSwan] Traffic selector not working as expected

Tobias Brunner tobias at strongswan.org
Mon Jul 6 11:24:30 CEST 2015

Hi Tiago,

> I'm trying to restrict the traffic selector to GRE/BGP:
>          rightsubnet=%dynamic[gre/bgp]

If the protocol in an IPsec policy is GRE the Linux kernel matches
"ports" against the GRE Key (if any).  It looks like the kernel matches
the source port (leftsubnet) against the upper 16-bit of the key and the
destination port (rightsubnet) against the lower 16-bit.

> However, if I change the TS to:
>          rightsubnet=%dynamic[gre]
>          auto=route
> BGP (and other GRE-encapsulated traffic) does go through.

You could probably also use the above policy with XFRM marks and
Netfilter rules to only tunnel specific packets.


More information about the Users mailing list