[strongSwan] Traffic selector not working as expected
Tobias Brunner
tobias at strongswan.org
Mon Jul 6 11:24:30 CEST 2015
Hi Tiago,
> I'm trying to restrict the traffic selector to GRE/BGP:
>
> rightsubnet=%dynamic[gre/bgp]
If the protocol in an IPsec policy is GRE, the Linux kernel matches
"ports" against the GRE key (if any). It looks like the kernel matches
the source port (leftsubnet) against the upper 16 bits of the key and the
destination port (rightsubnet) against the lower 16 bits.
> However, if I change the TS to:
>
> rightsubnet=%dynamic[gre]
> auto=route
>
> BGP (and other GRE-encapsulated traffic) does go through.
You could probably also use the above policy with XFRM marks and
Netfilter rules to only tunnel specific packets.
Regards,
Tobias
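As an added illustration (not part of the list post, and not strongSwan's or the kernel's own code), here is a small Python model of the matching described in the reply, run over constructed GRE headers: the traffic selector's source/destination port is compared against the upper/lower 16 bits of the GRE key. It assumes that a GRE packet without the K bit is compared as if its key were 0, so only a selector with no ports (`[gre]`) matches it; that assumption, the `build_gre` helper and the sample headers are this example's, not the page's.

```python
import struct

# GRE header flag bits (RFC 2784 / RFC 2890), in the first 16-bit word.
GRE_FLAG_CSUM = 0x8000  # C: checksum + reserved1 word follows the base header
GRE_FLAG_KEY = 0x2000   # K: a 32-bit key word follows
GRE_FLAG_SEQ = 0x1000   # S: a sequence number follows

BGP_PORT = 179  # what "[gre/bgp]" resolves to as the destination port


def gre_key(packet: bytes):
    """Return the 32-bit GRE key from a GRE header, or None if the K bit is clear."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags_ver, _proto = struct.unpack("!HH", packet[:4])
    if not flags_ver & GRE_FLAG_KEY:
        return None
    # The key word sits after the optional checksum/reserved1 word.
    offset = 4 + (4 if flags_ver & GRE_FLAG_CSUM else 0)
    if len(packet) < offset + 4:
        raise ValueError("truncated GRE key field")
    return struct.unpack("!I", packet[offset:offset + 4])[0]


def key_as_ports(key):
    """Split a GRE key into the (sport, dport) pair a port-bearing GRE selector is compared against.

    Assumption (not stated in the post): an unkeyed packet behaves like key 0,
    so only a wildcard port in the selector can match it.
    """
    if key is None:
        key = 0
    return key >> 16, key & 0xFFFF


def selector_matches(packet: bytes, sport=None, dport=None) -> bool:
    """Does a GRE traffic selector with the given port(s) (None = any) match this packet?"""
    sp, dp = key_as_ports(gre_key(packet))
    return (sport is None or sport == sp) and (dport is None or dport == dp)


def build_gre(key=None, proto=0x0800) -> bytes:
    """Construct a minimal GRE header (sample data for this example, no payload)."""
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!HH", flags, proto)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr


# Constructed samples: an unkeyed GRE packet (as a plain GRE tunnel sends), and
# a keyed one whose low 16 bits happen to equal 179.
UNKEYED = build_gre()
KEYED_179 = build_gre(key=0x000000B3)

if __name__ == "__main__":
    # rightsubnet=%dynamic[gre/bgp] -> dport 179: only the keyed packet matches
    print(selector_matches(UNKEYED, dport=BGP_PORT))    # False
    print(selector_matches(KEYED_179, dport=BGP_PORT))  # True
    # rightsubnet=%dynamic[gre] -> no ports: both packets match
    print(selector_matches(UNKEYED), selector_matches(KEYED_179))  # True True
```

Under this model, `%dynamic[gre/bgp]` never matches ordinary unkeyed GRE, which is why the BGP session inside the tunnel only works with the portless `[gre]` selector; the port notation is only meaningful when the GRE key is deliberately set to the value the selector expects.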