[strongSwan] Selector problems with tunnel mode and VRRP addresses and GRE/IPSec

John A. Sullivan III jsullivan at opensourcedevel.com
Sat May 30 20:57:41 CEST 2015

Hello, all.  I'm working on a fairly complex setup where we are doing
ingress traffic shaping with an IFB interface including traffic
transported via GRE/IPSec on gateways using keepalived for VRRP.

We would normally use IPSec in transport mode for GRE/IPSec but that
seems to prevent the tc filters from seeing the contents of the IPSec
packets after decrypted.  In tunnel mode, the packet seems to take that
second path through the interface and the tc filters work as
expected . . . until it breaks.

The StrongSWAN gateways use VRRP on their public interfaces.  We only
run StrongSWAN on the active gateway and the tunnel end points are the
VIPs, i.e., the virtual IP addresses assigned by keepalived when the
gateway is operating as MASTER.  When a gateway fails, it tears down the
GRE and IPSec tunnels if it can, and the new MASTER establishes them
using the local VIP and terminating on the remote VIP.

This worked fine in transport mode but, in tunnel mode, it complains,
"no local address found in traffic select <VIP/32>".

I've tried playing with left/rightsourceip but this does not seem
applicable to what we are doing and breaks.  I've tried specifying
leftsubnet even though it is the same as left but that does not work.

How does one use tunnel mode to a VRRP VIP? Thanks - John
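For readers following the setup described above, here is a constructed ipsec.conf fragment (an added illustration, not configuration from the original post or from the strongSwan project) showing the shape of a GRE-over-IPsec connection in tunnel mode whose endpoints are the VRRP VIPs. The addresses (203.0.113.10 and 198.51.100.10), the connection name and the PSK authentication are assumptions; the only traffic selected for ESP is GRE between the two VIPs, and the connection is left at auto=add so that the keepalived MASTER transition script, not charon at startup, decides when it is brought up or torn down (the VIP must already be assigned to the interface at that point).

```ini
# Constructed example: GRE/IPsec in tunnel mode between two VRRP VIPs.
# Assumed values: local VIP 203.0.113.10, remote VIP 198.51.100.10.
config setup
    # only one gateway (the VRRP MASTER) runs strongSwan at a time
    uniqueids = yes

conn gre-vip
    keyexchange = ikev2
    type = tunnel
    authby = secret

    # IKE endpoints are the VIPs, not the physical interface addresses
    left = 203.0.113.10
    leftid = 203.0.113.10
    right = 198.51.100.10
    rightid = 198.51.100.10

    # traffic selectors: only the GRE packets exchanged between the VIPs
    leftsubnet = 203.0.113.10/32
    rightsubnet = 198.51.100.10/32
    leftprotoport = gre
    rightprotoport = gre

    # detect a peer that failed over and re-establish from the new MASTER
    dpdaction = restart
    dpddelay = 30s
    closeaction = restart

    # loaded but not started: the keepalived notify script runs
    # "ipsec up gre-vip" after the VIP is up and "ipsec down gre-vip"
    # before the VIP is released
    auto = add
```

The ordering matters for VRRP: charon can only pick a local address for the traffic selector if the VIP exists on an interface when the CHILD_SA is negotiated, so the notify script should add the VIP (keepalived does this on MASTER) and only then bring the connection up; on the BACKUP transition, tear the connection down before the VIP disappears.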
