[strongSwan] Wrong traffic selecting on local side.

Jaehong Park jaehong.park at illumio.com
Mon Aug 7 17:45:58 CEST 2017

Thanks Tobias.

That make sense a lot.

Here is another question.

If I split these into

Server side ( IP address is
conn tcp_4001
conn udp_4001

Client side  (IP address is

conn 4.10-6-3-
conn 4.10-6-3-

And if I do udp iperf3 testing on port 4001, from client to server

Somehow the all the SA is up  and TCP control packets flows but not the UDP data traffic.

Is there a known issue with this configuration with certain kernel that you are aware of?

I am using CentOS 6.6


On Aug 7, 2017, at 2:26 AM, Tobias Brunner <tobias at strongswan.org<mailto:tobias at strongswan.org>> wrote:

Hi Jaehong,

This is the charon.log with debug level 2, when the problem happens.
At the end of selecting ts for us, it picks tcp_udp_4001 instead of
selecting icmp_any.
Is this a bug?

Not really.  The tcp_udp_4001 connection allows any protocol, so when
the peer proposes ICMP that's perfectly acceptable.  The port 4001 is
interpreted as ICMP type and code in the upper and lower bytes, i.e. 15
and 161, respectively.  And this type of narrowing is perfectly fine.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170807/68c900db/attachment.html>

More information about the Users mailing list