[strongSwan] strange traffic selector selecting behavior

Tobias Brunner tobias at strongswan.org
Mon Aug 12 16:19:39 CEST 2019

Hi Jaehong,

> StrongSwan selects the wrong selector and programs xfrm incorrectly.

No, everything works as it's designed to.  However, there are several
aspects that result in the "wrong" outcome in your case.

It starts with the ping utility that opens a UDP socket to determine
which local address it should use as source in the ICMP packets.  This
socket may trigger matching trap policies (auto=route) and the data
(protocol/ports) of this (unused) UDP connection is received in the
acquire message from the kernel.  By default, strongSwan prepends that
received traffic selector to the list of traffic selectors (to allow
responders to select the most specific traffic selector, which is what
happens here).

You can avoid the UDP socket in ping by selecting a specific source IP
via -I <IP>.  You can also prevent strongSwan from adding the traffic
selectors from the acquire by enabling charon.ignore_acquire_ts.  You
could also make the trap policy more specific (e.g. so it doesn't match
UDP if that's not intended).
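
The source-address probe described above, as an added example (not part of the original message, and not code from ping or strongSwan): `connect()` on a UDP socket sends no packet but makes the kernel do the route lookup for a UDP flow, and the protocol and ports printed here are the kind of data the message says ends up in the acquire. The function name `probe_source`, the loopback destination and port 1025 are constructed for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Ask the kernel which local address/port it would use to reach dst:dport.
 * connect() on a datagram socket sends nothing; it only fixes the peer and
 * performs the route lookup. Returns 0 on success, -1 on error. */
int probe_source(const char *dst, unsigned short dport,
                 char *src, size_t srclen, unsigned short *sport)
{
    struct sockaddr_in peer, local;
    socklen_t len = sizeof(local);
    int rc = -1;
    int fd;

    memset(&peer, 0, sizeof(peer));
    peer.sin_family = AF_INET;
    peer.sin_port = htons(dport);
    if (inet_pton(AF_INET, dst, &peer.sin_addr) != 1)
        return -1;

    fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;

    if (connect(fd, (struct sockaddr *)&peer, sizeof(peer)) == 0 &&
        getsockname(fd, (struct sockaddr *)&local, &len) == 0 &&
        inet_ntop(AF_INET, &local.sin_addr, src, srclen) != NULL) {
        *sport = ntohs(local.sin_port);  /* ephemeral port chosen by the kernel */
        rc = 0;
    }
    close(fd);
    return rc;
}

int main(void)
{
    char src[INET_ADDRSTRLEN];
    unsigned short sport;
    const char *dst = "127.0.0.1";  /* constructed sample, runs offline */
    unsigned short dport = 1025;    /* constructed sample port */

    if (probe_source(dst, dport, src, sizeof(src), &sport) != 0) {
        perror("probe_source");
        return 1;
    }
    /* Protocol and ports of the unused UDP flow, not of the later ICMP. */
    printf("proto=udp(17) %s[%u] -> %s[%u]\n", src, sport, dst, dport);
    return 0;
}
```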

