[strongSwan] strange traffic selector selecting behavior

Jaehong Park jaehong.park at illumio.com
Mon Aug 12 17:28:48 CEST 2019


Thank you Tobias.

I figured out the second option you suggested and it resolved my problem.



> On Aug 12, 2019, at 7:19 AM, Tobias Brunner <tobias at strongswan.org> wrote:
> 
> Hi Jaehong,
> 
>> the StrongSwan select wrong selector and program xfrm incorrectly.
> 
> No, everything works as it's designed to.  However, there are several
> aspects that result in the "wrong" outcome in your case.
> 
> It starts with the ping utility that opens a UDP socket to determine
> which local address it should use as source in the ICMP packets.  This
> socket may trigger matching trap policies (auto=route) and the data
> (protocol/ports) of this (unused) UDP connection is received in the
> acquire message from the kernel.  By default, strongSwan prepends that
> received traffic selector to the list of traffic selectors (to allow
> responders to select the most specific traffic selector, which is what
> happens here).
> 
> You can avoid the UDP socket in ping by selecting a specific source IP
> via -I <IP>.  You can also prevent strongSwan from adding the traffic
> selectors from the acquire by enabling charon.ignore_acquire_ts.  You
> could also make the trap policy more specific (e.g. so it doesn't match
> UDP if that's not intended).
> 
> Regards,
> Tobias
> 
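For readers hitting the same thing, here is what the two strongSwan-side fixes Tobias mentions look like in configuration. This is an added example, not configuration from either poster; the connection name, addresses and subnets are made-up placeholders, and the only option taken from the thread is charon.ignore_acquire_ts.

```conf
# /etc/strongswan.conf (added example; only ignore_acquire_ts is the option
# discussed in the thread, the surrounding section is the usual minimal one)
charon {
    # Do not prepend the protocol/ports received in the kernel acquire
    # (e.g. from the throw-away UDP socket ping opens) to the list of
    # proposed traffic selectors; only the configured selectors are sent.
    ignore_acquire_ts = yes
}

# /etc/ipsec.conf (added example; names and addresses are constructed)
conn host-to-net
    # Install a trap policy; the tunnel is brought up by the first matching packet.
    auto=route
    left=192.0.2.10
    leftsubnet=192.0.2.10/32
    right=198.51.100.1
    # Alternative to ignore_acquire_ts: narrow the trap so it only matches
    # the traffic you actually want tunnelled. With [icmp] the UDP socket
    # that ping opens never matches the policy and never triggers an acquire.
    rightsubnet=203.0.113.0/24[icmp]
```

Either change is enough on its own. The narrowed selector also limits what the CHILD_SA will carry (here ICMP only), so use ignore_acquire_ts when the tunnel is meant to carry arbitrary traffic. Independently of the configuration, pinning the source address as Tobias suggests (e.g. ping -I 192.0.2.10 203.0.113.5 with the placeholder addresses above) avoids the UDP socket on the client side.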
