> For the flow below, the first selector applies to traffic on to port
> 20:
>
> ikev2 active esp proto tcp \
> from ... port 20 to ... \
> from ... to ... \
> ...
>
> When the first traffic selector does not specify a port, the port
> restriction of any following traffic selectors will not have effect:
>
> ikev2 active esp proto tcp \
> from ... to ... \
> from ... port 20 to ... \
> ...
>
> The effect can be seen both with `ipsecctl -s all` and by monitoring
> traffic with tcpdump.

I noticed that the general case seems to be that whatever port is specified (or omitted) for the first selector applies to all the following selectors. It means that in the first example, the second traffic selector will be restricted to port 20, just as the second traffic selector in the second example will not have a port restriction.
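
A configuration lint for this, as an added example that is not part of the original message: it assumes the behaviour reported in this thread (the first selector's port setting applies to every selector in the policy) and flags policies whose later selectors are written with different ports than the first. The sample configuration, its addresses and policy names, and the function names are constructed for illustration, and the parsing is simplified.

```python
import re

# Constructed sample in iked.conf style; addresses are documentation ranges.
SAMPLE_CONF = r"""
ikev2 "a" active esp proto tcp \
    from 192.0.2.0/24 port 20 to 198.51.100.0/24 \
    from 192.0.2.0/24 to 203.0.113.0/24 \
    peer 198.51.100.1
ikev2 "b" active esp proto tcp \
    from 192.0.2.0/24 to 198.51.100.0/24 \
    from 192.0.2.0/24 port 20 to 203.0.113.0/24 \
    peer 198.51.100.1
ikev2 "c" active esp proto tcp \
    from 192.0.2.0/24 port 20 to 198.51.100.0/24 \
    from 192.0.2.0/24 port 20 to 203.0.113.0/24 \
    peer 198.51.100.1
"""

# One traffic selector: from src [port sport] [(srcnat)] to dst [port dport]
SELECTOR = re.compile(
    r"\bfrom\s+\S+(?:\s+port\s+(?P<sport>\S+))?(?:\s+\(\S+\))?"
    r"\s+to\s+\S+(?:\s+port\s+(?P<dport>\S+))?")

def logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    joined = re.sub(r"\\\s*\n", " ", text)
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def port_mismatches(text):
    """Return (policy, selector_no, written_ports, first_selector_ports) for
    each later selector whose written (sport, dport) differs from the first."""
    findings = []
    for line in logical_lines(text):
        if not line.startswith("ikev2"):
            continue
        m = re.match(r'ikev2\s+"([^"]+)"', line)
        name = m.group(1) if m else "(unnamed)"
        ports = [(s.group("sport"), s.group("dport"))
                 for s in SELECTOR.finditer(line)]
        for number, written in enumerate(ports[1:], start=2):
            if written != ports[0]:
                findings.append((name, number, written, ports[0]))
    return findings

if __name__ == "__main__":
    for name, number, written, first in port_mismatches(SAMPLE_CONF):
        print(f"policy {name}: selector {number} written with ports {written}, "
              f"first selector has {first}")
```

Flagged policies are the ones to compare against the flows shown by `ipsecctl -s all`.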
