PFKEYv2 has the general convention that SRC=from-address and
DST=to-address. This means that an incoming packet has
SRC==peer-address and DST==local-address.
However, in IKED I've noticed:
	/* local address */
	bzero(&sa_local, sizeof(sa_local));
	sa_local.sadb_address_exttype = SADB_EXT_ADDRESS_SRC;
	sa_local.sadb_address_len =
	    (sizeof(sa_local) + ROUNDUP(slocal.ss_len)) / 8;

	/* peer address */
	bzero(&sa_peer, sizeof(sa_peer));
	sa_peer.sadb_address_exttype = SADB_EXT_ADDRESS_DST;
	sa_peer.sadb_address_len =
	    (sizeof(sa_peer) + ROUNDUP(speer.ss_len)) / 8;
i.e., a flow from SRC-to-DST ignores the direction and always has
SRC==local and DST==peer/remote. This seems wrong.
With libreswan I ended up mimicking this via:
	case KERNEL_POLICY_DIR_INBOUND:
		/* XXX: notice how DST gets SRC's value et al. */
		put_sadb_address(&req, SADB_EXT_ADDRESS_DST,
				 kernel_policy->src.host);
		put_sadb_address(&req, SADB_EXT_ADDRESS_SRC,
				 kernel_policy->dst.host);
		break;
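To show the direction-dependent assignment the post describes (SRC=from-address, DST=to-address, so an inbound flow carries SRC=peer and DST=local), here is an added C example that is not code from iked or libreswan. It carries a local copy of RFC 2367's struct sadb_address and SADB_EXT_ADDRESS_* values so it builds without the PF_KEY header, sizes the sockaddr from its family instead of the BSD-only ss_len, and the names flow_addr_exts, addr_ext and flow_dir are its own.

```c
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* Local copy of the RFC 2367 address extension header and exttype values, so
 * this builds without <net/pfkeyv2.h>; layout and values are the standard ones. */
struct sadb_address {
	uint16_t sadb_address_len;      /* header + rounded sockaddr, in 8-byte units */
	uint16_t sadb_address_exttype;  /* SADB_EXT_ADDRESS_SRC or _DST */
	uint8_t  sadb_address_proto;
	uint8_t  sadb_address_prefixlen;
	uint16_t sadb_address_reserved;
};
#define SADB_EXT_ADDRESS_SRC 5
#define SADB_EXT_ADDRESS_DST 6
#define PFKEY_ROUNDUP(x) (((x) + 7) & ~7)   /* extensions are 64-bit aligned */
enum flow_dir { FLOW_OUTBOUND, FLOW_INBOUND };
/* Extension header plus the sockaddr that follows it in the PF_KEY message. */
struct addr_ext {
	struct sadb_address hdr;
	const struct sockaddr_storage *addr;
};
static socklen_t sa_len_of(const struct sockaddr_storage *ss)
{	/* portable stand-in for ss_len: size the sockaddr from its family */
	return ss->ss_family == AF_INET  ? sizeof(struct sockaddr_in) :
	       ss->ss_family == AF_INET6 ? sizeof(struct sockaddr_in6) : 0;
}
static int fill_addr_ext(struct addr_ext *ext, uint16_t exttype,
    const struct sockaddr_storage *ss)
{
	socklen_t len = sa_len_of(ss);
	if (len == 0) return -1;        /* unsupported address family */
	memset(&ext->hdr, 0, sizeof(ext->hdr));
	ext->hdr.sadb_address_exttype = exttype;
	ext->hdr.sadb_address_len = (sizeof(ext->hdr) + PFKEY_ROUNDUP(len)) / 8;
	ext->addr = ss;
	return 0;
}
/* PF_KEY convention: SRC is the from-address and DST the to-address, so an
 * inbound flow carries SRC=peer, DST=local and an outbound one the reverse. */
int flow_addr_exts(enum flow_dir dir, const struct sockaddr_storage *local,
    const struct sockaddr_storage *peer, struct addr_ext *src, struct addr_ext *dst)
{
	const struct sockaddr_storage *from = (dir == FLOW_INBOUND) ? peer : local;
	const struct sockaddr_storage *to   = (dir == FLOW_INBOUND) ? local : peer;
	if (fill_addr_ext(src, SADB_EXT_ADDRESS_SRC, from) < 0) return -1;
	return fill_addr_ext(dst, SADB_EXT_ADDRESS_DST, to);
}
```

For an IPv4 sockaddr the extension length comes out as (8 + 16) / 8 = 3 and for IPv6 as (8 + 32) / 8 = 5, matching the ROUNDUP arithmetic in the iked fragment above.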