On 2025-10-03, François RONVAUX <[email protected]> wrote:
> I notice that when I create a tunnel between my router and my VPN machine
> to encapsulate the traffic of a client, the flow defined is not fully
> respected.
>
> iked.conf on the router:
>
> ikev2 'foo' active esp \
>     proto tcp \
>     from $CLIENT_IP to any port https \
>     local $GATEWAY_IP peer $VPN_IP \
>     srcid $GATEWAY_FQDN dstid $VPN_FQDN
>
> The traffic from the client to any host on the Internet is encapsulated even
> when the destination port is not https.
> Tested by connecting to the SSH and SMTP ports on different Internet hosts,
> watching the output of:
>
> tcpdump -ne -i enc0
> tcpdump -n -e -ttt -i pflog0
>
> I tried to replace https by 443 in the config file but it does not change
> the result.
That won't change anything, it just does a simple lookup from services.

> Is it my mistake or a bug?

I've had strangeness with port/protocol traffic selectors before (in
isakmpd, but it's the same kernel code), I don't recall any fixes. I
don't think this is a widely used feature.

> If it is a bug, can someone warn the dev? I cannot use the tool sendbug
> (SMTP connection blocked at home).

sendbug -P > somefile, copy to a machine with a configured email setup,
and send to bugs@. Or just write an email with the information. It all
just goes to the bugs@ mailing list.

-- 
Please keep replies on the mailing list.
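For reference, the flow from the original mail written out as a complete iked.conf fragment, with the checks from the thread alongside it. This is an added example, not part of either mail: the macro values (192.0.2.10 and the rest, from documentation ranges) are placeholders chosen here, and the fragment makes no claim about whether the kernel honours the proto/port selector, which is exactly the question the thread leaves open.

```conf
# iked.conf on the router (example values, not the poster's real addresses)
CLIENT_IP    = "192.0.2.10"          # client whose traffic is to be tunnelled
GATEWAY_IP   = "198.51.100.1"        # this router's public address
VPN_IP       = "203.0.113.5"         # the VPN machine
GATEWAY_FQDN = "gw.example.net"
VPN_FQDN     = "vpn.example.net"

# Intended policy: only TCP from the client to any destination port 443
# should be selected for ESP.  "port https" and "port 443" are equivalent;
# the name is only looked up in /etc/services at parse time.
ikev2 'foo' active esp \
    proto tcp \
    from $CLIENT_IP to any port https \
    local $GATEWAY_IP peer $VPN_IP \
    srcid $GATEWAY_FQDN dstid $VPN_FQDN

# A catch-all flow for comparison (what the poster observes behaviour like):
# ikev2 'foo-all' active esp \
#     from $CLIENT_IP to any \
#     local $GATEWAY_IP peer $VPN_IP \
#     srcid $GATEWAY_FQDN dstid $VPN_FQDN

# Checks after "iked -nf /etc/iked.conf" and a reload:
#   ipsecctl -s flow                      # do the installed flows carry "proto tcp" and "port 443"?
#   tcpdump -ni enc0 'not tcp port 443'   # anything here is non-HTTPS traffic going into the tunnel
#   tcpdump -n -e -ttt -i pflog0          # what pf logged for the same connections
```

The two tcpdump lines separate the question into "what did the kernel install" (the flow listing) and "what actually got encapsulated" (packets on enc0 that do not match the selector); if the flow listing already shows the port, the problem is in matching, and if it does not, the selector was lost before it reached the kernel.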

