Hi Fred,

> When the remote peer address changes,
> strongswan correctly processes the XFRM_MSG_MAPPING message, and updates
> the xfrm SA and SP in the Linux kernel, except the traffic selector.

Yes, updating that selector was, in fact, missing in the responsible function. I pushed a potential fix to the kernel-netlink-update-sel branch of our repository [1] (only compile tested). Let me know if that works for you.

Regards,
Tobias

[1] https://git.strongswan.org/?p=strongswan.git;a=shortlog;h=refs/heads/kernel-netlink-update-sel