Hi Tiago,

> I'm trying to restrict the traffic selector to GRE/BGP:
>
> rightsubnet=%dynamic[gre/bgp]

If the protocol in an IPsec policy is GRE the Linux kernel matches
"ports" against the GRE Key (if any). It looks like the kernel matches
the source port (leftsubnet) against the upper 16 bits of the key and the
destination port (rightsubnet) against the lower 16 bits.

> However, if I change the TS to:
>
> rightsubnet=%dynamic[gre]
> auto=route
>
> BGP (and other GRE-encapsulated traffic) does go through.

You could probably also use the above policy with XFRM marks and
Netfilter rules to only tunnel specific packets.

Regards,
Tobias
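
The key-to-port mapping described in the reply above, modelled as an added example (not part of the original message, and not strongSwan or kernel code). It shows why a `[gre/bgp]` selector does not match ordinary GRE packets: the "port" 179 is compared with the GRE key, not with the TCP port of the encapsulated BGP session. Function names and sample headers are constructed for illustration, and treating a packet without a key as ports 0/0 is an assumption.

```python
import struct

GRE_CSUM = 0x8000  # C bit: checksum + reserved word follows the base header
GRE_KEY = 0x2000   # K bit: 32-bit key word is present
BGP = 179          # port number that "bgp" resolves to in [gre/bgp]


def gre_key(header: bytes):
    """Return the 32-bit GRE key, or None when the K bit is not set."""
    if len(header) < 4:
        raise ValueError("truncated GRE header")
    flags, _proto = struct.unpack_from("!HH", header, 0)
    if not flags & GRE_KEY:
        return None
    # The key follows the optional checksum/reserved word.
    offset = 8 if flags & GRE_CSUM else 4
    if len(header) < offset + 4:
        raise ValueError("truncated GRE header")
    return struct.unpack_from("!I", header, offset)[0]


def selector_ports(header: bytes):
    """(source, destination) "ports" derived from the GRE key.

    Upper 16 bits -> source port, lower 16 bits -> destination port,
    as described in the reply. No key -> (0, 0) (assumption).
    """
    key = gre_key(header) or 0
    return key >> 16, key & 0xFFFF


def matches(header: bytes, sport=None, dport=None):
    """Check a GRE header against selector ports; None is a wildcard."""
    src, dst = selector_ports(header)
    return (sport is None or sport == src) and (dport is None or dport == dst)


# Constructed sample headers (flags, protocol type 0x0800 = IPv4 payload).
PLAIN = struct.pack("!HH", 0, 0x0800)                      # no key
KEYED = struct.pack("!HHI", GRE_KEY, 0x0800, BGP)          # key = 179
KEYED_CSUM = struct.pack("!HHHHI", GRE_KEY | GRE_CSUM, 0x0800, 0, 0,
                         (7 << 16) | BGP)                  # key = 7:179

if __name__ == "__main__":
    for name, hdr in (("plain", PLAIN), ("keyed", KEYED), ("csum", KEYED_CSUM)):
        print(name, selector_ports(hdr),
              "[gre/bgp]:", matches(hdr, dport=BGP), "[gre]:", matches(hdr))
```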
