* - this is an outbound policy (to just get one for each child)
* - routing is not disabled via strongswan.conf
* - the selector is not for a specific protocol/port
+ * - no XFRM interface ID is configured
* - we are in tunnel/BEET mode or install a bypass policy
*/
if (policy->direction == POLICY_OUT && this->install_routes &&
- !policy->sel.proto && !policy->sel.dport && !policy->sel.sport)
+ !policy->sel.proto && !policy->sel.dport && !policy->sel.sport &&
+ !policy->if_id)
{
if (mapping->type == POLICY_PASS ||
(mapping->type == POLICY_IPSEC && ipsec->cfg.mode != MODE_TRANSPORT))
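Review bot: The added `!policy->if_id` term in the `if` condition skips route installation without any log output, so when a connection with an interface ID passes no traffic because nothing routes packets to the XFRM interface, the operator gets no hint from the daemon. Consider a debug-level message on the skipped path that names the interface ID. Only the install side is visible here; if the policy removal path decides whether to delete a route from the same set of conditions, it needs the same `!policy->if_id` term so that install and removal stay symmetric.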
instance, beyond that the value _%unique-dir_ assigns a different unique
interface ID for each CHILD_SA direction (in/out).
+ The daemon will not install routes for CHILD_SAs that have this option set.
+
connections.<conn>.children.<child>.set_mark_in = 0/0x00000000
Netfilter mark applied to packets after the inbound IPsec SA processed them.
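Review bot: The sentence added at the end of the interface ID description says that routes are not installed, but not what the operator has to do instead. Suggest adding that routes directing traffic to the XFRM interface must then be configured outside the daemon. The code check is made on outbound policies (`policy->direction == POLICY_OUT` together with `!policy->if_id`), so the text should also state whether "this option" means the inbound ID, the outbound ID, or either one.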