
services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.icmp

Whether to forward certain ICMP error messages even if their source IP address doesn't match the negotiated IPsec policies.

ICMP error messages, such as Destination Unreachable, Time Exceeded or Fragmentation Needed, may be generated by a host whose IP address isn't included in the negotiated traffic selectors and therefore doesn't match the IPsec policies. If this option is enabled and the kernel supports it, such packets may still be forwarded. As ICMP errors contain parts of the IP packet that triggered them, the kernel will base its decision on a reverse policy lookup using that IP header.

StrongSwan default: false.
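Because this option lives under a child SA of a swanctl connection, the value has to be set per child. The following NixOS configuration is an added example, not taken from the nixpkgs module or the strongSwan documentation; the connection name, subnets and peer address are constructed, and the sibling keys (`local_ts`, `remote_ts`, `local_addrs`, `remote_addrs`) are assumed to mirror the swanctl.conf keys of the same name.

```nix
{ config, ... }:
{
  services.strongswan-swanctl = {
    enable = true;
    swanctl.connections."site-to-site" = {
      # Constructed peer address for the example; replace with the real gateway.
      local_addrs  = [ "192.0.2.1" ];
      remote_addrs = [ "198.51.100.1" ];

      children."lan-to-lan" = {
        # Traffic selectors for the protected subnets (constructed values).
        local_ts  = [ "10.0.0.0/24" ];
        remote_ts = [ "10.1.0.0/24" ];

        # Allow ICMP errors (e.g. Fragmentation Needed from an intermediate
        # router outside 10.1.0.0/24) to be forwarded over the SA. The kernel
        # decides via a reverse policy lookup on the embedded IP header, so
        # only errors that refer to traffic covered by the selectors above pass.
        # null (the NixOS default) leaves strongSwan's own default, false.
        icmp = true;
      };
    };
  };
}
```

Leaving `icmp` at `null` keeps strongSwan's default of `false`, in which case such errors are dropped by the policy check. Enabling it is most relevant when path MTU discovery across the tunnel fails, since the Fragmentation Needed messages come from routers whose addresses are not in the remote traffic selector.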

Type: null or boolean

Default: null