services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.per_cpu_sas

Enable per-CPU CHILD_SAs. Requires start_action to be set to trap. The value encap enables a special type of UDP encapsulation (this also requires enabling encap for the connection if there is no NAT), in which a random source port is used for each outbound per-CPU SA while the destination port for all of them remains 4500. This allows the UDP source port to be used for receive-side scaling (RSS) when the ESP SPI cannot be used for that purpose. Note that this behavior is neither standardized nor negotiated: the peer's random source port is unknown if it has this option enabled, so, regardless of whether the option is enabled locally, inbound per-CPU SAs with UDP encapsulation always have their source port set to 0.

StrongSwan default: "no"
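The following NixOS configuration is added here as an illustration; it is not taken from the MyNixOS page or from the strongSwan project. It shows the option in context together with the two settings the description makes it depend on: start_action set to trap on the child, and encap enabled on the connection so that UDP encapsulation is used even when no NAT is detected. The connection name, addresses, identities, certificate file name and traffic selectors are placeholders.

```nix
# Added example (not from the MyNixOS page or the strongSwan project).
# All names, addresses, identities and traffic selectors are placeholders.
{ config, pkgs, ... }:

{
  services.strongswan-swanctl = {
    enable = true;

    swanctl.connections.site-a = {
      local_addrs  = [ "192.0.2.10" ];
      remote_addrs = [ "198.51.100.20" ];

      # per_cpu_sas = "encap" relies on UDP encapsulation, so force it on
      # for the whole connection even when no NAT is detected.
      encap = true;

      # Certificate-based authentication; the certificate and private key
      # are expected in swanctl's credential directories and are not part
      # of this snippet (no secrets end up in the world-readable Nix store).
      local.main = {
        auth  = "pubkey";
        certs = [ "site-a.pem" ];
        id    = "CN=site-a.example.net";
      };
      remote.main = {
        auth = "pubkey";
        id   = "CN=site-b.example.net";
      };

      children.net = {
        local_ts  = [ "10.1.0.0/24" ];
        remote_ts = [ "10.2.0.0/24" ];

        # per_cpu_sas requires a trap policy: start_action must be "trap",
        # not "start" or "none".
        start_action = "trap";

        # "yes" would enable per-CPU SAs with ordinary encapsulation;
        # "encap" additionally uses a random UDP source port for each
        # outbound per-CPU SA (destination port stays 4500) so that RSS
        # can hash on the port when it cannot hash on the SPI.
        per_cpu_sas = "encap";
      };
    };
  };
}
```

After the rebuild, swanctl --list-sas lists the CHILD_SAs that traffic matching the trap policy has triggered. Keep in mind that the random source port is neither standardized nor negotiated, so the peer's inbound per-CPU SAs will carry source port 0 whatever its own setting, exactly as the description above states.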

Declarations
Type
null or one of "yes", "no", "encap"
Default
null