strongswan / strongswan

strongSwan - IPsec-based VPN
https://www.strongswan.org

Trap policies on Windows trigger also after tunnel creation, rendering them unusable #839

Open miolad opened 2 years ago

miolad commented 2 years ago

Responder:

Initiator:

Describe the bug

Trap policies installed by kernel-wfp on Windows initiators apparently have higher priority than IPsec filters, thus they get triggered even after the installation of the main IPsec filters. This means that communication over the secure channel cannot happen as all packets get dropped by the trap filter.

Note that this is not a new bug.

To Reproduce

Steps to reproduce the behavior:

  1. Setup Windows initiator with start_action = trap
  2. On the initiator, ping the remote_ts address to open the tunnel
  3. Every packet triggers a new acquisition of the CHILD_SA

Expected behavior

After the tunnel has been opened, packets that match the TS should not be dropped by the trap filter but rather go through the IPsec pipeline. Only one CHILD_SA should be installed.

Logs/Backtraces

For my testing I'm using this swanctl.conf configuration for the initiator:

connections {
    host-host-ike {
        remote_addrs = <responder pub ip>

        local {
            auth = pubkey
            certs = dave_cert.pem
            id = dave@strongswan.org
        }
        remote {
            auth = pubkey
        }

        children {
            host-host-ipsec {
                remote_ts = 192.168.1.243
                start_action = trap
            }
        }

        version = 2
        mobike = no
        reauth_time = 10800
    }
}

(Both the initiator and the responder are behind NAT)

Output from charon-svc.exe after ping 192.168.1.243:

PS C:\strongSwan> .\charon-svc.exe
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.4, Windows Client 6.2.9200 (SP 0.0)
00[LIB] loaded plugins: charon-svc nonce x509 pubkey pkcs1 pem openssl kernel-wfp kernel-iph socket-win vici
00[JOB] spawning 16 worker threads
00[DMN] executing start script 'swanctl-load' (swanctl --load-all)
no files found matching 'swanctl\conf.d/*.conf'
16[CFG] loaded certificate 'C=IT, O=strongSwan, CN=carol@strongswan.org'
07[CFG] loaded certificate 'C=IT, O=strongSwan, CN=dave@strongswan.org'
11[CFG] loaded certificate 'C=IT, O=strongSwan, CN=strongSwan Root Ca'
15[CFG] loaded RSA private key
09[CFG] loaded RSA private key
12[CFG] added vici connection: host-host-ike
12[CFG] installing 'host-host-ipsec'
00[DMN] swanctl-load: loaded certificate from 'swanctl\x509\carol_cert.pem'
00[DMN] swanctl-load: loaded certificate from 'swanctl\x509\dave_cert.pem'
00[DMN] swanctl-load: loaded certificate from 'swanctl\x509ca\ca_cert.pem'
00[DMN] swanctl-load: loaded RSA key from 'swanctl\private\carol_key.pem'
00[DMN] swanctl-load: loaded RSA key from 'swanctl\private\dave_key.pem'
00[DMN] swanctl-load: no authorities found, 0 unloaded
00[DMN] swanctl-load: no pools found, 0 unloaded
00[DMN] swanctl-load: loaded connection 'host-host-ike'
00[DMN] swanctl-load: successfully loaded 1 connections, 0 unloaded
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
03[IKE] initiating IKE_SA host-host-ike[1] to <responder pub ip>
03[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
03[NET] sending packet: from 192.168.43.81[49952] to <responder pub ip>[500] (852 bytes)
10[NET] received packet: from <responder pub ip>[500] to 192.168.43.81[49952] (305 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] received cert request for "C=IT, O=strongSwan, CN=strongSwan Root Ca"
10[IKE] sending cert request for "C=IT, O=strongSwan, CN=strongSwan Root Ca"
10[IKE] authentication of 'dave@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
10[IKE] sending end entity cert "C=IT, O=strongSwan, CN=dave@strongswan.org"
10[IKE] establishing CHILD_SA host-host-ipsec{2} reqid 1
10[ENC] generating IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
10[ENC] splitting IKE message (1888 bytes) into 2 fragments
10[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
10[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
10[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (1236 bytes)
10[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (724 bytes)
07[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (1236 bytes)
07[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
07[ENC] received fragment #1 of 2, waiting for complete IKE message
09[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (596 bytes)
09[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
09[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1760 bytes)
09[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
09[IKE] received end entity cert "C=IT, O=strongSwan, CN=carol@strongswan.org"
09[CFG]   using trusted ca certificate "C=IT, O=strongSwan, CN=strongSwan Root Ca"
09[CFG]   reached self-signed root ca with a path length of 0
09[CFG]   using trusted certificate "C=IT, O=strongSwan, CN=carol@strongswan.org"
09[IKE] authentication of 'carol@strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
09[IKE] IKE_SA host-host-ike[1] established between 192.168.43.81[dave@strongswan.org]...<responder pub ip>[carol@strongswan.org]
09[IKE] scheduling reauthentication in 10759s
09[IKE] maximum IKE_SA lifetime 11839s
09[CFG] selected proposal: ESP:AES_GCM_16_128
09[IKE] CHILD_SA host-host-ipsec{2} established with SPIs c9250ce6_i ce7bd593_o and TS 192.168.43.81/32 === 192.168.1.243/32
09[IKE] received AUTH_LIFETIME of 10499s, scheduling reauthentication in 9419s
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
08[IKE] establishing CHILD_SA host-host-ipsec{3} reqid 1
08[ENC] generating CREATE_CHILD_SA request 2 [ SA No TSi TSr ]
08[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (336 bytes)
04[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (192 bytes)
04[ENC] parsed CREATE_CHILD_SA response 2 [ SA No TSi TSr ]
04[CFG] selected proposal: ESP:AES_GCM_16_128
04[IKE] CHILD_SA host-host-ipsec{3} established with SPIs c967fe48_i cae00955_o and TS 192.168.43.81/32 === 192.168.1.243/32
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
13[IKE] establishing CHILD_SA host-host-ipsec{4} reqid 1
13[ENC] generating CREATE_CHILD_SA request 3 [ SA No TSi TSr ]
13[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (336 bytes)
12[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (192 bytes)
12[ENC] parsed CREATE_CHILD_SA response 3 [ SA No TSi TSr ]
12[CFG] selected proposal: ESP:AES_GCM_16_128
12[IKE] CHILD_SA host-host-ipsec{4} established with SPIs c89f2a1a_i c7218e68_o and TS 192.168.43.81/32 === 192.168.1.243/32
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
11[IKE] establishing CHILD_SA host-host-ipsec{5} reqid 1
11[ENC] generating CREATE_CHILD_SA request 4 [ SA No TSi TSr ]
11[NET] sending packet: from 192.168.43.81[49953] to <responder pub ip>[4500] (336 bytes)
14[NET] received packet: from <responder pub ip>[4500] to 192.168.43.81[49953] (192 bytes)
14[ENC] parsed CREATE_CHILD_SA response 4 [ SA No TSi TSr ]
14[CFG] selected proposal: ESP:AES_GCM_16_128
14[IKE] CHILD_SA host-host-ipsec{5} established with SPIs c8e21b80_i c0bac50f_o and TS 192.168.43.81/32 === 192.168.1.243/32
PS C:\strongSwan> .\swanctl.exe -l
host-host-ike: #1, ESTABLISHED, IKEv2, 39d9b5588f2af5ed_i* 9b1382cd647d66a0_r
  local  'dave@strongswan.org' @ 192.168.43.81[49953]
  remote 'carol@strongswan.org' @ <responder pub ip>[4500]
  AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
  established 9s ago, reauth in 9410s
  host-host-ipsec: #2, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 9s ago, rekeying in 3387s, expires in 3951s
    in  c9250ce6,      0 bytes,     0 packets
    out ce7bd593,      0 bytes,     0 packets
    local  192.168.43.81/32
    remote 192.168.1.243/32
  host-host-ipsec: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 9s ago, rekeying in 3388s, expires in 3952s
    in  c967fe48,      0 bytes,     0 packets
    out cae00955,      0 bytes,     0 packets
    local  192.168.43.81/32
    remote 192.168.1.243/32
  host-host-ipsec: #4, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 8s ago, rekeying in 3389s, expires in 3953s
    in  c89f2a1a,      0 bytes,     0 packets
    out c7218e68,      0 bytes,     0 packets
    local  192.168.43.81/32
    remote 192.168.1.243/32
  host-host-ipsec: #5, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
    installed 7s ago, rekeying in 3390s, expires in 3954s
    in  c8e21b80,      0 bytes,     0 packets
    out c0bac50f,      0 bytes,     0 packets
    local  192.168.43.81/32
    remote 192.168.1.243/32

Things I've tried

kcchenkd commented 2 years ago

@miolad Sorry to hijack your thread. I am trying to cross-compile strongSwan for Windows 10, but I see the following errors when launching charon-svc.exe. It looks like you got further than me, so I am wondering what your steps and parameters for building strongSwan for Windows were.

It will be greatly appreciated if you can provide some suggestions on my discussion post (https://github.com/strongswan/strongswan/discussions/1204)

C:\strongswan\dist_3\usr\local\bin>charon-svc.exe
00[DMN] Starting IKE service charon-svc (strongSwan 5.9.7, Windows Client 6.2.9200 (SP 0.0)
00[KNL] registering WFP provider failed: 0x00000005
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon-svc' has unmet dependency: CUSTOM:socket
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon-svc' has unmet dependency: CUSTOM:libcharon-receiver
00[LIB] failed to load 2 critical plugin features

Thanks in advance!

maverictopgun72 commented 1 year ago

Responder:

  • OS: Debian 11.2
  • Kernel version: 5.10
  • strongSwan version: 5.9.4

Initiator:

  • OS: Windows 11 21H2 22000.376
  • strongSwan version: crosscompiled 5.9.4 (applied this patch)
  • reproducible on latest version: yes


Things I've tried

  • Change the weight of every WFP filter for IPsec SAs to a fixed higher value than that used by traps -> no change
  • Move trap filters to the FWPM_LAYER_OUTBOUND_IPPACKET_V4/V6 layers; quoting the official WFP docs, at this layer "Any IPsec authentication and encryption has already occurred." -> no change
  • Connect using the Windows native "agile" IKEv2 client after letting strongSwan install traps -> the VPN client successfully connects, but traffic is still dropped by the trap before it can be transformed by IPsec. I think this confirms that the problem is not in how the IPsec policies are installed (maybe?)
  • Uninstall trap policies after adding the corresponding SAs, and reinstall them after the SAs are dropped -> this works, of course, but it is very ugly and probably not suitable for every situation
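The symptom reported here is visible in the charon log itself: a "creating acquire job" line for a reqid whose CHILD_SA is already installed. The following script is an added example (not part of the issue or of strongSwan) that scans charon-svc output for exactly that pattern; the sample log is constructed in the shape of the one quoted above, and the "closing CHILD_SA" message format is an assumption used only to retire SAs from the installed set.

```python
"""Flag trap acquires that fire for a reqid whose CHILD_SA is already installed.

Added example for this issue, not code from the strongSwan project.  Message
formats follow the charon-svc log quoted in the thread.
"""
import re
from collections import defaultdict

# Constructed sample: a shortened copy of the pattern shown in the issue log.
SAMPLE_LOG = """\
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
10[IKE] establishing CHILD_SA host-host-ipsec{2} reqid 1
09[IKE] CHILD_SA host-host-ipsec{2} established with SPIs c9250ce6_i ce7bd593_o and TS 192.168.43.81/32 === 192.168.1.243/32
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
08[IKE] establishing CHILD_SA host-host-ipsec{3} reqid 1
04[IKE] CHILD_SA host-host-ipsec{3} established with SPIs c967fe48_i cae00955_o and TS 192.168.43.81/32 === 192.168.1.243/32
18[KNL] creating acquire job for policy 192.168.43.81/32[icmp/8] === 192.168.1.243/32[icmp/0] with reqid {1}
"""

ACQUIRE = re.compile(r"\[KNL\] creating acquire job for policy (?P<policy>.+) with reqid \{(?P<reqid>\d+)\}")
ESTABLISHING = re.compile(r"\[IKE\] establishing CHILD_SA (?P<name>[^{]+)\{(?P<id>\d+)\} reqid (?P<reqid>\d+)")
ESTABLISHED = re.compile(r"\[IKE\] CHILD_SA (?P<name>[^{]+)\{(?P<id>\d+)\} established with SPIs")
# Assumed format of the teardown message; used so a re-acquire after an SA
# was closed is not reported as spurious.
CLOSING = re.compile(r"\[IKE\] closing CHILD_SA (?P<name>[^{]+)\{(?P<id>\d+)\}")


def analyze(log_text):
    """Return {'spurious': [(line_no, reqid)], 'installed': {reqid: [ids]}}.

    An acquire for a reqid that already has an installed CHILD_SA means the
    trap filter kept matching traffic that should have gone through the SA,
    which is the behaviour reported in this issue.  Healthy operation shows
    at most one acquire per reqid while an SA for it is installed.
    """
    sa_reqid = {}                   # unique CHILD_SA id -> reqid
    installed = defaultdict(list)   # reqid -> installed SA ids, in order
    spurious = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = ESTABLISHING.search(line)
        if m:
            sa_reqid[m["id"]] = m["reqid"]
            continue
        m = ESTABLISHED.search(line)
        if m and m["id"] in sa_reqid:
            installed[sa_reqid[m["id"]]].append(m["id"])
            continue
        m = CLOSING.search(line)
        if m and m["id"] in sa_reqid:
            ids = installed[sa_reqid[m["id"]]]
            if m["id"] in ids:
                ids.remove(m["id"])
            continue
        m = ACQUIRE.search(line)
        if m and installed.get(m["reqid"]):   # .get() does not create a key
            spurious.append((line_no, m["reqid"]))
    return {"spurious": spurious, "installed": dict(installed)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for line_no, reqid in result["spurious"]:
        print(f"line {line_no}: acquire for reqid {reqid} although CHILD_SA(s) "
              f"{result['installed'][reqid]} are already installed")
```

On the sample it reports the acquires on lines 4 and 7, with SAs {2} and {3} installed for reqid 1; on a healthy Windows initiator the list is empty.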