services.strongswan-swanctl.swanctl.connections.<name>.children.<name>.per_cpu_sas
Enable per-CPU CHILD_SAs. Requires trap in start_action.
The value encap enables a special type of UDP encapsulation
(requires enabling encap for the connection if there is no NAT),
where a random source port is used for each outbound per-CPU SA
(the destination port for all of them remains 4500). This allows
using the port for RSS if the SPI can’t be used. Note that this type
of behavior is not standardized and not negotiated. So regardless
of whether the option is enabled, inbound per-CPU SAs
with UDP-encapsulation always have the source port set to 0
as the peer’s random port is unknown if it has this option enabled.
StrongSwan default: "no"
- Type: null or one of "yes", "no", "encap"
- Default: null
- Declared: <nixpkgs/nixos/modules/services/networking/strongswan-swanctl/module.nix>
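
An added example (not taken from the nixpkgs module or the strongSwan documentation) of a NixOS module that sets `per_cpu_sas = "encap"` together with the two settings the description says it depends on, plus an evaluation-time assertion that rejects any child enabling per-CPU SAs without `trap` in `start_action`. The connection name `gw`, the child name `net`, the addresses and the helper `missingTrap` are constructed for illustration; authentication sections are left at their defaults.

```nix
# Added example: names, addresses and the missingTrap helper are constructed.
{ config, lib, ... }:
let
  conns = config.services.strongswan-swanctl.swanctl.connections;

  # True when a child enables per-CPU SAs but start_action has no trap policy.
  missingTrap = child:
    child.per_cpu_sas != null
    && child.per_cpu_sas != "no"
    && !(child.start_action != null && lib.hasInfix "trap" child.start_action);
in
{
  services.strongswan-swanctl = {
    enable = true;
    swanctl.connections.gw = {
      remote_addrs = [ "192.0.2.1" ];   # constructed peer address
      # "encap" mode needs UDP encapsulation; force it in case there is no NAT.
      encap = true;
      children.net = {
        remote_ts = [ "10.0.0.0/24" ];  # constructed remote subnet
        # Per-CPU SAs require a trap policy.
        start_action = "trap";
        # Random source port per outbound per-CPU SA; destination port stays 4500.
        per_cpu_sas = "encap";
      };
    };
  };

  # Fail the build instead of deploying a child that lacks the trap policy.
  assertions = lib.concatLists (lib.mapAttrsToList
    (connName: conn:
      lib.mapAttrsToList
        (childName: child: {
          assertion = !(missingTrap child);
          message =
            "swanctl connection ${connName}, child ${childName}: "
            + "per_cpu_sas requires trap in start_action";
        })
        conn.children)
    conns);
}
```

Because the random-source-port behaviour is neither standardized nor negotiated, any firewall rule on the inbound path should match on destination port 4500 only and not on a fixed source port.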