Mick,

I have and that does seem to work.  We started using the "unique" level because of this issue - http://lists.freebsd.org/pipermail/freebsd-net/2006-May/010550.html.

If using "require" is the only way around this then I guess we will have to look at the trade offs.

Thx

Scott


On 11/07/2013 12:02 AM, Mick wrote:
On Wednesday 06 Nov 2013 23:38:39 Scott Bonar wrote:
I want to direct only traffic going to port 80 and 443 to any host through
the VPN tunnel.

If I have the following setkey config:
spdadd 192.168.0.0/24 192.168.0.0/24 any -P out prio 2001 none;
spdadd 192.168.0.0/24 192.168.0.0/24 any -P in prio 2001 none;
spdadd 192.168.0.0/24 0.0.0.0/0[80] any -P out prio 1001 ipsec
    esp/tunnel/172.21.2.127-211.13.205.150/unique;
spdadd 0.0.0.0/0[80] 192.168.0.0/24 any -P in prio 1001 ipsec
    esp/tunnel/211.13.205.150-172.21.2.127/unique;
spdadd 192.168.0.0/24 0.0.0.0/0[443] any -P out prio 1002 ipsec
    esp/tunnel/172.21.2.127-211.13.205.150/unique;
spdadd 0.0.0.0/0[443] 192.168.0.0/24 any -P in prio 1002 ipsec
    esp/tunnel/211.13.205.150-172.21.2.127/unique;

The tunnel is established just fine, however, when connections are made,
inbound, instead of matching on an existing PH2 policy it negotiates another
PH2 and SA to use.

<snip>
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=174195398(0x0a6202c6)
reqid=16385(0x00004001)
        E: 3des-cbc  abc1bf74 0c364ace f86157f2 73ace5b0 de2c4dce 06b7ae6e
        A: hmac-md5  0f763070 ae052973 1fdba09d 5692311a
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov  6 16:37:30 2013   current: Nov  6 16:37:52 2013
        diff: 22(s)     hard: 3600(s)   soft: 2880(s)
        last: Nov  6 16:37:31 2013      hard: 0(s)      soft: 0(s)
        current: 2343(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=13 pid=3037 refcnt=0
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=257709257(0x0f5c54c9)
reqid=16387(0x00004003)
        E: 3des-cbc  8388abda cbf16638 21705724 fa1c56e6 a389a77c e135e311
        A: hmac-md5  cf08acb4 30cccf99 6d480be8 17edc605
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov  6 16:37:28 2013   current: Nov  6 16:37:52 2013
        diff: 24(s)     hard: 3600(s)   soft: 2880(s)
        last: Nov  6 16:37:28 2013      hard: 0(s)      soft: 0(s)
        current: 12673(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 32   hard: 0 soft: 0
        sadb_seq=14 pid=3037 refcnt=0
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=220808434(0x0d2944f2)
reqid=16385(0x00004001)
        E: 3des-cbc  bd9bfa97 bea087c0 5fd6680e 2a0dd3ef 3bb8c25f 0c28a246
        A: hmac-md5  47e9ae31 8cb11c63 64ddbb5e 3105de06
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov  6 16:37:27 2013   current: Nov  6 16:37:52 2013
        diff: 25(s)     hard: 3600(s)   soft: 2880(s)
        last: Nov  6 16:37:27 2013      hard: 0(s)      soft: 0(s)
        current: 7632(bytes)    hard: 0(bytes)  soft: 0(bytes)
        allocated: 8    hard: 0 soft: 0
        sadb_seq=15 pid=3037 refcnt=0
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=161632672(0x09a251a0)
reqid=16387(0x00004003)
        E: 3des-cbc  581a0415 d782766c ac446964 cf2244a9 9efa0fe8 42a42cb8
        A: hmac-md5  770ded16 24619c4d 62244735 cdb342ef
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov  6 16:37:23 2013   current: Nov  6 16:37:52 2013
        diff: 29(s)     hard: 3600(s)   soft: 2880(s)
        last: Nov  6 16:37:24 2013      hard: 0(s)      soft: 0(s)
        current: 24945(bytes)   hard: 0(bytes)  soft: 0(bytes)
        allocated: 66   hard: 0 soft: 0
        sadb_seq=16 pid=3037 refcnt=0
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=81151491(0x04d64603)
reqid=16385(0x00004001)
        E: 3des-cbc  e55a99b1 6ed605b6 af65514c 294f3821 4d80e4f9 311735fb
        A: hmac-md5  cf9bbc07 05c34373 738f76bd 5645b471
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Nov  6 16:21:19 2013   current: Nov  6 16:37:52 2013
        diff: 993(s)    hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=3037 refcnt=0


If I do only one port, i.e. 80, I don't see this behavior.
spdadd 192.168.0.0/24 192.168.0.0/24 any -P out prio 2001 none;
spdadd 192.168.0.0/24 192.168.0.0/24 any -P in prio 2001 none;
spdadd 192.168.0.0/24 0.0.0.0/0[80] any -P out prio 1001 ipsec
    esp/tunnel/172.21.2.127-211.13.205.150/unique;
spdadd 0.0.0.0/0[80] 192.168.0.0/24 any -P in prio 1001 ipsec
    esp/tunnel/211.13.205.150-172.21.2.127/unique;


What am I doing incorrectly?

Have you tried "require" instead of "unique" in your SAs for ports [80] and 
[443]?
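The check below is an added example for this thread; it is not code from either poster or from ipsec-tools. It reads the plain-text layout of `setkey -D` (the SA dump quoted above) and counts mature ESP SAs per reqid, which makes the symptom Scott describes visible as a number: more than one live SA on the same reqid in the same direction means a fresh phase 2 was negotiated instead of the existing SA being reused. The embedded sample dump is constructed to mirror the thread's entries (same SPIs and reqids, keys omitted, spi and reqid kept on one line); the field names `reqid=` and `state=mature` are the ones shown in the dump.

```sh
#!/bin/sh
# Added example (not from the thread or ipsec-tools): count mature SAs per
# reqid in `setkey -D` output to spot repeated phase-2 negotiation for one
# policy. Works on the text format, so it can be run against a saved dump.

# Constructed sample in the `setkey -D` layout, reduced to the lines this
# script reads. SPIs and reqids follow the dump quoted in the thread.
SAMPLE_SADB='211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=174195398(0x0a6202c6) reqid=16385(0x00004001)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=257709257(0x0f5c54c9) reqid=16387(0x00004003)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=220808434(0x0d2944f2) reqid=16385(0x00004001)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=161632672(0x09a251a0) reqid=16387(0x00004003)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
211.13.205.150[4500] 172.21.2.127[4500]
        esp-udp mode=tunnel spi=81151491(0x04d64603) reqid=16385(0x00004001)
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
'

# Read `setkey -D` output on stdin; print "reqid count" for every reqid
# that has at least one SA in state=mature, sorted by reqid.
# The reqid line may be wrapped separately from the spi line (as in the
# thread's mail), so reqid is remembered from whichever line carries it.
count_mature_sas_per_reqid() {
    awk '
        /reqid=/       { match($0, /reqid=[0-9]+/)
                         reqid = substr($0, RSTART + 6, RLENGTH - 6) }
        /state=mature/ { n[reqid]++ }
        END            { for (r in n) print r, n[r] }
    ' | sort
}

# Read `setkey -D` output on stdin; print only the reqids carrying more
# than one mature SA, i.e. the ones where phase 2 was negotiated again
# rather than the existing SA being matched.
duplicate_reqids() {
    count_mature_sas_per_reqid | awk '$2 > 1 { print $1 }'
}

# Stand-alone run against the constructed sample. On a live box use:
#   setkey -D | duplicate_reqids
printf '%s' "$SAMPLE_SADB" | count_mature_sas_per_reqid
```

One caveat when reading the result on a live system: a count of two on one reqid is normal for a short window around rekeying, because the old SA stays mature until its hard lifetime expires while the new one is already installed; compare the `created:` timestamps before treating it as the problem from this thread. Three or more, created seconds apart as in Scott's dump, is the duplicate-negotiation case.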