The problem isn't traffic not matching the tunnel; it doesn't even contact the other peer to establish the encrypted tunnel!

Anyway, I solved it using IKEv2:
https://lists.strongswan.org/pipermail/users/2012-February/007175.html

Cheers,
Niccolò