[strongSwan-dev] ANNOUNCE: strongswan-4.4.1dr5 with xfrm mark support released
Andreas Steffen
andreas.steffen at strongswan.org
Mon Jul 5 11:48:39 CEST 2010
Hi,
the strongSwan 4.4.1dr5 developers release available from
http://download.strongswan.org/strongswan-4.4.1dr5.tar.bz2
offers support for XFRM marks in IPsec SAs and IPsec policies
which were recently introduced with the Linux 2.6.34 kernel.
Currently mark configuration is possible for IKEv2 connections
as the following example scenario shows:
http://www.strongswan.org/uml/testresults44dr/ikev2/nat-two-rw-mark/
In future strongSwan versions mark support will be extended to
IKEv1 as well. It might become possible to set individual marks
for inbound and outbound directions and even separately for
SAs and SPDs:
    mark=             # same mark for inbound/outbound SAs & SPDs
    mark_in=          # same mark for inbound SA & SPD
    mark_out=         # same mark for outbound SA & SPD
    mark_in_sa=       # mark for inbound SA
    mark_out_sa=      # mark for outbound SA
    mark_in_policy=   # mark for inbound SPD
    mark_out_policy=  # mark for outbound SPD
It might also be convenient to automatically set the mangle rules
http://www.strongswan.org/uml/testresults44dr/ikev2/nat-two-rw-mark/console.log
via the strongSwan updown script.
While testing the xfrm mark functionality two bugs were detected
in the Linux 2.6.34 kernel that were subsequently fixed by the
following two patches:
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=4efd7e833591721bec21cc4730a7f6261417840f
http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=44b451f1633896de15d2d52e1a2bd462e80b7814
Best regards
Andreas
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==