[strongSwan-dev] ANNOUNCE: strongswan-4.4.1dr5 with xfrm mark support released

Andreas Steffen andreas.steffen at strongswan.org
Mon Jul 5 11:48:39 CEST 2010


the strongSwan 4.4.1dr5 developers release available from


offers support for XFRM marks in IPsec SAs and IPsec policies
which were recently introduced with the Linux 2.6.34 kernel.
Currently mark configuration is possible for IKEv2 connections
as the following example scenario shows:


In future strongSwan versions mark support will be extended to
IKEv1 as well. It might become possible to set individual marks
for inbound and outbound directions and even separately for
SAs and SPDs:

  mark=              # same mark for inbound/outbound SAs & SPDs

  mark_in=           # same mark for inbound SA & SPD
  mark_out=          # same mark for outbound SA & SPD

  mark_in_sa=        # mark for inbound SA
  mark_out_sa=       # mark for outbound SA
  mark_in_policy=    # mark for inbound SPD
  mark_out_policy=   # mark for outbound SPD

It might also be convenient to automatically set the mangle rules


via the strongSwan updown script.

While testing the xfrm mark functionality two bugs were detected
in the Linux 2.6.34 kernel that were subsequently fixed by the
following two patches:



Best regards


Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)

More information about the Dev mailing list