[strongSwan-dev] Backward compatibility option for inbound SA/SP marking

Tobias Brunner tobias at strongswan.org
Mon Aug 21 15:21:38 CEST 2017


Hi Christophe,

> As the title states, this patch prevents charon from setting the mark of the
> inbound IPsec SA, while still marking the SPs and the outbound SA. This
> behavioral change was done as a workaround for route-based VPN to work, and
> assumed that it did not break other uses of the mark.

Could you provide an example where the old behavior is necessary?  Or
are you just concerned with setups that already have firewall rules for
inbound traffic in place?  (Which might not be a problem because if no
mark is set on the SA the kernel does not care if the packet has a mark
set.)

> 1/ this violates strongSwan's documentation:

So?  We update the docs.

> 2/ this breaks the symmetry and coherency of SA and SP configuration.

So?

> The inbound SA is the only object that does not wear a mark. The mark is
> precisely designed to convey information and to link objects together.

I don't really see it as a link (that's the reqid).  But it makes
configuration easier as marking encrypted inbound traffic is tricky and
should not really be necessary (when do you have duplicate local SPIs?).

> 3/ this changes strongSwan's behavior with no backward compatibility option.

If that behavior is actually required.

> the most flexible solution would be to allow mark_in/mark_out to be split into
> mark_in_sa/mark_in_sp/mark_out_sa/mark_out_sp, just like "mark" may today be
> split into "mark_in" and "mark_out".

Go ahead, if you think that's really necessary.  (But please only for
swanctl.conf.)

Regards,
Tobias
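The exchange above turns on two observable facts: after the change the outbound SA and both SPs carry the mark while the inbound SA does not, and an SA without a mark matches packets regardless of their mark. The following script is an added example (not strongSwan code and not from either poster) that checks both on a running host by parsing the text output of `ip xfrm state`. The output format is the real iproute2 one; the sample embedded below is constructed (RFC 5737 documentation addresses, made-up SPIs and keys), and the local address passed to `mark_summary` is an assumption the caller supplies.

```python
"""Report which IPsec SAs carry an xfrm mark, per reqid.

Added example, not part of strongSwan: parses `ip xfrm state` output and
shows whether the inbound and outbound SA of each reqid are marked, plus
whether a given packet mark would match an SA under the kernel's
(mark & mask) comparison.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `ip xfrm state` output: one outbound SA (marked)
# and one inbound SA (unmarked) for reqid 1. Addresses are RFC 5737
# documentation addresses; SPIs and keys are made up.
SAMPLE_XFRM_STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0xc0a80101 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\tmark 0x2a/0xffffffff
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
\tanti-replay context: seq 0x0, oseq 0x10, bitmap 0x00000000
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0xc0a80102 reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0xffeeddccbbaa99887766554433221100ffeeddcc 128
\tanti-replay context: seq 0x10, oseq 0x0, bitmap 0x0000ffff
"""


@dataclass
class Sa:
    src: str
    dst: str
    spi: int
    reqid: int
    mark: Optional[int]  # value of "mark 0x2a/0xffffffff"; None if unmarked
    mask: Optional[int]


_HEAD = re.compile(r"^src (\S+) dst (\S+)$")
_PROTO = re.compile(r"proto \S+ spi (0x[0-9a-fA-F]+) reqid (\d+)")
_MARK = re.compile(r"^\s*mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_xfrm_state(text: str) -> List[Sa]:
    """Split `ip xfrm state` output into SA records (one per 'src ... dst' head line)."""
    sas: List[dict] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        m = _HEAD.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2), "spi": 0, "reqid": 0,
                   "mark": None, "mask": None}
            sas.append(cur)
            continue
        if cur is None:
            continue  # ignore anything before the first SA
        m = _PROTO.search(line)
        if m:
            cur["spi"], cur["reqid"] = int(m.group(1), 16), int(m.group(2))
            continue
        m = _MARK.match(line)
        if m:
            cur["mark"], cur["mask"] = int(m.group(1), 16), int(m.group(2), 16)
    return [Sa(**d) for d in sas]


def mark_summary(sas: List[Sa], local_addr: str) -> Dict[int, Dict[str, Optional[int]]]:
    """Group SAs by reqid; an SA whose dst is the local address is inbound."""
    summary: Dict[int, Dict[str, Optional[int]]] = {}
    for sa in sas:
        direction = "in" if sa.dst == local_addr else "out"
        summary.setdefault(sa.reqid, {})[direction] = sa.mark
    return summary


def unmarked_inbound(summary: Dict[int, Dict[str, Optional[int]]]) -> List[int]:
    """reqids whose outbound SA is marked but whose inbound SA carries no mark."""
    return sorted(r for r, d in summary.items()
                  if d.get("out") is not None and d.get("in") is None)


def sa_matches_packet(sa: Sa, pkt_mark: int) -> bool:
    """Kernel xfrm mark test: (sa.mark & mask) == (pkt_mark & mask).

    An SA with no mark has mask 0, so any packet mark matches it; this is
    why an unmarked inbound SA still accepts inbound ESP that a firewall
    rule happened to mark.
    """
    mask = sa.mask or 0
    return ((sa.mark or 0) & mask) == (pkt_mark & mask)


def live_xfrm_state() -> str:
    """Read the real table; needs CAP_NET_ADMIN on most systems."""
    return subprocess.run(["ip", "xfrm", "state"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Run against the constructed sample so the script works without IPsec SAs.
    summary = mark_summary(parse_xfrm_state(SAMPLE_XFRM_STATE), "192.0.2.1")
    for reqid, d in summary.items():
        print(f"reqid {reqid}: in={d.get('in')} out={d.get('out')}")
    print("reqids with marked outbound but unmarked inbound SA:", unmarked_inbound(summary))
```

Replace `SAMPLE_XFRM_STATE` with `live_xfrm_state()` and the local address with the host's own to inspect a real tunnel; `unmarked_inbound` then lists exactly the asymmetry the patch under discussion introduces.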
