[strongSwan-dev] Backward compatibility option for inbound SA/SP marking

Christophe Gouault christophe.gouault at 6wind.com
Tue Aug 22 17:22:37 CEST 2017

Hi Tobias,

thanks for your answer,

2017-08-21 15:21 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Christophe,
>> As the title states, this patch prevents charon from setting the mark of the
>> inbound IPsec SA, while still marking the SPs and the outbound SA. This
>> behavioral change was done as a workaround for route-based VPN to work, and
>> assumed that it did not break other uses of the mark.
> Could you provide an example where the old behavior is necessary?  Or
> are you just concerned with setups that already have firewall rules for
> inbound traffic in place?  (Which might not be a problem because if no
> mark is set on the SA the kernel does not care if the packet has a mark
> set.)

I had in mind an existing vti use case with IPsec offloading. The
kernel does not need the inbound SA to be marked, but the IPsec
offloading solution benefits from the fact that SPs and SAs reference
their vti through the mark.

But I am aware it is not the general case, that's why I advocate a
configurable behavior.

A patch proposal follows, with a global boolean option in strongswan.conf.

I let the new behavior by default (no inbound SA marking) to avoid
causing trouble to people already exploiting the new behavior. However
note that the documentation and several tests in the testing/
directory still state and assume that the inbound SA is marked.

Best regards,

More information about the Dev mailing list