[strongSwan-dev] Backward compatibility option for inbound SA/SP marking

Tobias Brunner tobias at strongswan.org
Thu Aug 24 13:50:19 CEST 2017


Hi Christophe,

> This would avoid
> to add new features in stroke/ipsec.conf, while not breaking existing
> deployments based on stroke.

Except for your special use case it should not have an effect on
existing deployments.  With or without VTI devices marking packets
before decryption, as was necessary before, should still work the same
even if the SA has no mark set anymore (unless the SA is marked, the
kernel just ignores the marks on packets, so it doesn't match only
unmarked packets, to do so requires setting a mark of 0/0xffffffff
explicitly).

Therefore, I don't really see the need to change the default or make
this configurable via ipsec.conf.

Actually, for somebody to use a recent enough version to get bothered by
this change a switch to swanctl/vici should be in order anyway.  And
since the behavior was changed with 5.5.2, which also brought
swanctl/vici basically on par with starter/stroke (see the changelog
[1]), there should really be no reason to prefer the old interface.

There are some control features, like `down-srcip`, `purgeike` or
`list|resetcounters`, that are not implemented (yet).  But they may
still be used, if necessary (ideally users would notify us of features
they still need), when loading the stroke plugin even if the
configuration is done via swanctl/vici (and some can even be replicated
via vici).

Regards,
Tobias

[1] https://wiki.strongswan.org/versions/64
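As an added illustration (not part of Tobias's message or of strongSwan's own files), a swanctl.conf fragment contrasting the two mark settings he distinguishes; the connection and child names are placeholders, and it assumes the `mark_in`, `mark_out` and `mark_in_sa` options documented for swanctl.conf:

```conf
connections {
    gw-a {
        # ... remote_addrs, local/remote auth sections etc. omitted ...
        children {
            # Outbound packets get a mark, but no mark is required on
            # inbound packets: a mark of 0 without a mask is "don't care"
            # for the kernel, so unmarked packets still match this child.
            any-mark {
                mark_in = 0
                mark_out = 42
            }
            # Match exclusively unmarked inbound packets, as Tobias
            # describes: value 0 with a full mask. Since 5.5.2 mark_in
            # only marks the inbound policy; mark_in_sa = yes also
            # applies it to the inbound SA (the pre-5.5.2 behaviour).
            unmarked-only {
                mark_in = 0/0xffffffff
                mark_in_sa = yes
            }
        }
    }
}
```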
