[strongSwan-dev] Backward compatibility option for inbound SA/SP marking

Christophe Gouault christophe.gouault at 6wind.com
Thu Aug 24 14:26:27 CEST 2017

2017-08-24 13:50 GMT+02:00 Tobias Brunner <tobias at strongswan.org>:
> Hi Christophe,
>> This would avoid
>> to add new features in stroke/ipsec.conf, while not breaking existing
>> deployments based on stroke.
> Except for your special use case it should not have an effect on
> existing deployments.  With or without VTI devices marking packets
> before decryption, as was necessary before, should still work the same
> even if the SA has no mark set anymore (unless the SA is marked, the
> kernel just ignores the marks on packets, so it doesn't match only
> unmarked packets, to do so requires setting a mark of 0/0xffffffff
> explicitly).
> Therefore, I don't really see the need to change the default or make
> this configurable via ipsec.conf.
> Actually, for somebody to use a recent enough version to get bothered by
> this change a switch to swanclt/vici should be in order anyway.  And
> since the behavior was changed with 5.5.2, which also brought
> swanctl/vici basically on par with starter/stroke (see the changelog
> [1]), there should really be no reason to prefer the old interface.

Hi Tobias,

OK, I surrender ;-)

> There are some control features, like `down-srcip`, `purgeike` or
> `list|resetcounters`, that are not implemented (yet).  But they may
> still be used, if necessary (ideally users would notify us of features
> they still need),

I started using the vici API for monitoring and stats, and I must
admit it is far better suited than stroke to interface with an
external application.

I precisely missed the equivalent for `listcounters` in the vici
interface, so I take the opportunity to notify you officially that its
support would be appreciated :)


More information about the Dev mailing list