[strongSwan] SS5.1.0 and libipsec, configuration and usage questions

Martin Willi martin at strongswan.org
Wed Jan 8 17:28:35 CET 2014

> Netfilter marks would help me to select connection/SA, but would not
> let me do overlapping traffic selectors?

If you have a distinct mark on a connection, traffic selectors can
overlap. The kernel accepts identical policies if the mark differs.

> conn A
>  left=me
>  right=peer1
>  leftsubnet=
>  rightsubnet=
>  netfilter mark=1

Yes, that should work, the ipsec.conf keyword for Netfilter marks is
"mark", though. With "mark_in" and "mark_out" you can define individual
inbound and outbound policy marks. man ipsec.conf for details.

There is even a %reqid option for marks, which dynamically assigns a
mark based on the CHILD_SA reqid. This is useful if you create multiple
instances of the same connection, but would like to assign unique marks
(for road warriors, for example). You then could dynamically create
IPtables rules, for example in the updown script.
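
An added example, not part of the original message and not strongSwan's own updown script: an updown helper for a connection with mark=%reqid that adds an iptables mangle rule on "up" and deletes it on "down", marking the peer's inbound ESP packets with the value strongSwan exports in PLUTO_MARK_IN. The choice of rule, the IPv4-only input checks, plain ESP without UDP encapsulation, the script path and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Hypothetical helper, referenced as leftupdown=/path/to/this/script on a conn
# that sets mark=%reqid. charon exports PLUTO_VERB, PLUTO_PEER and PLUTO_MARK_IN.

# Print the iptables arguments that add or remove the inbound marking rule.
# Args: verb, peer address, mark ("value" or "value/mask"). Returns 1 on bad input.
mark_rule_args() {
    verb=$1 peer=$2 mark=${3%%/*}      # keep only the mark value, drop the mask
    case $verb in
        up-host|up-client)     action=-A ;;
        down-host|down-client) action=-D ;;
        *) return 1 ;;                 # IPv6 and other verbs are not handled here
    esac
    # The script runs as root: allow only the characters of a decimal or
    # 0x-prefixed hex number in the mark, and of a dotted IPv4 address in the peer.
    case $mark in
        ''|*[!0-9a-fA-FxX]*) return 1 ;;
    esac
    case $peer in
        ''|*[!0-9.]*) return 1 ;;
    esac
    echo "-t mangle $action PREROUTING -s $peer -p esp -j MARK --set-mark $mark"
}

# Act only when invoked by charon (PLUTO_VERB set); DRY_RUN=1 prints the command.
if [ -n "${PLUTO_VERB:-}" ]; then
    if args=$(mark_rule_args "$PLUTO_VERB" "${PLUTO_PEER:-}" "${PLUTO_MARK_IN:-}"); then
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "iptables $args"
        else
            # Word splitting of $args is intended; every field was checked above.
            iptables $args
        fi
    fi
fi
```

Because each CHILD_SA instance gets its own reqid, the "down" call deletes exactly the rule its "up" call added.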

