Hi,

the strongSwan 4.4.1dr5 developers release available from

  http://download.strongswan.org/strongswan-4.4.1dr5.tar.bz2

offers support for XFRM marks in IPsec SAs and IPsec policies which
were recently introduced with the Linux 2.6.34 kernel.

Currently mark configuration is possible for IKEv2 connections
as the following example scenario shows:

  http://www.strongswan.org/uml/testresults44dr/ikev2/nat-two-rw-mark/

In future strongSwan versions mark support will be extended to IKEv1
as well. It might become possible to set individual marks for inbound
and outbound directions and even separately for SAs and SPDs:

  mark=             # same mark for inbound/outbound SAs & SPDs
  mark_in=          # same mark for inbound SA & SPD
  mark_out=         # same mark for outbound SA & SPD
  mark_in_sa=       # mark for inbound SA
  mark_out_sa=      # mark for outbound SA
  mark_in_policy=   # mark for inbound SPD
  mark_out_policy=  # mark for outbound SPD

It might also be convenient to automatically set the mangle rules

  http://www.strongswan.org/uml/testresults44dr/ikev2/nat-two-rw-mark/console.log

via the strongSwan updown script.

While testing the xfrm mark functionality two bugs were detected in the
Linux 2.6.34 kernel that were subsequently fixed by the following
two patches:

  http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=4efd7e833591721bec21cc4730a7f6261417840f

  http://git.kernel.org/?p=linux/kernel/git/davem/net-2.6.git;a=commitdiff;h=44b451f1633896de15d2d52e1a2bd462e80b7814

Best regards

Andreas

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
