Hi Christophe,

> This would avoid to add new features in stroke/ipsec.conf, while not breaking existing
> deployments based on stroke.

Except for your special use case it should not have an effect on existing deployments. With or without VTI devices, marking packets before decryption, as was necessary before, should still work the same even if the SA has no mark set anymore (unless the SA is marked, the kernel just ignores the marks on packets, so it doesn't match only unmarked packets; to do so requires setting a mark of 0/0xffffffff explicitly). Therefore, I don't really see the need to change the default or make this configurable via ipsec.conf.

Actually, for somebody to use a recent enough version to get bothered by this change, a switch to swanctl/vici should be in order anyway. And since the behavior was changed with 5.5.2, which also brought swanctl/vici basically on par with starter/stroke (see the changelog [1]), there should really be no reason to prefer the old interface. There are some control features, like `down-srcip`, `purgeike` or `list|resetcounters`, that are not implemented (yet). But they may still be used, if necessary (ideally users would notify us of features they still need), when loading the stroke plugin even if the configuration is done via swanctl/vici (and some can even be replicated via vici).

Regards,
Tobias

[1] https://wiki.strongswan.org/versions/64
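The mark-matching rule Tobias describes above (an SA without a mark matches any packet mark; only an explicit 0/0xffffffff mark restricts an SA to unmarked packets), modelled as a small Python illustration that is not part of the thread or of strongSwan. The `Mark`, `SA` and `lookup_sa` names and the sample SPIs are assumptions made for the example; the comparison itself is the `(value & mask) == (skb_mark & mask)` test the Linux xfrm code applies.

```python
# Added illustration of Linux xfrm SA mark matching; not strongSwan code.
# An SA carries a (value, mask) pair; a packet with skb->mark matches when
# (value & mask) == (skb_mark & mask). A mask of 0 means "no mark set",
# so the SA matches whatever mark the packet carries.
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Mark:
    value: int = 0
    mask: int = 0          # mask 0: SA has no mark, packet marks are ignored


@dataclass(frozen=True)
class SA:
    spi: int               # hypothetical SPI values below are constructed
    mark: Mark


def mark_matches(sa_mark: Mark, skb_mark: int) -> bool:
    """True if a packet carrying skb_mark is eligible for an SA with sa_mark."""
    return (sa_mark.value & sa_mark.mask) == (skb_mark & sa_mark.mask)


def lookup_sa(sas: Iterable[SA], spi: int, skb_mark: int) -> Optional[SA]:
    """First SA with the given SPI whose mark test accepts the packet."""
    for sa in sas:
        if sa.spi == spi and mark_matches(sa.mark, skb_mark):
            return sa
    return None


NO_MARK = Mark()                        # SA installed without a mark (new default)
ONLY_UNMARKED = Mark(0, 0xFFFFFFFF)     # explicit 0/0xffffffff: unmarked packets only
MARK_42 = Mark(42, 0xFFFFFFFF)          # SA bound to packets marked 42


def demo() -> dict:
    """Summarise which SA an incoming packet (marked or unmarked) selects."""
    sas = [SA(spi=0x1001, mark=NO_MARK), SA(spi=0x1001, mark=MARK_42)]
    return {
        "marked_42_hits_unmarked_sa": lookup_sa(sas, 0x1001, 42) is sas[0],
        "unmarked_hits_unmarked_sa": lookup_sa(sas, 0x1001, 0) is sas[0],
        "explicit_zero_rejects_marked": not mark_matches(ONLY_UNMARKED, 42),
        "explicit_zero_accepts_unmarked": mark_matches(ONLY_UNMARKED, 0),
    }
```

Marking packets before decryption therefore keeps working against an unmarked SA; only an SA configured with 0/0xffffffff turns marked packets away.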
