On Thu, 3 Dec 2015, Sébastien Lefevre wrote:
> Marking is indeed useful here to ensure that default packets are not matching the policy, which was my initial problem. In my updown, instead of marking packets with mangle, I still use my old approach of setting narrower policies:
Ahh I see. Of course manually adding/removing XFRM rules is not recommended because pluto is not aware of those and it keeps its own list of what it thinks is in the kernel.
> In our VPN concentrator model, we expose a single private IP address specific to each tunnel. So based on this specific IP, we can select the tunnel to use. This approach does not block packets if the VPN is not up (they'll be routed through the default gateway), so this is still far from perfect.
Right. So your use case would be fixed with leftpolicynets=a.b.c.d/32 and rightpolicynets=0.0.0.0/0

Paul
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
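The marking alternative that Paul and Sébastien discuss above, written out as an added example: a minimal updown hook that is not libreswan's own _updown script and not code from the thread. Rather than installing narrower XFRM policies by hand (which pluto does not know about), it sets an fwmark only on packets addressed to the tunnel's private IP so that they match a connection configured with mark=, and it goes one step beyond the thread by installing a DROP rule for that IP while the tunnel is down, so traffic does not fall through to the default gateway as Sébastien describes. Assumptions, none of which come from the thread: the connection in ipsec.conf carries mark=0x10 and leftupdown= pointing at this script; pluto exports PLUTO_VERB and PLUTO_PEER_CLIENT in the usual way; the IPTABLES override and the plan function exist only for dry runs.

```shell
#!/bin/sh
# Added example (not libreswan's _updown): mark-based tunnel selection for a
# connection configured with mark=0x10, plus a leak guard while the tunnel is
# down. Assumes pluto sets PLUTO_VERB and PLUTO_PEER_CLIENT (CIDR) on each call.

MARK="${IPSEC_MARK:-0x10}"   # must equal the connection's mark= value (assumed)

# Run iptables, or whatever IPTABLES names (IPTABLES=echo gives a dry run).
ipt() {
    "${IPTABLES:-iptables}" "$@"
}

# Mark locally generated packets for one destination so the marked XFRM
# policy catches them. $1 = -A (add) or -D (delete), $2 = destination prefix.
mark_rule() {
    ipt -t mangle "$1" OUTPUT -d "$2" -j MARK --set-mark "$MARK"
}

# Drop packets for the destination while the tunnel is down, instead of
# letting them leave via the default gateway. Same arguments as mark_rule.
drop_rule() {
    ipt -t filter "$1" OUTPUT -d "$2" -j DROP
}

# Act on the updown verb pluto passes in PLUTO_VERB.
# $1 = verb, $2 = peer client prefix. Returns 0 when handled, 2 when ignored.
updown_dispatch() {
    verb="$1"
    dst="$2"
    case "$verb" in
        up-client)
            drop_rule -D "$dst" 2>/dev/null || true   # guard may not exist yet
            mark_rule -A "$dst"
            ;;
        down-client)
            mark_rule -D "$dst" 2>/dev/null || true
            drop_rule -A "$dst"
            ;;
        *)
            return 2   # prepare-/route-/unroute-client etc.: nothing to do here
            ;;
    esac
}

# Dry run: print the iptables arguments that a verb would produce, one rule per
# line, without touching the kernel. Runs in a subshell so IPTABLES=echo does
# not leak into the caller's environment.
plan() {
    ( IPTABLES=echo; updown_dispatch "$1" "$2" )
}

# When pluto invokes the script, PLUTO_VERB is set; act on it. When the file is
# sourced for testing it stays unset and nothing runs.
if [ -n "${PLUTO_VERB:-}" ]; then
    updown_dispatch "$PLUTO_VERB" "${PLUTO_PEER_CLIENT:?PLUTO_PEER_CLIENT unset}"
fi
```

With mark=0x10 on the connection, only packets carrying that mark are selected by the XFRM policy pluto installed, so ordinary traffic keeps matching the default route; the mangle rule decides which destination is steered into the tunnel. The DROP rule is the part the thread does not cover: it closes the window Sébastien mentions where packets for the private IP would otherwise be routed out the default gateway while the SA is down. Check what a verb would do before wiring the script into leftupdown with, for example, `plan up-client 10.0.0.5/32`.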
