It should be visible in "ip xfrm pol". The VTI devices handle the marking for you. If not using those, you need to use your own iptables rules to mark the traffic appropriately. Any traffic that matched all IPsec traffic selectors but not the mark will not be encrypted and leaves the machine in the clear.
Sent from my iPhone

> On Feb 9, 2017, at 15:42, Xinwei Hong <[email protected]> wrote:
>
> Thanks. One follow-up question: after I set up a route-based VPN, I don't see
> any rule with that mark when I do "iptables-save". Am I supposed to find any
> entry in the iptables?
>
> Thanks,
> Xinwei
>
>> On Thu, Feb 9, 2017 at 12:26 PM, Paul Wouters <[email protected]> wrote:
>> On Thu, 9 Feb 2017, Xinwei Hong wrote:
>>
>>> mark=
>>> The mark number to use for this connection's IPsec SA policy. It will be
>>> used for all instances as well.
>>>
>>> in the example, we have:
>>>
>>> mark=5/0xffffffff
>>> How are those numbers used? What do 5 and 0xffffffff mean here? What is the
>>> guidance to select a number for it? e.g.
>>> when there are multiple VTIs configured. Does this mark have anything to do
>>> with mark in iptables?
>>
>> It's the mark number and mask. Yes these are the same as the mark with
>> iptables where you can use it.
>>
>> Paul
>
_______________________________________________ Swan mailing list [email protected] https://lists.libreswan.org/mailman/listinfo/swan
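The policy lookup Paul describes, as an added example that is not from the thread or from Libreswan: it parses a constructed `ip xfrm policy` listing (the layout is assumed to match iproute2's, with the mark printed as hex value/mask) and emulates the kernel's policy match, which requires both a selector hit and `(fwmark & mask) == mark`, so traffic that fits the selectors but carries the wrong mark finds no policy and leaves in the clear.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm policy` output for a route-based (VTI)
# connection configured with mark=5/0xffffffff. Addresses are documentation
# ranges; the text layout is assumed to follow iproute2.
XFRM_POLICY_OUTPUT = """\
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 1042407 ptype main
    mark 0x5/0xffffffff
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16389 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 1042407 ptype main
    mark 0x5/0xffffffff
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16389 mode tunnel
"""

def parse_policies(text):
    """Extract selector, direction, mark/mask and reqid of every policy."""
    policies = []
    for block in re.split(r"\n(?=src )", text.strip()):
        sel = re.match(r"src (\S+) dst (\S+)", block)
        mark = re.search(r"\bmark (0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?", block)
        reqid = re.search(r"\breqid (\d+)", block)
        # A policy with no mark line has mask 0 and therefore matches any fwmark.
        mask = 0 if not mark else (int(mark.group(2), 16) if mark.group(2) else 0xFFFFFFFF)
        policies.append({
            "src": ipaddress.ip_network(sel.group(1)),
            "dst": ipaddress.ip_network(sel.group(2)),
            "dir": re.search(r"\bdir (\w+)", block).group(1),
            "mark": int(mark.group(1), 16) if mark else 0,
            "mask": mask,
            "reqid": int(reqid.group(1)) if reqid else None,
        })
    return policies

def lookup(policies, src, dst, fwmark, direction="out"):
    """Kernel-style match: selector hit AND (fwmark & mask) == mark, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if (p["dir"] == direction and s in p["src"] and d in p["dst"]
                and (fwmark & p["mask"]) == p["mark"]):
            return p
    return None

def disposition(policies, src, dst, fwmark):
    """Verdict for an outbound packet: which ESP SA it hits, or CLEARTEXT."""
    p = lookup(policies, src, dst, fwmark)
    return "CLEARTEXT" if p is None else "ESP reqid %d" % p["reqid"]

if __name__ == "__main__":
    pols = parse_policies(XFRM_POLICY_OUTPUT)
    for fwmark in (0x5, 0x0, 0x105):  # VTI okey sets 0x5; 0 is unmarked traffic
        print("fwmark 0x%x -> %s" % (fwmark, disposition(pols, "10.1.0.5", "10.2.0.7", fwmark)))
```

Run against a real host by feeding the output of `ip xfrm policy` into `parse_policies` and querying with the fwmark your VTI key or iptables MARK rule sets.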
