On Tuesday, 28 July 2020 20:25 CEST, Antony Antony <[email protected]> wrote:
> ipsec-interface=0 would translate to
>
> ip link add ipsec0 type xfrm dev enp0s5 if_id 0
>
> when I started adding xfrmi I wasn't sure xfrm if_id 0 would work properly.
> if_id is a lookup key to find policy and state. I wonder if 0 would mean
> also a policy with no xfrmi if_id.
>
> xfrm if_id 0 was confusing to me. I decided ipsec1 to start with. Maybe
> time to review it while xfrmi is still experimental.
>
> and also to avoid confusion from klips.
I think the problem with if_id 0 could be the fwmark that is used to route the encrypted packets on the base interface.

100: from all to 10.0.12.2 fwmark 0x1 lookup 50

With fwmark 0x0 all unmarked traffic to the destination would go through the base interface instead of the ipsec interface.

But ipsec-interface=0 for ipsec0 would be very useful. All our customers use ipsec0 for the first ipsec device, so the change from klips to xfrmi would either be confusing for them or a technical problem that we have to solve. At the moment I am testing a patch to libreswan that maps if_id to device name if_id-1, which works properly.

But the next problem is that we use the lower 24 bits of the fwmark for our firewall rule set. The upper 8 bits were reserved for ipsec (saref) a long time ago. So the next problem is that currently the fwmark is not configurable and I also have to patch either libreswan or rework our complete rule set to reserve the lower bits for ipsec devices. Maybe a configurable minimal fwmark could be a nice feature.

Wolfgang
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan
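An added example, not code from the thread or from libreswan: it encodes the scheme discussed above (ipsecN mapped to if_id N+1 so that if_id 0 is never used, and IPsec marks confined to the upper 8 bits of the fwmark while the firewall keeps the lower 24) and prints the ip(8) commands for a given ipsec-interface number instead of executing them. The base value 0xff000000 for the IPsec mask, the mark layout if_id << 24, and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Assumed layout (illustrative, not a libreswan default):
#   upper 8 bits of the fwmark -> IPsec, lower 24 bits -> firewall rule set
IPSEC_MARK_MASK=0xff000000
FIREWALL_MARK_MASK=0x00ffffff

# if_id for ipsecN is N+1, so ipsec0 never uses the ambiguous if_id 0
ipsec_if_id() {
    echo $(( $1 + 1 ))
}

# fwmark for ipsecN: the if_id shifted into the reserved upper byte
ipsec_fwmark() {
    printf '0x%08x\n' $(( $(ipsec_if_id "$1") << 24 ))
}

# succeed only if the mark does not touch the firewall's 24 bits
# (the thread's existing rule uses fwmark 0x1, which fails this check)
mark_is_clear_of_firewall() {
    [ $(( $1 & $FIREWALL_MARK_MASK )) -eq 0 ]
}

# print the commands for ipsecN on base device $2 using routing table $3
ipsec_iface_commands() {
    n=$1; dev=$2; table=$3
    id=$(ipsec_if_id "$n")
    mark=$(ipsec_fwmark "$n")
    mark_is_clear_of_firewall "$mark" || {
        echo "fwmark $mark collides with the firewall mark range" >&2
        return 1
    }
    echo "ip link add ipsec$n type xfrm dev $dev if_id $id"
    echo "ip rule add fwmark $mark/$IPSEC_MARK_MASK lookup $table"
}
```

Running `ipsec_iface_commands 0 enp0s5 50` prints the two commands for ipsec0 with if_id 1 and fwmark 0x01000000, masked so that firewall marks in the lower bits cannot steer the encrypted packets.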
