author | Eyal Birger <eyal.birger@gmail.com> | 2017-07-28 12:18:52 +0300
---|---|---
committer | Tobias Brunner <tobias@strongswan.org> | 2017-08-07 14:22:27 +0200
commit | 32e5c49234ce4af2ef375e3f1750fdb90f813905 |
tree | 67f49109d2d7884abbe3a4d74235487754210546 | /man/ipsec.conf.5.in
parent | 00498d78a81f1fcd344b1eb13461f1ed4e00bf01 |
child-sa: Allow requesting different unique marks for in/out
When requiring unique flags for CHILD_SAs, allow the configuration to
request different marks for each direction by using the %unique-dir keyword.
This is useful when different marks are desired for each direction but the
number of peers is not predefined.
An example use case is when implementing a site-to-site route-based VPN
without VTI devices.
A use of 0.0.0.0/0 - 0.0.0.0/0 traffic selectors with identical in/out marks
results in outbound traffic being wrongfully matched against the 'fwd'
policy - for which the underlay 'template' does not match - and dropped.
Using different marks for each direction avoids this issue, as the 'fwd' policy,
which uses the 'in' mark, will not match outbound traffic.
Closes strongswan/strongswan#78.
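The configuration the commit message describes, written out as an added example that is not part of the commit or of the strongSwan documentation: a route-based site-to-site conn with catch-all traffic selectors, first with the setting that triggers the 'fwd' policy drop, then with the new %unique-dir value. The conn names, addresses and identities are placeholders; everything else uses ipsec.conf keywords that exist in the version this patch targets.

```ini
# /etc/ipsec.conf (added example; names and addresses are placeholders)
config setup

# Before: one unique mark shared by both directions (mark=%unique).
# With 0.0.0.0/0 on both sides the kernel installs in/out/fwd policies that
# all match every marked packet. The 'fwd' policy carries the 'in' mark and a
# template requiring the packet to have arrived through the inbound SA, so a
# forwarded plaintext packet that was marked for the tunnel matches 'fwd',
# fails the template check and is dropped.
conn site-a-to-b-broken
    keyexchange=ikev2
    authby=secret
    left=192.0.2.1
    leftid=@gw-a.example
    leftsubnet=0.0.0.0/0
    right=198.51.100.1
    rightid=@gw-b.example
    rightsubnet=0.0.0.0/0
    mark=%unique
    auto=route

# After: a different unique mark per direction (mark=%unique-dir).
# 'in' and 'fwd' share one mark, 'out' gets another, so packets marked for
# the outbound policy can no longer match the 'fwd' policy.
conn site-a-to-b
    keyexchange=ikev2
    authby=secret
    left=192.0.2.1
    leftid=@gw-a.example
    leftsubnet=0.0.0.0/0
    right=198.51.100.1
    rightid=@gw-b.example
    rightsubnet=0.0.0.0/0
    mark=%unique-dir
    auto=route
```

Because the policies only match packets carrying the mark, the catch-all selectors do not swallow the IKE and ESP traffic between the two gateways, and plain routing decides what is sent through the tunnel: the packets that should be encrypted have to be given the outbound mark (for instance from a mangle rule) before the 'out' policy lookup. Since the values are assigned per CHILD_SA, they are not known when the file is written; the updown script is the place to install that marking rule, using the marks strongSwan hands it (check the PLUTO_MARK_IN / PLUTO_MARK_OUT variables in the _updown script shipped with your version). After the tunnel is up, `ip xfrm policy` should show the 'in' and 'fwd' policies with one mark and the 'out' policy with a different one; if all three show the same mark, the conn is still using %unique and the drop described in the commit message will reappear.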
Diffstat (limited to 'man/ipsec.conf.5.in')
-rw-r--r-- | man/ipsec.conf.5.in | 5
1 files changed, 4 insertions, 1 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index fef44ae21..69aeba8cb 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -1037,7 +1037,10 @@ mask of .B 0xffffffff is assumed. The special value .B %unique -assigns a unique value to each newly created IPsec SA. +assigns a unique value to each newly created IPsec SA. To additionally +make the mark unique for each IPsec SA direction (in/out) the special value +.B %unique-dir +may be used. .TP .BR mark_in " = <value>[/<mask>]" sets an XFRM mark in the inbound IPsec SA and |
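Review bot: the added sentence only says %unique-dir makes the mark "unique for each IPsec SA direction (in/out)", which does not tell a reader that the inbound and outbound SA of one CHILD_SA end up with two different values; that distinction is the whole point of the change (the 'fwd' policy carries the 'in' mark and must stop matching outbound traffic), so state it directly, e.g. "%unique-dir assigns a different unique value to the inbound and the outbound SA of each CHILD_SA". The new text also sits under the combined mark keyword right before mark_in, so say whether %unique-dir is accepted by mark_in / mark_out as well or only by mark, and consider a short note on when it is needed (catch-all traffic selectors in a route-based setup without VTI devices), since man page readers do not see the commit message that explains it.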