According to ipsec.conf(5), mark-in and mark-out override mark. Why allow mark and mark-* at the same time? That seems like an mistake and would be better diagnosed.