[Swan] mark in route-based VPN

Paul Wouters paul at nohats.ca
Thu Feb 9 21:05:40 UTC 2017


It should be visible in "ip xfrm pol".

The VTI devices handle the marking for you. If not using those, you need
to use your own iptables rules to mark the traffic appropriately. Any traffic that matches all IPsec traffic selectors but not the mark will not be encrypted and leaves the machine in the clear.

Sent from my iPhone

> On Feb 9, 2017, at 15:42, Xinwei Hong <xhong at skytap.com> wrote:
> 
> Thanks. One follow-up question: after I set up a route-based VPN, I don't see any rule with that mark when I do "iptables-save". Am I supposed to find any entry in the iptables?
> 
> Thanks,
> Xinwei
> 
>> On Thu, Feb 9, 2017 at 12:26 PM, Paul Wouters <paul at nohats.ca> wrote:
>> On Thu, 9 Feb 2017, Xinwei Hong wrote:
>> 
>>> mark=
>>> The mark number to use for this connection's IPsec SA policy. It will be used for all instances as well.
>>> 
>>> in the example, we have:
>>> 
>>> mark=5/0xffffffff
>>> How are those numbers used? What do 5 and 0xffffffff mean here? What is the guidance to select a number for it? e.g.
>>> when there are multiple VTIs configured. Does this mark have anything to do with mark in iptables?
>> 
>> It's the mark number and mask. Yes, these are the same as the mark with
>> iptables where you can use it.
>> 
>> Paul
> 
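Two points in the thread above are easy to get wrong in practice: the `mark=5/0xffffffff` syntax is a value and a mask (the kernel matches a packet when `fwmark & mask == value & mask`), and the mark is attached to the xfrm policy, so the place to look for it is `ip xfrm policy`, not `iptables-save`, unless you wrote the marking rule yourself. The following shell script is an added example, not code from the list or from libreswan; it parses a constructed sample of `ip xfrm policy` output, checks whether a policy with the expected mark exists, evaluates the value/mask match, and emits (but does not run) the iptables mangle rule you would need when no VTI device is doing the marking. The addresses, reqid and the `10.0.0.0/24` destination are placeholders.

```shell
#!/bin/sh
# Added example (not from the libreswan list or the project): shows how a
# libreswan "mark=VALUE/MASK" setting relates to the mark shown by
# "ip xfrm policy" and to an iptables fwmark. All command output below is
# constructed sample text; nothing here touches the live kernel.

# Split "5/0xffffffff" into value and mask (mask defaults to 0xffffffff).
mark_value() { echo "${1%%/*}"; }
mark_mask()  { case "$1" in */*) echo "${1#*/}";; *) echo 0xffffffff;; esac; }

# The kernel matches a packet when (fwmark & mask) == (value & mask).
# Prints "match" or "nomatch" for a given fwmark and mark spec.
mark_matches() {
    fwmark=$1; spec=$2
    v=$(mark_value "$spec"); m=$(mark_mask "$spec")
    if [ $(( $fwmark & $m )) -eq $(( $v & $m )) ]; then echo match; else echo nomatch; fi
}

# Constructed sample of "ip xfrm policy" output for a route-based tunnel
# configured with mark=5/0xffffffff (addresses and reqid are placeholders).
SAMPLE_XFRM_POLICY='src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 2080 ptype main
    mark 0x5/0xffffffff
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 2080 ptype main
    mark 0x5/0xffffffff
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16389 mode tunnel'

# Extract the mark lines from xfrm policy output on stdin, one per policy.
# On a real host: ip xfrm policy | xfrm_policy_marks
xfrm_policy_marks() { awk '$1 == "mark" { print $2 }'; }

# Answer "yes"/"no": is there a policy carrying exactly this value/mask?
policy_has_mark() {
    v=$(mark_value "$1"); m=$(mark_mask "$1")
    want=$(printf '0x%x/0x%x' $(( $v )) $(( $m )))
    xfrm_policy_marks | grep -qx "$want" && echo yes || echo no
}

# Without a VTI device, traffic must be marked by iptables so the policy
# selects it. This prints the rule text for review; it does not apply it.
mangle_rule_for() {
    v=$(mark_value "$1"); m=$(mark_mask "$1")
    printf 'iptables -t mangle -A OUTPUT -d %s -j MARK --set-xmark %s/%s\n' \
        "$2" "$(printf '0x%x' $(( $v )))" "$(printf '0x%x' $(( $m )))"
}

echo "$SAMPLE_XFRM_POLICY" | policy_has_mark 5/0xffffffff   # yes
mark_matches 5 5/0xffffffff                                 # match
mark_matches 0x105 5/0xff                                   # match: mask ignores high bits
mark_matches 6 5/0xffffffff                                 # nomatch
mangle_rule_for 5/0xffffffff 10.0.0.0/24
```

The third `mark_matches` call is the reason the mask matters when several VTIs share a host: with a narrow mask such as `0xff`, marks that differ only in the high bits land in the same policy, so two tunnels whose marks collide under their masks would both match the same xfrm policy. A full `0xffffffff` mask, as in the example from the documentation, avoids that. Note that the generated rule marks only traffic to the given destination; any packet that fits the policy's selectors but is left unmarked falls through the policy and leaves in the clear, exactly as Paul describes.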