[Swan] No ipsec0 device with XFRMi

Wolfgang Nothdurft wolfgang at linogate.de
Mon Aug 10 08:41:35 UTC 2020

On 30.07.20 at 07:57, Antony Antony wrote:

> Can you help create a testcase with fwmark and xfrmi?  You are using
> marks with KLIPS? so it is not really configured in ipsec.conf? I wonder how
> that would translate one-to-one.

Attached you can find a simplified testcase that corresponds 
approximately to what we do.

In this case we mark HTTP traffic to route it over another interface.

iptables -t mangle -I OUTPUT -p tcp --dport 80 -j MARK --set-mark 0x1
ip ru add prio 1 fwmark 0x1 table 1
ip r add default dev eth0 table 1

This case passes with my example patch when mapping the fwmark to 0x1000000.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: xfrmi-fwmark-testcase.patch
Type: text/x-patch
Size: 9068 bytes
Desc: not available
URL: <https://lists.libreswan.org/pipermail/swan/attachments/20200810/c053f909/attachment.bin>