Issue #2404
No mark info in inbound SA info
Status: Closed
Priority: Normal
Assignee: -
Category: -
Affected version: 5.5.3
Resolution: Invalid
Related issues
History
#1 Updated by Tobias Brunner about 8 years ago
- Status changed from New to Closed
- Resolution set to Invalid
Please read HelpRequests and start again.
#2 Updated by c c about 8 years ago
When a mark value is specified in ipsec.conf, there will be a corresponding mark value in the SP and SA.
In 5.5.3, the mark value is correctly written in the inbound and outbound SP, but only in the outbound SA.
As shown below, there is no such issue in 5.5.0.
# ip x p
src 0.0.0.0/0 dst 0.0.0.0/0
    dir out priority 400000
    mark 0x6f/0xffffffff
    tmpl src 49.49.49.9 dst 49.49.11.3
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir fwd priority 400000
    mark 0x6f/0xffffffff
    tmpl src 49.49.11.3 dst 49.49.49.9
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    dir in priority 400000
    mark 0x6f/0xffffffff
    tmpl src 49.49.11.3 dst 49.49.49.9
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
# ip x s
src 49.49.49.9 dst 49.49.11.3
    proto esp spi 0xcf41f21e reqid 1 mode tunnel
    replay-window 0 flag nopmtudisc af-unspec
    mark 0x6f/0xffffffff
    auth-trunc hmac(sha1) 0x5b85451f0d6b1aa03879773bc46e5f8acf1d1df2 96
    enc cbc(des3_ede) 0xf250763407d3c4014d9bbf3ad749eac2438c11f8153f0c01
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 49.49.11.3 dst 49.49.49.9
    proto esp spi 0xcd8aa0dd reqid 1 mode tunnel
    replay-window 0 flag nopmtudisc af-unspec
    auth-trunc hmac(sha1) 0xacb22e404ada457bfe6b9558aa72568483060dc4 96
    enc cbc(des3_ede) 0x2f4e90c7cd6bc2664820eeea7f6b7bb9b00e87e4112e02a7
    anti-replay esn context:
     seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x0
     replay_window 256, bitmap-length 8
     00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
#3 Updated by Tobias Brunner about 8 years ago
That's the case since 5.5.2 or commit:067fd2c6. If you searched the wiki/changesets for e.g. "inbound mark" you would have found that easily yourself.
#4 Updated by Tobias Brunner about 8 years ago
- Has duplicate Issue #2406: No mark value generated in inbound SA added
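To see at a glance which installed SAs carry a mark, as in the `ip x s` output of comment #2, the following added example (not part of the issue and not strongSwan code) parses that output and reports the mark per SA and direction. The function names are hypothetical, and the local address 49.49.49.9 is an assumption read off the outbound policy template in the same comment.

```python
import re

# Constructed sample: the two SAs from the `ip x s` output in the issue,
# with the key material and anti-replay lines left out.
SAMPLE = """\
src 49.49.49.9 dst 49.49.11.3
    proto esp spi 0xcf41f21e reqid 1 mode tunnel
    replay-window 0 flag nopmtudisc af-unspec
    mark 0x6f/0xffffffff
src 49.49.11.3 dst 49.49.49.9
    proto esp spi 0xcd8aa0dd reqid 1 mode tunnel
    replay-window 0 flag nopmtudisc af-unspec
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)$")
SPI = re.compile(r"\bspi (0x[0-9a-fA-F]+)")
MARK = re.compile(r"^mark (0x[0-9a-fA-F]+)/(0x[0-9a-fA-F]+)")


def parse_sas(text):
    """Split `ip xfrm state` output into one dict per SA."""
    sas = []
    for raw in text.splitlines():
        line = raw.strip()  # works with or without the original indentation
        m = HEAD.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2), "spi": None, "mark": None})
            continue
        if not sas:
            continue  # ignore anything before the first SA header
        m = SPI.search(line)
        if m and sas[-1]["spi"] is None:
            sas[-1]["spi"] = m.group(1)
        m = MARK.match(line)
        if m:
            sas[-1]["mark"] = (int(m.group(1), 16), int(m.group(2), 16))
    return sas


def mark_report(text, local_ip):
    """Return (direction, spi, mark) per SA; direction is relative to local_ip."""
    report = []
    for sa in parse_sas(text):
        direction = "in" if sa["dst"] == local_ip else "out" if sa["src"] == local_ip else "other"
        report.append((direction, sa["spi"], sa["mark"]))
    return report
```

Calling `mark_report(SAMPLE, "49.49.49.9")` lists the outbound SA with mark value/mask and the inbound SA with `None`, which matches the behaviour comment #3 dates to 5.5.2.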