From 8af222361fad8dcb58e5285d0f0aedc63d78e65c Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Sat, 5 Aug 2017 10:11:44 +0000
Subject: [PATCH] ipsec: Only set traffic selector marks in VTI mode

Signed-off-by: Michael Tremer
---
 src/functions/functions.ipsec | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/functions/functions.ipsec b/src/functions/functions.ipsec
index 53b431cf..4b8ce1bf 100644
--- a/src/functions/functions.ipsec
+++ b/src/functions/functions.ipsec
@@ -1235,10 +1235,14 @@ _ipsec_connection_to_strongswan_connection() {
 print

 # Netfilter Marks
- print_indent 4 "# Netfilter Marks"
- print_indent 4 "mark_in = %unique"
- print_indent 4 "mark_out = %unique"
- print
+ case "${MODE}" in
+ vti)
+ print_indent 4 "# Netfilter Marks"
+ print_indent 4 "mark_in = %unique"
+ print_indent 4 "mark_out = %unique"
+ print
+ ;;
+ esac

 # Dead Peer Detection
 if enabled dpd; then
-- 
2.39.5
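Review bot: The new `case "${MODE}" in` block carries no comment explaining why `mark_in`/`mark_out` are now limited to VTI connections, and the unchanged `# Netfilter Marks` comment above it still reads as if the marks were always written. A line such as `# Only VTI connections get marks; in other modes the policies have to match unmarked traffic` directly above the `case` would record the intent (the wording is inferred from the commit subject, so adjust it to the real reason). The branch matches only the exact string `vti`, and MODE is assigned outside this hunk, so an unset or differently spelled value would silently generate a connection without marks. It is worth confirming that MODE is validated where the connection settings are read. The body of `_ipsec_connection_to_strongswan_connection` starts and ends outside the hunk.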