/* install routes via XFRM interfaces, if we can use them */
lib->settings->set_default_str(lib->settings,
"charon-nm.plugins.kernel-netlink.install_routes_xfrmi", "yes");
- /* bypass IKE traffic from these routes in case traffic selectors conflict */
+ /* use a separate routing table to avoid conflicts with regular charon */
lib->settings->set_default_str(lib->settings,
- "charon-nm.plugins.socket-default.fwmark", "220");
+ "charon-nm.routing_table", "210");
+ /* use the same value as priority (higher than charon's default) */
lib->settings->set_default_str(lib->settings,
- "charon-nm.plugins.kernel-netlink.fwmark", "!220");
+ "charon-nm.routing_table_prio", "210");
+ /* bypass IKE/ESP from these routes in case traffic selectors conflict */
+ lib->settings->set_default_str(lib->settings,
+ "charon-nm.plugins.socket-default.fwmark", "210");
+ lib->settings->set_default_str(lib->settings,
+ "charon-nm.plugins.kernel-netlink.fwmark", "!210");
DBG1(DBG_DMN, "Starting charon NetworkManager backend (strongSwan "VERSION")");
if (lib->integrity)
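Review bot: The bypass set up at L14–L17 only works while `charon-nm.plugins.kernel-netlink.fwmark` is the exact negation of `charon-nm.plugins.socket-default.fwmark`, yet they are two independently overridable defaults and nothing on the page states that invariant; an operator changing one in strongswan.conf would silently lose the IKE bypass. I would extend the comment at L13 to `/* bypass IKE/ESP from these routes in case traffic selectors conflict; the kernel-netlink mark must stay the negation ("!") of the socket-default mark, which is also applied to ESP packets */`. The shared value 210 for routing_table, routing_table_prio and the fwmark is presumably a convention rather than a requirement, so a word at L9 saying the three need not be equal would avoid readers assuming they are linked. The enclosing function starts before this hunk.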
if (priv->xfrmi_id)
{ /* set the same mark as for IKE packets on the ESP packets so no routing
* loop is created if the TS covers the VPN server's IP */
- child.set_mark_out = (mark_t){
- .value = 220,
- .mask = 0xffffffff,
- };
+ mark_from_string(lib->settings->get_str(lib->settings,
+ "charon-nm.plugins.socket-default.fwmark", NULL),
+ MARK_OP_NONE, &child.set_mark_out);
child.if_id_in = child.if_id_out = priv->xfrmi_id;
}
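Review bot: The return value of mark_from_string() at L27–L29 is discarded; as far as I can see it reports parse failure as a bool, so an unparseable `charon-nm.plugins.socket-default.fwmark` override leaves child.set_mark_out at its zero default and the routing-loop protection described in the comment at L21–L22 is lost without any log line. I would wrap the call: `if (!mark_from_string(lib->settings->get_str(lib->settings, "charon-nm.plugins.socket-default.fwmark", NULL), MARK_OP_NONE, &child.set_mark_out))` followed by `{ DBG1(DBG_CFG, "invalid socket-default.fwmark, ESP packets not marked"); }`. The previous hard-coded 220 could not fail this way, so the failure mode is new with this change. The enclosing function starts before the hunk.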