Hi,

I have several SAs with the same networks and gateways on both sides but different xmarks (1 vs 2), and those work correctly. Therefore I need iptables rules like the following (in raw/PREROUTING):

    -p esp -m esp --espspi 0xc270c557 -j MARK --set-mark 1
    -p esp -m esp --espspi 0xcaa7e5c8 -j MARK --set-mark 2

Then netfilter selects the correct SA.

However, as the ESP packets contain the SPI value, I also expected them to work correctly if they have the same xmark (both 1):

    -p esp -m esp --espspi 0xc270c557 -j MARK --set-mark 1
    -p esp -m esp --espspi 0xcaa7e5c8 -j MARK --set-mark 1

Yet, this does not work. I get the feeling that the selection of the correct SA is not based on the SPI but on the IP and xmark only. Is this true? If so, why? Isn't the SPI especially there for that reason? Can this be achieved somehow?

Best regards,
Steffen
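As an added example that is not part of the post above: a small POSIX shell helper that generates the per-SPI MARK rules from a table of SAs and flags the configuration the post describes as failing, namely two SAs between the same gateway pair that share one xmark. The gateway addresses, SPIs and marks in the table are constructed sample values (the SPIs are taken from the post); adding -s/-d to each rule so it only fires for the expected peer is an assumption of this example, not something the post does.

```shell
#!/bin/sh
# Constructed SA table: src-gateway dst-gateway spi xmark (one SA per line).
# Addresses are documentation ranges; marks follow the working setup in the post.
SA_TABLE='192.0.2.1 198.51.100.1 0xc270c557 1
192.0.2.1 198.51.100.1 0xcaa7e5c8 2'

# Emit one raw/PREROUTING rule per SA: match the ESP SPI (and, as an added
# restriction, the peer addresses) and set the xmark the SA was installed with.
gen_rules() {
  printf '%s\n' "$1" | while read -r src dst spi mark; do
    [ -n "$spi" ] || continue
    printf 'iptables -t raw -A PREROUTING -s %s -d %s -p esp -m esp --espspi %s -j MARK --set-mark %s\n' \
      "$src" "$dst" "$spi" "$mark"
  done
}

# Succeed (exit 0) only when every (src,dst) gateway pair uses distinct marks;
# a repeated (src,dst,mark) triple is the ambiguous case from the post.
check_unique_marks() {
  dups=$(printf '%s\n' "$1" | awk 'NF == 4 { key = $1 " " $2 " " $4; if (seen[key]++) print key }')
  if [ -n "$dups" ]; then
    printf 'duplicate xmark for gateway pair: %s\n' "$dups" >&2
    return 1
  fi
  return 0
}

# Usage: validate first, then print the rules to review or pipe into sh.
if check_unique_marks "$SA_TABLE"; then
  gen_rules "$SA_TABLE"
fi
```

Run it as-is to print the two rules; swap the second mark for 1 and check_unique_marks reports the clash instead of emitting rules.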