ipsec: T1441: switch from vti to xfrm interfaces

XFRM interfaces are similar to VTI devices in their basic functionality but
offer several advantages:

* No tunnel endpoint addresses have to be configured on the interfaces.
  Compared to VTIs, which are layer 3 tunnel devices with mandatory endpoints,
  this resolves issues with wildcard addresses (only one VTI with wildcard
  endpoints is supported), avoids a 1:1 mapping between SAs and interfaces, and
  easily allows SAs with multiple peers to share the same interface.
* Because there are no endpoint addresses, IPv4 and IPv6 SAs are supported on
  the same interface (VTI devices only support one address family).
* IPsec modes other than tunnel are supported (VTI devices only support
  tunnel mode).
* No awkward configuration via GRE keys and XFRM marks. Instead, a new identifier
  (XFRM interface ID) links policies and SAs with XFRM interfaces.

1 files changed, 1 insertions, 1 deletions

diff --git a/data/templates/ipsec/swanctl.conf.tmpl b/data/templates/ipsec/swanctl.conf.tmpl
index ea6d85743..d082729cb 100644
--- a/data/templates/ipsec/swanctl.conf.tmpl
+++ b/data/templates/ipsec/swanctl.conf.tmpl
@@ -18,7 +18,7 @@ connections {
 {%            set peer_ike = ike_group[peer_conf.ike_group] %}
 {%            set peer_esp = esp_group[peer_conf.default_esp_group] if peer_conf.default_esp_group is defined else None %}
 {%            set auth_type = authby[peer_conf.authentication.mode] %}
-{{            peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type, marks) }}
+{{            peer_tmpl.conn(peer_conn_name, peer, peer_conf, peer_ike, peer_esp, ciphers, esp_group, auth_type) }}
 {%        endfor %}
 {%    endif %}
 }