I have pretty much all my IPsec VPNs set up in on-demand mode. Sometimes they are down because the firewall shuts them down after some inactivity. When suricata is enabled, they will no longer automatically be triggered to start again. This is a really huge problem and I needed to disable suricata because of this. I tried to deactivate rules because it might have been that one of these was hit. However, none of the rules seems to match any traffic unexpectedly. Even with all rules deactivated, the VPNs won't come up. When suricata is disabled, the VPN is up within a second.
Update from today: When suricata is started, new connections through the IPsec tunnels won't function. Restarting a single tunnel does not work; the whole IPsec stack has to be restarted with "ipsec restart". The IPsec connection, however, is triggered and coming up. All packets leave the RED interface (which is dangerous and should absolutely not happen - we even have a firewall chain against this which does not match any more). It does not look like it is the marking, but I am not sure about that.
https://patchwork.ipfire.org/patch/2121/
Thanks for the patch - merged.