<div>Hi Martin,</div>
<div> </div>
<div>Sorry for the late response. I was caught up with some other tasks and did not get time to work on this. </div>
<div> </div>
<div>As you mentioned, my IPs did not match initially. Now they do, and I see that encrypted traffic is passing between the endpoints. But I see that all the traffic uses tunnel 2 and not tunnel 1 (going by the SPI). Do you have any idea why this happens? </div>
<div> </div>
<div>Also, I tried to look into the "mark" option you had mentioned, but somehow I couldn't get any clear info. All I got is, ipsec.conf.5 has the parameters "mark", "mark_in" and "mark_out", and these set xfrm marks on the SAs. The iptables are automatically updated. But I could not find any info on how to use them. Is there any link you can share? Some examples from the strongswan website (<a href="http://www.strongswan.org/uml/testresults/ikev2/rw-mark-in-out/">http://www.strongswan.org/uml/testresults/ikev2/rw-mark-in-out/</a>) showed me that they are used as below in ipsec.conf of the peer:</div>
<div> </div>
<div>conn alice<br> rightid=alice@strongswan.org<br> mark_in=10/0xffffffff<br> mark_out=11/0xffffffff<br> also=sun<br> auto=add</div>
<div>conn venus<br> rightid=@venus.strongswan.org<br> mark_in=20 #0xffffffff is used by default<br> mark_out=21 #0xffffffff is used by default<br> also=sun<br> auto=add</div>
<div> </div>
<div>But I would like to know what these values mean (10, 11, 20, 21) and how they help in sending traffic through a particular tunnel only. I need to try and set up multiple tunnels, and then send traffic through each one of them, and then all of them together, in order to compare performances. </div>
<div> </div>
<div>I'd really appreciate some help on this.</div>
<div> </div>
<div>Thanks and regards,</div>
<div>Meera <br><br></div>
<div class="gmail_quote">On Wed, May 4, 2011 at 1:57 PM, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org">martin@strongswan.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div class="im"><br>> When I try to ping one peer from the other, the packets go across<br>> without encryption. In other words, it does not go through either<br>> tunnel.<br><br></div>Does your ping use the correct addresses to match your tunnel<br>
(192.168.10.0/24 === 172.16.10.0/24)?<br>
<div class="im"><br>> can I specify which tunnel should be used for what?<br><br></div>Why do you use two tunnels in the first place?<br><br>You can use Netfilter firewall marks to tag traffic using IPtables for a<br>
specific tunnel. Have a look at the "mark" option in ipsec.conf.5.<br><br>Regards<br><font color="#888888">Martin<br><br></font></blockquote></div><br>
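<div>An added example (Python, not code from this thread or from strongSwan) that parses the two conns quoted above and models how the kernel's xfrm mark match picks one policy among tunnels with identical selectors: a policy carrying mark v/m matches a packet whose fwmark satisfies (fwmark &amp; m) == (v &amp; m), so a packet tagged 11 hits alice's outbound policy and a packet tagged 21 hits venus's, while an untagged packet (fwmark 0) matches neither. The fwmark values it is exercised with are constructed, and the conn "sun" pulled in by also= is not on the page and is left unresolved.</div>

```python
# Added example, not code from the thread or from strongSwan: parses the
# mark_in/mark_out lines quoted in the mail and models the kernel xfrm mark
# match. Packet fwmark values used below are constructed for illustration.
DEFAULT_MASK = 0xFFFFFFFF  # strongSwan's default mask when no /mask is given

# Constructed input: the two conns quoted above (conn "sun" is not on the page)
IPSEC_CONF = """
conn alice
    rightid=alice@strongswan.org
    mark_in=10/0xffffffff
    mark_out=11/0xffffffff
    also=sun
    auto=add

conn venus
    rightid=@venus.strongswan.org
    mark_in=20 #0xffffffff is used by default
    mark_out=21 #0xffffffff is used by default
    also=sun
    auto=add
"""

def parse_mark(text):
    """'11/0xffffffff' -> (11, 0xffffffff); '20' -> (20, DEFAULT_MASK)."""
    value, _, mask = text.partition("/")
    return int(value, 0), (int(mask, 0) if mask else DEFAULT_MASK)

def parse_conns(conf):
    """Return {conn_name: {key: value}} for every 'conn' section (also= is kept, not resolved)."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing '#' comments
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif current is not None and "=" in line:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return conns

def xfrm_mark_match(policy_mark, policy_mask, packet_fwmark):
    """Kernel rule: policy mark v/m matches a packet iff (v & m) == (fwmark & m)."""
    return (policy_mark & policy_mask) == (packet_fwmark & policy_mask)

def select_outbound_conn(conns, packet_fwmark):
    """Name the conn whose outbound (mark_out) policy a packet with this fwmark hits, or None."""
    for name, opts in conns.items():
        if "mark_out" in opts:
            value, mask = parse_mark(opts["mark_out"])
            if xfrm_mark_match(value, mask, packet_fwmark):
                return name
    return None
```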