<div>Hi Martin,</div>
<div> </div>
<div>Sorry for the delay in replying. I didn't get a chance to try this out for sometime.</div>
<div> </div>
<div>Thanks for confirming that. I now have two identical tunnels with markings. I want to send icmp packets (ping) through tunnel 1 and tcp packets through tunnel 2. Below is an excerpt of ipsec.conf files:</div>
<div> </div>
<div><u>On peer 1:</u></div>
<div>conn tunnel1<br> leftsubnet=<a href="http://192.168.255.0/24">192.168.255.0/24</a><br> rightsubnet=<a href="http://192.168.255.0/24">192.168.255.0/24</a><br> mark_in=11<br> mark_out=10</div>
<div>conn tunnel2<br> leftsubnet=<a href="http://192.168.255.0/24">192.168.255.0/24</a><br> rightsubnet=<a href="http://192.168.255.0/24">192.168.255.0/24</a><br> mark_out=20<br> mark_in=21</div>
<div> </div>
<div><u>On peer 2:</u></div>
<div>conn tunnel1<br> leftsubnet=<a href="http://192.168.255.0/24">192.168.255.0/24</a><br> rightsubnet=<a href="http://192.168.255.0/24">192.168.255.0/24</a><br> mark_in=10<br> mark_out=11</div>
<div>conn tunnel2<br> leftsubnet=<a href="http://192.168.255.0/24">192.168.255.0/24</a><br> rightsubnet=<a href="http://192.168.255.0/24">192.168.255.0/24</a><br> mark_in=20<br> mark_out=21<br>
<br>I also made the following entries in iptables:</div>
<div><u>On peer 1:</u></div>
<div>iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 10</div>
<div>iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 20</div>
<div> </div>
<div><u>On peer 2:</u></div>
<div>iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 11</div>
<div>iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 21</div>
<div> </div>
<div><u>ipsec status on peer 1:</u></div>
<div>Security Associations:<br> tunnel1[1]: ESTABLISHED 3 seconds ago, 192.168.255.75[C=CH, O=strongSwan, CN=192.168.255.75]...192.168.255.77[C=CH, O=strongSwan, CN=192.168.255.77]<br> tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c4ffeb30_i c69da46f_o<br>
tunnel1{3}: <a href="http://192.168.255.0/24">192.168.255.0/24</a> === <a href="http://192.168.255.0/24">192.168.255.0/24</a><br> tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c379ebf9_i c35560b4_o<br> tunnel2{4}: <a href="http://192.168.255.0/24">192.168.255.0/24</a> === <a href="http://192.168.255.0/24">192.168.255.0/24</a><br>
</div>
<div><u>ipsec status on peer 2:</u></div>
<div>Security Associations:<br> tunnel1[2]: ESTABLISHED 9 seconds ago, 192.168.255.77[C=CH, O=strongSwan, CN=192.168.255.77]...192.168.255.75[C=CH, O=strongSwan, CN=192.168.255.75]<br> tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c69da46f_i c4ffeb30_o<br>
tunnel1{3}: <a href="http://192.168.255.0/24">192.168.255.0/24</a> === <a href="http://192.168.255.0/24">192.168.255.0/24</a><br> tunnel1{4}: INSTALLED, TUNNEL, ESP SPIs: c35560b4_i c379ebf9_o<br> tunnel1{4}: <a href="http://192.168.255.0/24">192.168.255.0/24</a> === <a href="http://192.168.255.0/24">192.168.255.0/24</a><br>
<br></div>
<div>So now I see that I can SEND icmp packets into tunnel 1, and tcp packets into tunnel 2. The problem is that, I am not able to receive an acknowledgement for any of these packets, or the packets are getting lost and not being sent through the tunnels. In other words, packets are always sent in one direction only. Whether I send tcp or icmp, the packets only GO across. Nothing gets acknowledged. I can see this using tcpdump:</div>
<div> </div>
<div><u>When I send icmp packets from peer 1 to 2:</u></div>
<div> 19:36:32.957209 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ESP(spi=0xc69da46f,seq=0x43), length 164<br>19:36:33.965223 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ESP(spi=0xc69da46f,seq=0x44), length 164<br>
19:36:34.973232 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ESP(spi=0xc69da46f,seq=0x45), length 164<br>19:36:35.981718 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ESP(spi=0xc69da46f,seq=0x46), length 164<br>
</div>
<div><u>When I send tcp packets from peer 1 to 2:</u></div>
<div>19:40:04.783183 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ESP(spi=0xc35560b4,seq=0x3), length 100<br>19:40:19.281767 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ESP(spi=0xc35560b4,seq=0x4), length 100<br>
19:40:22.287152 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ESP(spi=0xc35560b4,seq=0x5), length 100</div>
<div> </div>
<div>I don't know if I'm missing something here, or if I've even done this right for that matter. Could you please help me out? I have no clue why the acknowledgements aren't being sent across. The same thing happens if I try sending packets from peer 2 to 1 (but it uses the other SPI)</div>
<div> </div>
<div>Thanks and regards,</div>
<div>Meera <br><br></div>
<div class="gmail_quote">On Thu, Jun 23, 2011 at 12:44 PM, Martin Willi <span dir="ltr"><<a href="mailto:martin@strongswan.org">martin@strongswan.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hi Meera,<br>
<div class="im"><br>> But is it possible to have multiple tunnels between the same endpoints<br>> (say between Alice and Sun)? I looked around but couldn't find any<br>> particular scenario in the link I've mentioned above. Also, even if it<br>
> is possible to have more than one tunnel between the same end points,<br>> will marking of packets help in differentiation, since the destination<br>> address of both tunnels will be the same?<br><br></div>Yes, having two identical IPsec tunnels works if you differentiate them<br>
with unique marks (or masks). You can use iptables rules to assign one<br>of the marks to each packet to select the tunnel to use. If you generate<br>traffic locally, you could alternatively use the SO_MARK socket option<br>
to set the mark.<br><br>Regards<br><font color="#888888">Martin<br><br><br></font></blockquote></div><br>