<div>Hi Andreas,</div>
<div> </div>
<div>Thanks for the suggestion. I tried it out, but marking in PREROUTING does not send the packets through the tunnel (tcpdump shows it is not encrypted).</div>
<div> </div>
<div>00:24:54.806215 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ICMP echo request, id 9330, seq 40, length 64<br>00:24:55.814320 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ICMP echo request, id 9330, seq 41, length 64<br>
00:24:56.822434 IP 192.168.255.75 > <a href="http://192.168.255.77">192.168.255.77</a>: ICMP echo request, id 9330, seq 42, length 64<br></div>
<div>When I set the mark in OUTPUT, I at least see a one-way flow of encrypted packets (through the tunnel that also has the same marking). There are still no acknowledgement packets. I saw that it is working fine in the example you mentioned though.</div>
<div> </div>
<div>Do you know of anything else I can try?</div>
<div> </div>
<div>Thank you!</div>
<div>Meera <br><br></div>
<div class="gmail_quote">On Wed, Jul 13, 2011 at 6:29 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hi Meera,<br><br>try to set the marks in the PREROUTING chain as in my DiffServ<br>example scenario:<br><br>
<a href="http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log" target="_blank">http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log</a><br><br>And follow Martin's recommendation to use the same marks in the<br>
inbound and outbound direction.<br><br>Regards<br><br>Andreas<br>
<div class="im"><br>On 13.07.2011 12:45, Meera Sudhakar wrote:<br>> Hi Martin,<br>><br>> Well I'm not exactly sure how but it does not seem to have any problem<br>> in sending the packets correctly. When there is no marking, the packets<br>
> go just fine with the values I have given for the subnets (the ones<br>> you've pasted in your mail). So I thought this wouldn't be a problem.<br>><br>> Pasting a part of tcpdump here when tunnels are created without marking:<br>
> 23:10:20.699173 IP 192.168.255.77 > 192.168.255.75: ESP(spi=0xc1862a7a,seq=0x3b), length 164<br>
> 23:10:21.699124 IP 192.168.255.75 > 192.168.255.77: ESP(spi=0xc5d25503,seq=0x3c), length 164<br></div>
<div class="im">> # ipsec status<br>> Security Associations:<br>> tunnel1[2]: ESTABLISHED 5 minutes ago, 192.168.255.77[C=CH,<br>> O=strongSwan, CN=192.168.255.77]...192.168.255.75[C=CH, O=strongSwan,<br>
> CN=192.168.255.75]<br>> tunnel1{1}: INSTALLED, TUNNEL, ESP SPIs: c5d25503_i c1862a7a_o<br>> tunnel1{1}: 192.168.255.0/24 === 192.168.255.0/24<br></div>
<div class="im">> Also, replacing mark_in and mark_out with mark in ipsec.conf still gives<br>> the same result. I shall see if there is anything else I can do though.<br>><br>> Thanks and regards,<br>> Meera<br>
><br>> On Wed, Jul 13, 2011 at 12:58 PM, Martin Willi <<a href="mailto:martin@strongswan.org">martin@strongswan.org</a>> wrote:<br>><br>> Hi,<br>><br>> > leftsubnet=192.168.255.0/24<br>
> > rightsubnet=192.168.255.0/24<br></div>
<div class="im">><br>> How should the routing work if you have the same subnet on both ends of<br>> the tunnel? Where should a gateway send such packets to?<br>><br>> > mark_in=11<br>
> > mark_out=10<br>><br>> Using the same mark for in and out is probably simpler, you can set both<br>> marks by using:<br>><br>> mark=10<br>><br>> Regards<br>
> Martin<br>><br>><br>><br>><br>><br></div>> _______________________________________________<br>> Users mailing list<br>> <a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br>
> <a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><br><font color="#888888"><br><br>--<br>======================================================================<br>
Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org/" target="_blank">www.strongswan.org</a><br>
Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></font></blockquote>
</div><br>
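<div>As an added example, not code from this thread or from the strongSwan project: the mangle-table rules that pair with a single CHILD_SA configured with <code>mark=10</code>, i.e. one fwmark for both directions as Martin suggested. It keeps the two outbound paths apart, since traffic the gateway generates itself (such as the pings in the capture above) enters netfilter at OUTPUT and never sees PREROUTING, which is consistent with the PREROUTING mark having no effect and the OUTPUT mark producing one-way ESP. It also marks the peer's ESP and NAT-T packets in PREROUTING so the marked inbound SA can match them. The LAN prefixes, the <code>--apply</code> flag, the function names and the assumption that the inbound mark is applied to the SA (the behaviour of the 4.x releases current in this thread) are mine, not the thread's.</div>

```shell
#!/bin/sh
# Added example (not from the thread or from strongSwan).  Builds the iptables
# mangle rules that go with a strongSwan CHILD_SA configured as
#   conn tunnel1
#       mark=10        # one fwmark for inbound and outbound
# Gateway addresses are the ones in the thread; the LAN prefixes are
# assumptions (the thread's config uses the same /24 on both ends, which
# leaves the kernel nothing to route).
MARK=10
LOCAL_GW=192.168.255.75
PEER_GW=192.168.255.77
LOCAL_LAN=10.1.0.0/16   # assumption
PEER_LAN=10.2.0.0/16    # assumption

# Outbound.  Packets this gateway generates itself take OUTPUT -> POSTROUTING
# and never pass PREROUTING; only forwarded traffic from LOCAL_LAN does.  The
# mangle OUTPUT hook re-routes a packet whose mark changed, so the XFRM policy
# lookup then sees the mark.  One rule per path is therefore required.
outbound_rules() {
  printf '%s\n' \
    "iptables -t mangle -A OUTPUT -d $PEER_LAN -j MARK --set-mark $MARK" \
    "iptables -t mangle -A PREROUTING -s $LOCAL_LAN -d $PEER_LAN -j MARK --set-mark $MARK"
}

# Inbound.  Assumption: the inbound mark is applied to the SA, so the kernel
# only accepts ESP packets that already carry it.  PREROUTING is the only hook
# that runs before XFRM decrypts the packet, so mark the peer's ESP and
# UDP/4500 (NAT-T) traffic there.
inbound_rules() {
  printf '%s\n' \
    "iptables -t mangle -A PREROUTING -p esp -s $PEER_GW -j MARK --set-mark $MARK" \
    "iptables -t mangle -A PREROUTING -p udp -s $PEER_GW --dport 4500 -j MARK --set-mark $MARK"
}

# The thread's symptom (plaintext ICMP from LOCAL_GW to PEER_GW in tcpdump)
# means the mark was absent at OUTPUT.  Returns the rule that covers that path.
rule_for_locally_generated_traffic() {
  outbound_rules | grep ' OUTPUT '
}

# Apply only on explicit request, as root, after printing the rules; then
# confirm that marked XFRM policies exist at all.
if [ "${1:-}" = "--apply" ]; then
  { outbound_rules; inbound_rules; } | tee /dev/stderr | sh -e
  ip xfrm policy show | grep -q mark || echo "no marked XFRM policies installed; check mark= in ipsec.conf" >&2
fi
```

Run it without arguments to print nothing and source the functions, or with <code>--apply</code> as root to install the rules. After applying, <code>tcpdump -ni any esp</code> should show ESP in both directions between 192.168.255.75 and 192.168.255.77 rather than the plaintext ICMP echo requests seen above; if only one direction is encrypted, the inbound PREROUTING rule is the one to re-check.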