<div>Hi,</div>
<div> </div>
<div>My aim is to create two IPsec tunnels using strongSwan between two end-points, each having a different DSCP marking (like say EF, BE, AF31 etc.). Right now, I see that when I set the DSCP marking as BE (default), the traffic goes through the designated IPsec tunnel. When I use anything else, the traffic reaches the other end-point in plain text (there is no encryption). I tried referring to your example in <a href="http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html">http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html</a>. I see that you are able to send encrypted traffic with DSCP marking EF and BE. I believe that the reason DSCP-marked traffic does not flow through a tunnel could be because the tunnel does not have the 'capability' to handle that particular DSCP marking. Could you please let me know if this is the case, and also if there is anything I need to change (kernel version, strongSwan version, config file) to get this working. I have pasted the details of my end-points below, with DSCP set to EF:</div>
<div> </div>
<div>linux kernel version on both end-points: 2.6.35</div>
<div>strongSwan version on both end-points: 4.5.2-1</div>
<div> </div>
<div><u>End-point 1:</u></div>
<div># cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> #plutostderrlog=/var/log/syslog<br> # plutodebug=control<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br> # nat_traversal=yes<br> charonstart=yes<br>
charondebug=control<br> plutostart=no</div>
<div># Add connections here.</div>
<div><br>ca strongswan<br> cacert=caCert.der<br> auto=add</div>
<div>conn %default<br> type=tunnel<br> left=169.254.0.70<br> leftcert=VC1Cert.der<br> right=169.254.1.70<br> #rightid="C=CH, O=strongSwan, CN=169.254.1.70"<br> keyexchange=ikev2<br>
auto=start</div>
<div>conn tunnel1<br> leftid=@VC1-tunnel1<br> rightid=@VC2-tunnel1<br> leftsubnet=169.254.0.0/24<br>
rightsubnet=169.254.1.0/24<br> mark=10</div>
<div>conn tunnel2<br> leftid=@VC1-tunnel2<br> rightid=@VC2-tunnel2<br> leftsubnet=169.254.0.0/24<br>
rightsubnet=169.254.1.0/24<br> mark=20</div>
<div><br># ipsec status<br>Security Associations:<br> tunnel1[1]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]<br> tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o<br>
tunnel1{3}: 169.254.0.0/24 === 169.254.1.0/24<br> tunnel2[2]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]<br>
tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o<br> tunnel2{4}: 169.254.0.0/24 === 169.254.1.0/24</div>
<div><br># iptables -L -t mangle<br>Chain PREROUTING (policy ACCEPT)<br>target prot opt source destination<br>MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa</div>
<div>Chain INPUT (policy ACCEPT)<br>target prot opt source destination</div>
<div>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination</div>
<div>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination<br>MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa</div>
<div>Chain POSTROUTING (policy ACCEPT)<br>target prot opt source destination</div>
<div><br># ping 169.254.1.70<br>PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.<br>64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms<br>64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms<br>
^C<br>--- 169.254.1.70 ping statistics ---<br>2 packets transmitted, 2 received, 0% packet loss, time 999ms<br>rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms<br></div>
<div> </div>
<div><u>End-point 2:</u></div>
<div># cat /etc/ipsec.conf<br># ipsec.conf - strongSwan IPsec configuration file</div>
<div># basic configuration</div>
<div>config setup<br> # plutodebug=control<br> # crlcheckinterval=600<br> strictcrlpolicy=no<br> # cachecrls=yes<br> # nat_traversal=yes<br> charonstart=yes<br> plutostart=no<br>
charondebug=control</div>
<div># Add connections here.</div>
<div><br>ca strongswan<br> cacert=caCert.der<br> auto=add</div>
<div>conn %default<br> type=tunnel<br> left=169.254.1.70<br> leftcert=VC2Cert.der<br> right=169.254.0.70<br> #rightid="C=CH, O=strongSwan, CN=169.254.0.70"<br> keyexchange=ikev2<br>
auto=start</div>
<div>conn tunnel1<br> leftid=@VC2-tunnel1<br> rightid=@VC1-tunnel1<br> leftsubnet=169.254.1.0/24<br>
rightsubnet=169.254.0.0/24<br> mark=10</div>
<div>conn tunnel2<br> leftid=@VC2-tunnel2<br> rightid=@VC1-tunnel2<br> leftsubnet=169.254.1.0/24<br>
rightsubnet=169.254.0.0/24<br> mark=20</div>
<div><br># ipsec status<br>Security Associations:<br> tunnel1[3]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]<br> tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o<br>
tunnel1{3}: 169.254.1.0/24 === 169.254.0.0/24<br> tunnel2[4]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]<br>
tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o<br> tunnel2{4}: 169.254.1.0/24 === 169.254.0.0/24</div>
<div><br># iptables -L -t mangle<br>Chain PREROUTING (policy ACCEPT)<br>target prot opt source destination<br>MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa</div>
<div>Chain INPUT (policy ACCEPT)<br>target prot opt source destination</div>
<div>Chain FORWARD (policy ACCEPT)<br>target prot opt source destination</div>
<div>Chain OUTPUT (policy ACCEPT)<br>target prot opt source destination<br>MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa</div>
<div>Chain POSTROUTING (policy ACCEPT)<br>target prot opt source destination</div>
<div><br># tcpdump -i eth2<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes<br>01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64<br>
01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64<br>01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64<br>
01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64<br><br>Could you please let me know if there is anything more I need to do? The above works fine only when DSCP is set to BE.</div>
<div> </div>
<div>Thanks and regards,</div>
<div>Meera </div>
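<div>An added consistency check, not part of the post above: it cross-references the mark= values in the pasted ipsec.conf conn sections with the "DSCP match ... MARK set ..." rules in the mangle listing, so one can see at a glance which DSCP class lands on which tunnel mark and which tunnel has no classifier at all. The sample inputs are constructed from the post's own configuration; the DSCP name table is an assumption limited to the classes the post names.</div>

```python
import re

# Constructed sample input: the conn sections from the post's End-point 1 ipsec.conf
IPSEC_CONF = """
conn tunnel1
 leftsubnet=169.254.0.0/24
 rightsubnet=169.254.1.0/24
 mark=10
conn tunnel2
 leftsubnet=169.254.0.0/24
 rightsubnet=169.254.1.0/24
 mark=20
"""

# Constructed sample input: the OUTPUT chain of `iptables -L -t mangle` from the post
MANGLE_LISTING = """
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa
"""

# Assumed name table, restricted to the classes mentioned in the post
DSCP_NAMES = {0x00: "BE", 0x2e: "EF", 0x1a: "AF31"}

def parse_tunnel_marks(conf):
    """Return {conn name: fwmark} for each conn section that sets mark= (mask part, if any, dropped)."""
    marks, current = {}, None
    for line in conf.splitlines():
        head = re.match(r"conn\s+(\S+)", line)
        if head:
            current = head.group(1)
            continue
        mark = re.match(r"\s*mark=([^/\s]+)", line)
        if mark and current:
            marks[current] = int(mark.group(1), 0)
    return marks

def parse_dscp_marks(listing):
    """Return {dscp: fwmark} from MARK rules matching on DSCP; tolerates the missing space in the pasted output."""
    pairs = re.findall(r"DSCP match (0x[0-9a-f]+)\s*MARK set (0x[0-9a-f]+)", listing)
    return {int(dscp, 16): int(fwmark, 16) for dscp, fwmark in pairs}

def check_mapping(conf, listing):
    """Map each classified DSCP class to the tunnel whose mark it sets, and list tunnels no rule feeds."""
    tunnels = parse_tunnel_marks(conf)
    classifiers = parse_dscp_marks(listing)
    tunnel_by_mark = {mark: name for name, mark in tunnels.items()}
    class_to_tunnel = {DSCP_NAMES.get(dscp, hex(dscp)): tunnel_by_mark.get(fwmark, "NO TUNNEL")
                       for dscp, fwmark in classifiers.items()}
    unfed_tunnels = sorted(name for name, mark in tunnels.items() if mark not in classifiers.values())
    return class_to_tunnel, unfed_tunnels

if __name__ == "__main__":
    print(check_mapping(IPSEC_CONF, MANGLE_LISTING))
```

<div>Run against the posted configuration it reports EF mapped to tunnel1 (0x2e sets 0xa, i.e. mark 10) and tunnel2 (mark 20) with no mangle rule feeding it, which is the mapping the listing actually encodes, independent of why the marked packets leave unencrypted.</div>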