<div>Hello Andreas,</div>
<div> </div>
<div>Yes, I agree with you.</div>
<div> </div>
<div>I have first set the following rules in the mangle table on both endpoints:</div>
<div>iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF</div>
<div>iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class EF</div>
<div> </div>
<div>So with these rules, all traffic passing between the endpoints will be marked with 10, and will have dscp EF. Since one of my tunnels has been configured with mark=10 (in ipsec.conf), that means all these packets should travel through this tunnel. In other words, I am only trying to set dscp=EF for my first tunnel which has mark=10. I am not using the second tunnel with mark=20 now. This worked fine when only the marking was given in the iptables rules, without the dscp. So my understanding is that I can use any one of the created tunnels at a time. Please correct me if this is wrong. </div>
<div> </div>
<div>Thanks,</div>
<div>Meera </div>
<div> </div>
<div> </div>
<div class="gmail_quote">On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hello,<br><br>you define only mark 10 but not mark 20. No traffic will go through<br>the tunnel without a mark (either 10 or 20) set.<br>
<br>Regards<br><br>Andreas<br>
<div class="im"><br>On 11/14/2011 08:46 AM, Meera Sudhakar wrote:<br>> Hi,<br>><br>> My aim is to create two IPsec tunnels using strongSwan between two<br>> end-points, each having a different dscp marking (like say EF, BE, AF31<br>
> etc). Right now, I see that when I set the dscp marking as BE (default),<br>> the traffic goes through the designated IPsec tunnel. When I use<br>> anything else, the traffic reaches the other end-point in plain-text<br>
> (there is no encryption). I tried refering to your example in<br>> <a href="http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html" target="_blank">http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html</a>.<br>
> I see that you are able to send encrypted traffic with dscp marking EF<br>> and BE. I believe that the reason dscp-marked traffic does not flow<br>> through a tunnel could be because the tunnel does not have the<br>
> 'capability' to handle that particular dscp-marking. Could you please<br>> let me know if this is the case, and also if there is anything I need to<br>> change (kernel version, strongSwan version, config file) to get this<br>
> working. I have pasted the details of my end-points below, with dscp set<br>> to EF:<br>><br>> linux kernel version on both end-points: 2.6.35<br>> strongSwan version on both end-points: 4.5.2-1<br>><br>
</div>> _End-point1:_<br>
<div>
<div class="h5">> # cat /etc/ipsec.conf<br>> # ipsec.conf - strongSwan IPsec configuration file<br>> # basic configuration<br>> config setup<br>> #plutostderrlog=/var/log/syslog<br>> # plutodebug=control<br>
> # crlcheckinterval=600<br>> strictcrlpolicy=no<br>> # cachecrls=yes<br>> # nat_traversal=yes<br>> charonstart=yes<br>> charondebug=control<br>> plutostart=no<br>
> # Add connections here.<br>><br>> ca strongswan<br>> cacert=caCert.der<br>> auto=add<br>> conn %default<br>> type=tunnel<br>> left=169.254.0.70<br>> leftcert=VC1Cert.der<br>
> right=169.254.1.70<br>> #rightid="C=CH, O=strongSwan, CN=169.254.1.70"<br>> keyexchange=ikev2<br>> auto=start<br>> conn tunnel1<br></div></div>> leftid=@VC1-tunnel1 <mailto:<a href="mailto:leftid">leftid</a>=@VC1-tunnel1><br>
> rightid=@VC2-tunnel1 <mailto:<a href="mailto:rightid">rightid</a>=@VC2-tunnel1><br>> leftsubnet=<a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>
> rightsubnet=<a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>> mark=10<br>> conn tunnel2<br>
> leftid=@VC1-tunnel2 <mailto:<a href="mailto:leftid">leftid</a>=@VC1-tunnel2><br>> rightid=@VC2-tunnel2 <mailto:<a href="mailto:rightid">rightid</a>=@VC2-tunnel2><br>> leftsubnet=<a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>
> rightsubnet=<a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>
<div class="im">> mark=20<br>><br>> # ipsec status<br>> Security Associations:<br>> tunnel1[1]: ESTABLISHED 37 seconds ago,<br>> 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]<br>> tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o<br>
</div>> tunnel1{3}: <a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>> ===<br>> <a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>
<div class="im">> tunnel2[2]: ESTABLISHED 37 seconds ago,<br>> 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]<br>> tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o<br></div>> tunnel2{4}: <a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>> ===<br>
> <a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>
<div class="im">><br>> # iptables -L -t mangle<br>> Chain PREROUTING (policy ACCEPT)<br>> target prot opt source destination<br>> MARK all -- anywhere anywhere DSCP match<br>
> 0x2eMARK set 0xa<br>> Chain INPUT (policy ACCEPT)<br>> target prot opt source destination<br>> Chain FORWARD (policy ACCEPT)<br>> target prot opt source destination<br>
> Chain OUTPUT (policy ACCEPT)<br>> target prot opt source destination<br>> MARK all -- anywhere anywhere DSCP match<br>> 0x2eMARK set 0xa<br>> Chain POSTROUTING (policy ACCEPT)<br>
> target prot opt source destination<br>><br>> # ping 169.254.1.70<br>> PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.<br></div>> 64 bytes from 169.254.1.70 <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70</a>>: icmp_req=1 ttl=63<br>
> time=0.192 ms<br>> 64 bytes from 169.254.1.70 <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70</a>>: icmp_req=2 ttl=63<br>
<div class="im">> time=0.129 ms<br>> ^C<br>> --- 169.254.1.70 ping statistics ---<br>> 2 packets transmitted, 2 received, 0% packet loss, time 999ms<br>> rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms<br>
><br></div>> _End-point 2:_<br>
<div>
<div class="h5">> # cat /etc/ipsec.conf<br>> # ipsec.conf - strongSwan IPsec configuration file<br>> # basic configuration<br>> config setup<br>> # plutodebug=control<br>> # crlcheckinterval=600<br>
> strictcrlpolicy=no<br>> # cachecrls=yes<br>> # nat_traversal=yes<br>> charonstart=yes<br>> plutostart=no<br>> charondebug=control<br>> # Add connections here.<br>
><br>> ca strongswan<br>> cacert=caCert.der<br>> auto=add<br>> conn %default<br>> type=tunnel<br>> left=169.254.1.70<br>> leftcert=VC2Cert.der<br>> right=169.254.0.70<br>
> #rightid="C=CH, O=strongSwan, CN=169.254.0.70"<br>> keyexchange=ikev2<br>> auto=start<br>> conn tunnel1<br></div></div>> leftid=@VC2-tunnel1 <mailto:<a href="mailto:leftid">leftid</a>=@VC2-tunnel1><br>
> rightid=@VC1-tunnel1 <mailto:<a href="mailto:rightid">rightid</a>=@VC1-tunnel1><br>> leftsubnet=<a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>
> rightsubnet=<a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>> mark=10<br>> conn tunnel2<br>
> leftid=@VC2-tunnel2 <mailto:<a href="mailto:leftid">leftid</a>=@VC2-tunnel2><br>> rightid=@VC1-tunnel2 <mailto:<a href="mailto:rightid">rightid</a>=@VC1-tunnel2><br>> leftsubnet=<a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>
> rightsubnet=<a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>
<div class="im">> mark=20<br>><br>> # ipsec status<br>> Security Associations:<br>> tunnel1[3]: ESTABLISHED 44 seconds ago,<br>> 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]<br>> tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o<br>
</div>> tunnel1{3}: <a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>> ===<br>> <a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>
<div class="im">> tunnel2[4]: ESTABLISHED 44 seconds ago,<br>> 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]<br>> tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o<br></div>> tunnel2{4}: <a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>> ===<br>
> <a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>
<div class="im">><br>> # iptables -L -t mangle<br>> Chain PREROUTING (policy ACCEPT)<br>> target prot opt source destination<br>> MARK all -- anywhere anywhere DSCP match<br>
> 0x2eMARK set 0xa<br>> Chain INPUT (policy ACCEPT)<br>> target prot opt source destination<br>> Chain FORWARD (policy ACCEPT)<br>> target prot opt source destination<br>
> Chain OUTPUT (policy ACCEPT)<br>> target prot opt source destination<br>> MARK all -- anywhere anywhere DSCP match<br>> 0x2eMARK set 0xa<br>> Chain POSTROUTING (policy ACCEPT)<br>
> target prot opt source destination<br>><br>> # tcpdump -i eth2<br>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>> listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes<br>
</div>> 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70 <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70</a>>:<br>
<div class="im">> ICMP echo request, id 27015, seq 1, length 64<br></div>> 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70 <<a href="http://169.254.0.70/" target="_blank">http://169.254.0.70</a>>:<br>
<div class="im">> ICMP echo reply, id 27015, seq 1, length 64<br></div>> 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70 <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70</a>>:<br>
<div class="im">> ICMP echo request, id 27015, seq 2, length 64<br></div>> 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70 <<a href="http://169.254.0.70/" target="_blank">http://169.254.0.70</a>>:<br>
<div class="im">> ICMP echo reply, id 27015, seq 2, length 64<br>><br>> Could you please let me know if there is anything more I need to do? The<br>> above works fine only when dscp is set to BE.<br>><br>> Thanks and regards,<br>
> Meera<br><br></div>======================================================================<br><span class="HOEnZb"><font color="#888888">Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org/" target="_blank">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>===========================================================[ITA-HSR]==<br></font></span></blockquote></div><br>