<div>Hi Andreas,</div>
<div> </div>
<div>Ok, thanks a lot for the explanation. I had understood it the other way round. It is now working with all DSCP values. </div>
<div> </div>
<div>Thanks and regards,</div>
<div>Meera <br><br></div>
<div class="gmail_quote">On Tue, Nov 15, 2011 at 2:17 PM, Andreas Steffen <span dir="ltr"><<a href="mailto:andreas.steffen@strongswan.org">andreas.steffen@strongswan.org</a>></span> wrote:<br>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">Hello Meera,<br><br>you must differentiate between setting the DSCP value in the TOS<br>field of the IP packets at the origin of the end-to-end IP route<br>
and marking these packets when they enter the VPN gateway and are<br>ready to be tunneled via IPsec. These are two totally different<br>tasks. Have a look at our demo example:<br><br><a href="http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log" target="_blank">http://www.strongswan.org/uml/<u></u>testresults/ikev2/net2net-psk-<u></u>dscp/console.log</a><br>
<br> DSCP set--> <-- DSCP set<br> alice ------ gw moon ================ gw sun --------- bob<br> MARK set--> IPsec <--Mark set<br><br>1) Setting the DSCP value in the TOS field of IP packet at the<br>
IP route end points alice and bob:<br><br>alice# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE<br>bob# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE<br><br>2) Setting a MARK by the VPN gateways moon and sun depending on the<br>
DSCP value detected in the inbound plaintext IP packets:<br><br>moon# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \<br> -j MARK --set-mark 10<br><br>sun# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10<br>
<br>Regards<br><br>Andreas
<div class="im"><br><br>On 11/15/2011 07:14 AM, Meera Sudhakar wrote:<br></div>
<blockquote style="BORDER-LEFT: #ccc 1px solid; MARGIN: 0px 0px 0px 0.8ex; PADDING-LEFT: 1ex" class="gmail_quote">
<div class="im">Hello Andreas,<br>Yes, I agree with you.<br>I have first set the following rules in the mangle table on both endpoints:<br>iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF<br>iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp<br>
--dscp-class EF<br>So with these rules, all traffic passing between the endpoints will be<br>marked with 10, and will have dscp EF. Since one of my tunnels has been<br>configured with mark=10 (in ipsec.conf), that means all these packets<br>
should travel through this tunnel. In other words, I am only trying to<br>set dscp=EF for my first tunnel which has mark=10. I am not using the<br>second tunnel with mark=20 now. This worked fine when only the marking<br>
was given in the iptables rules, without the dscp. So my understanding<br>is that I can use any one of the created tunnels at a time. Please<br>correct me if this is wrong.<br>Thanks,<br>Meera<br>On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen<br>
</div><<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.<u></u>org</a> <mailto:<a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@<u></u>strongswan.org</a>>>
<div>
<div class="h5"><br>wrote:<br><br> Hello,<br><br> you define only mark 10 but not mark 20. No traffic will go through<br> the tunnel without a mark (either 10 or 20) set.<br><br> Regards<br><br> Andreas<br><br>
On 11/14/2011 08:46 AM, Meera Sudhakar wrote:<br> > Hi,<br> ><br> > My aim is to create two IPsec tunnels using strongSwan between two<br> > end-points, each having a different dscp marking (like say EF,<br>
BE, AF31<br> > etc). Right now, I see that when I set the dscp marking as BE<br> (default),<br> > the traffic goes through the designated IPsec tunnel. When I use<br> > anything else, the traffic reaches the other end-point in plain-text<br>
> (there is no encryption). I tried refering to your example in<br> ><br> <a href="http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html" target="_blank">http://www2.strongswan.org/<u></u>uml/testresults46rc/ikev2/<u></u>net2net-psk-dscp/index.html</a>.<br>
> I see that you are able to send encrypted traffic with dscp<br> marking EF<br> > and BE. I believe that the reason dscp-marked traffic does not flow<br> > through a tunnel could be because the tunnel does not have the<br>
> 'capability' to handle that particular dscp-marking. Could you please<br> > let me know if this is the case, and also if there is anything I<br> need to<br> > change (kernel version, strongSwan version, config file) to get this<br>
> working. I have pasted the details of my end-points below, with<br> dscp set<br> > to EF:<br> ><br> > linux kernel version on both end-points: 2.6.35<br> > strongSwan version on both end-points: 4.5.2-1<br>
><br> > _End-point1:_<br> > # cat /etc/ipsec.conf<br> > # ipsec.conf - strongSwan IPsec configuration file<br> > # basic configuration<br> > config setup<br> > #plutostderrlog=/var/log/<u></u>syslog<br>
> # plutodebug=control<br> > # crlcheckinterval=600<br> > strictcrlpolicy=no<br> > # cachecrls=yes<br> > # nat_traversal=yes<br> > charonstart=yes<br>
> charondebug=control<br> > plutostart=no<br> > # Add connections here.<br> ><br> > ca strongswan<br> > cacert=caCert.der<br> > auto=add<br> > conn %default<br>
> type=tunnel<br> > left=169.254.0.70<br> > leftcert=VC1Cert.der<br> > right=169.254.1.70<br> > #rightid="C=CH, O=strongSwan, CN=169.254.1.70"<br>
> keyexchange=ikev2<br> > auto=start<br> > conn tunnel1<br> > leftid=@VC1-tunnel1 <mailto:<a href="mailto:leftid" target="_blank">leftid</a><br></div></div> <mailto:<a href="mailto:leftid" target="_blank">leftid</a>>=@VC1-tunnel1><br>
> rightid=@VC2-tunnel1 <mailto:<a href="mailto:rightid" target="_blank">rightid</a><br> <mailto:<a href="mailto:rightid" target="_blank">rightid</a>>=@VC2-tunnel1><br> > leftsubnet=<a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>>
<div class="im"><br> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br> > rightsubnet=<a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>
<<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br> > mark=10<br> > conn tunnel2<br> > leftid=@VC1-tunnel2 <mailto:<a href="mailto:leftid" target="_blank">leftid</a><br>
</div> <mailto:<a href="mailto:leftid" target="_blank">leftid</a>>=@VC1-tunnel2><br> > rightid=@VC2-tunnel2 <mailto:<a href="mailto:rightid" target="_blank">rightid</a><br> <mailto:<a href="mailto:rightid" target="_blank">rightid</a>>=@VC2-tunnel2><br>
> leftsubnet=<a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>>
<div class="im"><br> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br> > rightsubnet=<a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>
</div>
<div class="im"> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br> > mark=20<br> ><br> > # ipsec status<br> > Security Associations:<br> > tunnel1[1]: ESTABLISHED 37 seconds ago,<br>
> 169.254.0.70[VC1-tunnel1]...<u></u>169.254.1.70[VC2-tunnel1]<br> > tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o<br> > tunnel1{3}: <a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>
<<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>> ===<br></div> > <a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>>
<div class="im"><br> > tunnel2[2]: ESTABLISHED 37 seconds ago,<br> > 169.254.0.70[VC1-tunnel2]...<u></u>169.254.1.70[VC2-tunnel2]<br> > tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o<br>
> tunnel2{4}: <a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>> ===<br>
</div> > <a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>>
<div class="im"><br> ><br> > # iptables -L -t mangle<br> > Chain PREROUTING (policy ACCEPT)<br> > target prot opt source destination<br> > MARK all -- anywhere anywhere DSCP<br>
match<br> > 0x2eMARK set 0xa<br> > Chain INPUT (policy ACCEPT)<br> > target prot opt source destination<br> > Chain FORWARD (policy ACCEPT)<br> > target prot opt source destination<br>
> Chain OUTPUT (policy ACCEPT)<br> > target prot opt source destination<br> > MARK all -- anywhere anywhere DSCP<br> match<br> > 0x2eMARK set 0xa<br>
> Chain POSTROUTING (policy ACCEPT)<br> > target prot opt source destination<br> ><br> > # ping 169.254.1.70<br> > PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.<br>
> 64 bytes from 169.254.1.70 <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70</a><br></div> <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70/</a>>>: icmp_req=1 ttl=63
<div class="im"><br> > time=0.192 ms<br> > 64 bytes from 169.254.1.70 <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70</a><br></div> <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70/</a>>>: icmp_req=2 ttl=63
<div>
<div class="h5"><br> > time=0.129 ms<br> > ^C<br> > --- 169.254.1.70 ping statistics ---<br> > 2 packets transmitted, 2 received, 0% packet loss, time 999ms<br> > rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms<br>
><br> > _End-point 2:_<br> > # cat /etc/ipsec.conf<br> > # ipsec.conf - strongSwan IPsec configuration file<br> > # basic configuration<br> > config setup<br> > # plutodebug=control<br>
> # crlcheckinterval=600<br> > strictcrlpolicy=no<br> > # cachecrls=yes<br> > # nat_traversal=yes<br> > charonstart=yes<br> > plutostart=no<br>
> charondebug=control<br> > # Add connections here.<br> ><br> > ca strongswan<br> > cacert=caCert.der<br> > auto=add<br> > conn %default<br> > type=tunnel<br>
> left=169.254.1.70<br> > leftcert=VC2Cert.der<br> > right=169.254.0.70<br> > #rightid="C=CH, O=strongSwan, CN=169.254.0.70"<br> > keyexchange=ikev2<br>
> auto=start<br> > conn tunnel1<br> > leftid=@VC2-tunnel1 <mailto:<a href="mailto:leftid" target="_blank">leftid</a><br></div></div> <mailto:<a href="mailto:leftid" target="_blank">leftid</a>>=@VC2-tunnel1><br>
> rightid=@VC1-tunnel1 <mailto:<a href="mailto:rightid" target="_blank">rightid</a><br> <mailto:<a href="mailto:rightid" target="_blank">rightid</a>>=@VC1-tunnel1><br> > leftsubnet=<a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>>
<div class="im"><br> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br> > rightsubnet=<a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>
<<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br> > mark=10<br> > conn tunnel2<br> > leftid=@VC2-tunnel2 <mailto:<a href="mailto:leftid" target="_blank">leftid</a><br>
</div> <mailto:<a href="mailto:leftid" target="_blank">leftid</a>>=@VC2-tunnel2><br> > rightid=@VC1-tunnel2 <mailto:<a href="mailto:rightid" target="_blank">rightid</a><br> <mailto:<a href="mailto:rightid" target="_blank">rightid</a>>=@VC1-tunnel2><br>
> leftsubnet=<a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>>
<div class="im"><br> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br> > rightsubnet=<a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br>
</div>
<div class="im"> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>><br> > mark=20<br> ><br> > # ipsec status<br> > Security Associations:<br> > tunnel1[3]: ESTABLISHED 44 seconds ago,<br>
> 169.254.1.70[VC2-tunnel1]...<u></u>169.254.0.70[VC1-tunnel1]<br> > tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o<br> > tunnel1{3}: <a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br>
<<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>> ===<br></div> > <a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>>
<div class="im"><br> > tunnel2[4]: ESTABLISHED 44 seconds ago,<br> > 169.254.1.70[VC2-tunnel2]...<u></u>169.254.0.70[VC1-tunnel2]<br> > tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o<br>
> tunnel2{4}: <a href="http://169.254.1.0/24" target="_blank">169.254.1.0/24</a> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>><br> <<a href="http://169.254.1.0/24" target="_blank">http://169.254.1.0/24</a>> ===<br>
</div> > <a href="http://169.254.0.0/24" target="_blank">169.254.0.0/24</a> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>> <<a href="http://169.254.0.0/24" target="_blank">http://169.254.0.0/24</a>>
<div class="im"><br> ><br> > # iptables -L -t mangle<br> > Chain PREROUTING (policy ACCEPT)<br> > target prot opt source destination<br> > MARK all -- anywhere anywhere DSCP<br>
match<br> > 0x2eMARK set 0xa<br> > Chain INPUT (policy ACCEPT)<br> > target prot opt source destination<br> > Chain FORWARD (policy ACCEPT)<br> > target prot opt source destination<br>
> Chain OUTPUT (policy ACCEPT)<br> > target prot opt source destination<br> > MARK all -- anywhere anywhere DSCP<br> match<br> > 0x2eMARK set 0xa<br>
> Chain POSTROUTING (policy ACCEPT)<br> > target prot opt source destination<br> ><br> > # tcpdump -i eth2<br> > tcpdump: verbose output suppressed, use -v or -vv for full<br>
protocol decode<br> > listening on eth2, link-type EN10MB (Ethernet), capture size<br> 65535 bytes<br> > 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70<br></div> <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70</a> <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70/</a>>>:
<div class="im"><br> > ICMP echo request, id 27015, seq 1, length 64<br> > 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70<br></div> <<a href="http://169.254.0.70/" target="_blank">http://169.254.0.70</a> <<a href="http://169.254.0.70/" target="_blank">http://169.254.0.70/</a>>>:
<div class="im"><br> > ICMP echo reply, id 27015, seq 1, length 64<br> > 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70<br></div> <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70</a> <<a href="http://169.254.1.70/" target="_blank">http://169.254.1.70/</a>>>:
<div class="im"><br> > ICMP echo request, id 27015, seq 2, length 64<br> > 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70<br></div> <<a href="http://169.254.0.70/" target="_blank">http://169.254.0.70</a> <<a href="http://169.254.0.70/" target="_blank">http://169.254.0.70/</a>>>:
<div class="im"><br> > ICMP echo reply, id 27015, seq 2, length 64<br> ><br> > Could you please let me know if there is anything more I need to<br> do? The<br> > above works fine only when dscp is set to BE.<br>
><br> > Thanks and regards,<br> > Meera<br></div></blockquote>
<div class="HOEnZb">
<div class="h5"><br>==============================<u></u>==============================<u></u>==========<br>Andreas Steffen <a href="mailto:andreas.steffen@strongswan.org" target="_blank">andreas.steffen@strongswan.org</a><br>
strongSwan - the Linux VPN Solution! <a href="http://www.strongswan.org/" target="_blank">www.strongswan.org</a><br>Institute for Internet Technologies and Applications<br>University of Applied Sciences Rapperswil<br>
CH-8640 Rapperswil (Switzerland)<br>==============================<u></u>=============================[<u></u>ITA-HSR]==<br></div></div></blockquote></div><br>