<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<p>just upgraded the server to 5.5.2dr4 (previous 5.4.0) and back
working those 97% customers with mark=%unique</p>
<p>I guess [1] is related ...<br>
</p>
<p>much better for me ... <br>
</p>
<p>but the main problem still exists: Customers can't share the same
subnet with mark=%unique too</p>
<p>(static [2] entries are not possible)<br>
</p>
<p><br>
</p>
<p>[1] <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/issues/1497">https://wiki.strongswan.org/issues/1497</a></p>
<p>[2] <a class="moz-txt-link-freetext" href="https://strongswan.org/testresults4.html">https://strongswan.org/testresults4.html</a></p>
<p><br>
</p>
<p><span lang="CS">BR<br>
Oleksandr Yermolenko</span></p>
<br>
<div class="moz-cite-prefix">On 01/28/2017 01:06 PM, Oleksandr
Yermolenko wrote:<br>
</div>
<blockquote
cite="mid:17f7ecb8-9ab2-5912-08af-e0281177214d@sumix.com"
type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
a few additional details:<br>
just playing with mark option:<br>
########## ipsec.conf ###############################<br>
conn customers<br>
mark=42<br>
# mark=%unique<br>
working 97% of customers ... instead of those who share the same
subnet<br>
#########################################<br>
conn customers<br>
# mark=42<br>
mark=%unique<br>
<br>
nobody works at all. Does plugin "connmark" not compatible for my
environment or I have missed something?<br>
<br>
<span lang="CS">BR<br>
Oleksandr Yermolenko<br>
</span><br>
<br>
ip -s xfrm policy | grep mark<br>
mark 97/0xffffffff<br>
.... I can see mark's ID from 97 to 1<br>
mark 1/0xffffffff<br>
<br>
ip -s xfrm policy<br>
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0<br>
dir fwd action allow index 2231778 priority 2816 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft (INF)(bytes), hard (INF)(bytes)<br>
limit: soft (INF)(packets), hard (INF)(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2017-01-28 05:08:58 use -<br>
mark 97/0xffffffff<br>
tmpl src XX.XX.98.33 dst X.X.130.56<br>
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode
tunnel<br>
level required share any <br>
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0<br>
dir in action allow index 2231768 priority 2816 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft (INF)(bytes), hard (INF)(bytes)<br>
limit: soft (INF)(packets), hard (INF)(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2017-01-28 05:08:58 use -<br>
mark 97/0xffffffff<br>
tmpl src XX.XX.98.33 dst X.X.130.56<br>
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode
tunnel<br>
level required share any <br>
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
src 10.50.3.167/32 dst 10.50.254.58/32 proto tcp sport 8080 uid 0<br>
dir out action allow index 2231761 priority 2816 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft (INF)(bytes), hard (INF)(bytes)<br>
limit: soft (INF)(packets), hard (INF)(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2017-01-28 05:08:58 use -<br>
mark 97/0xffffffff<br>
tmpl src X.X.130.56 dst XX.XX.98.33<br>
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode
tunnel<br>
level required share any <br>
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
src 10.50.254.58/32 dst 10.50.3.157/32 uid 0<br>
dir fwd action allow index 2231754 priority 2819 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft (INF)(bytes), hard (INF)(bytes)<br>
limit: soft (INF)(packets), hard (INF)(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2017-01-28 05:08:58 use -<br>
mark 97/0xffffffff<br>
tmpl src XX.XX.98.33 dst X.X.130.56<br>
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode
tunnel<br>
level required share any <br>
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
src 10.50.254.58/32 dst 10.50.3.157/32 uid 0<br>
dir in action allow index 2231744 priority 2819 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft (INF)(bytes), hard (INF)(bytes)<br>
limit: soft (INF)(packets), hard (INF)(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2017-01-28 05:08:58 use -<br>
mark 97/0xffffffff<br>
tmpl src XX.XX.98.33 dst X.X.130.56<br>
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode
tunnel<br>
level required share any <br>
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
src 10.50.3.157/32 dst 10.50.254.58/32 uid 0<br>
dir out action allow index 2231737 priority 2819 ptype main
share any flag (0x00000000)<br>
lifetime config:<br>
limit: soft (INF)(bytes), hard (INF)(bytes)<br>
limit: soft (INF)(packets), hard (INF)(packets)<br>
expire add: soft 0(sec), hard 0(sec)<br>
expire use: soft 0(sec), hard 0(sec)<br>
lifetime current:<br>
0(bytes), 0(packets)<br>
add 2017-01-28 05:08:58 use -<br>
mark 97/0xffffffff<br>
tmpl src X.X.130.56 dst XX.XX.98.33<br>
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode
tunnel<br>
level required share any <br>
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff<br>
#########################################<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 01/23/2017 12:49 PM, Oleksandr
Yermolenko wrote:<br>
</div>
<blockquote
cite="mid:3adadfc8-dd79-c166-d820-1b69e897f82c@sumix.com"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=utf-8">
<p>Hi,</p>
<p>VTI-configured servers (OS CentOS7 updated) according to <a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN</a>.
It works.</p>
<p>Pure IPSec. (without L2TPs)<br>
</p>
<p><br>
</p>
<p>But periodically customers (dynamic) possess the same subnet.</p>
<p>There is another guide <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://strongswan.org/testing/testresults4/ikev2/nat-two-rw-mark/index.html">https://strongswan.org/testing/testresults4/ikev2/nat-two-rw-mark/index.html</a>
<br>
</p>
<p>It's not convenient for me this static solution (customers
now approximately 15 and names can be changed).</p>
<p><br>
</p>
<p>Tried to follow <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://wiki.strongswan.org/projects/strongswan/wiki/Connmark">https://wiki.strongswan.org/projects/strongswan/wiki/Connmark</a>
... recompile with --enable-connmark</p>
<p>Very simple implementation ... but for unknown for me reasons
it has not worked out.</p>
<p>Tried standard CentOS7 (3.10.0-514.6.1.el7.x86_64) kernel and
4.9.5-1.el7.elrepo.x86_64 keeping in mind that<br>
</p>
<p>"<em><strong>Disclaimer:</strong> VTI devices are supported
since the Linux 3.6 kernel, but some important changes were
added later (3.15+). The information below might not be
accurate for older kernel versions.</em>"</p>
<p><br>
</p>
<p>The question: may someone knows the way how to configure
marks "on fly", per customer.</p>
<p><br>
</p>
<pre>--
Best regards
Oleksandr
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a moz-do-not-send="true" class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a moz-do-not-send="true" class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
<br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a>
<a class="moz-txt-link-freetext" href="https://lists.strongswan.org/mailman/listinfo/users">https://lists.strongswan.org/mailman/listinfo/users</a></pre>
</blockquote>
<br>
</body>
</html>