<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>No one?<br>
<br>
I also found the below when googling:<br>
<br>
Summary:<br>
For marks to work correctly, you need to:<br>
*Mark esp packets or espinudp packets in *mangle PREROUTING or *mangle INPUT.<br>
*Mark traffic that is just forwarded on the box in *mangle POSTROUTING<br>
*Mark traffic that originates from the box in *mangle OUTPUT<br>
<br>
This doesn't seem completely right on my gateway. For instance, for
traffic originating from the gateway both mangle OUTPUT and
POSTROUTING need the MARK target, and for forwarding traffic from
other clients mangle PREROUTING is needed (both for the ESP/ESPINUDP
packets from the peer and for the local subnets that are forwarded).
mangle FORWARD doesn't seem to have any effect at all.<br>
However, I seem to have problems making this work with a
0.0.0.0/0 == 0.0.0.0/0 TS. As long as leftsubnet is e.g. 10.1.1.0/26
(one of the local subnets) it works, but as soon as I change it to
0.0.0.0/0 it stops working (only the actual gateway can get traffic
through then). I don't really understand why though...<br>
</p>
<br>
<div class="moz-cite-prefix">Den 2017-08-20 kl. 12:16, skrev Dusan
Ilic:<br>
</div>
<blockquote type="cite"
cite="mid:48d49af2-af95-5b55-b6a2-b2cd49c405e0@comhem.se">This
works when pinging between clients
<br>
<br>
TS 10.1.1.0/26 == 10.0.0.0/24 [mark=10]
<br>
TS 10.1.1.0/26 == 0.0.0.0/0 [mark=10]
<br>
<br>
This doesn't work when pinging between clients
<br>
<br>
TS 0.0.0.0/0 == 0.0.0.0/0 [mark=10]
<br>
<br>
Below is the IPtable-rules
<br>
<br>
iptables -t mangle -A PREROUTING -i vlan847 -p udp --sport 4500 -s
x.x.x.x -d x.x.x.x -j MARK --set-mark 10
<br>
iptables -t mangle -A PREROUTING -i br0 -s 10.1.1.0/26 -d
10.0.0.0/24 -j MARK --set-mark 10
<br>
iptables -t mangle -A OUTPUT -o vlan847 -s 10.1.1.0/26 -d
10.0.0.0/24 -j MARK --set-mark 10
<br>
iptables -t mangle -A POSTROUTING -o vlan847 -s 10.1.1.0/26 -d
10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j MARK
--set-mark 10
<br>
<br>
It seems to work as long as the local TS is not leftsubnet=0.0.0.0/0.
<br>
Does anyone know why?
<br>
Pinging between the IPsec gateways works in each scenario.
<br>
<br>
<br>
Den 2017-08-19 kl. 03:30, skrev Dusan Ilic:
<br>
<blockquote type="cite">
<br>
Some updates, if I change the tunnel that is not working from
0.0.0.0 == 10.0.0.0/24 to 10.1.1.0/26 == 10.0.0.0/24 all starts
working, together with the 0.0.0.0 tunnel and also the pings
from the clients work. I feel like I'm doing something wrong?
<br>
I would like leftsubnet to be 0.0.0.0, so that I can mark
whatever local network I want to route through that tunnel to
10.0.0.0/24, and also at the 10.0.0.0/24 network there is a VTI
setup with TS 0.0.0.0/0 == 0.0.0.0/0, if I change leftsubnet on
this side to 10.1.1.0/26 that won't work from the other side.
<br>
<br>
So why does it interfere with one tunnel 0.0.0.0/0 == 0.0.0.0/0
[mark=10] and another tunnel 10.1.1.10/26 == 0.0.0.0/0 without
any marks?
<br>
<br>
<br>
Den 2017-08-19 kl. 03:01, skrev Dusan Ilic:
<br>
<blockquote type="cite">Hi!
<br>
<br>
I'm trying out some things and have two problems.
<br>
<br>
1. I'm having "mark=10" in the connection definition in
ipsec.conf, and left/right 0.0.0.0/0. With the below iptables
rules I can ping between the two IPsec gateways, but I cannot
ping from other clients behind the gateways or from the
gateways to clients behind the other gateway.
<br>
<br>
iptables -t mangle -A PREROUTING -i vlan847 -p udp --sport
4500 -s x.x.x.x -d x.x.x.x -j MARK --set-mark 10
<br>
iptables -t mangle -A OUTPUT -o vlan847 -s 10.1.1.0/26 -d
10.0.0.0/24 -j MARK --set-mark 10
<br>
iptables -t mangle -A FORWARD -i br0 -o vlan847 -s
10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
<br>
iptables -t mangle -A FORWARD -o br0 -i vlan847 -d
10.1.1.0/26 -s 10.0.0.0/24 -j MARK --set-mark 10
<br>
iptables -t mangle -A POSTROUTING -o vlan847 -s 10.1.1.0/26 -d
10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j
MARK --set-mark 10
<br>
<br>
Reference:
<a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Marks-on-Linux">https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Marks-on-Linux</a><br>
<br>
Maybe you see what I'm doing wrong?
<br>
<br>
2. I have a couple of tunnels active, one of which has
rightsubnet=0.0.0.0. So I'm sending all internet traffic from
one gateway to another, but when I'm doing this one other
specific tunnel stops responding. When I disable the 0.0.0.0
tunnel, it starts responding. It's like that specific tunnel's
rightsubnet is ignored and it is going through the 0.0.0.0 tunnel,
while other active tunnels work.
<br>
The only special thing about the tunnel that doesn't work is
that it's a VTI on the other endpoint, and on the local side
the TS is 0.0.0.0/0 == 10.0.0.0/24, while the other tunnels
are 10.1.1.0/26 == [some other subnet]. So when the 0.0.0.0
tunnel is enabled, pings to the 10.0.0.0/24 network time out, but
they work to other subnets, and when I disable the 0.0.0.0
tunnel the pings start working again.
<br>
Any ideas?
<br>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
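<p>As an added example that is not part of the original thread, the following Python models the mangle chains a packet traverses on the gateway and applies the iptables rules quoted above, so one can check which packets (a client in 10.1.1.0/26, a client in another local subnet, the peer's ESP-in-UDP stream, the gateway's own traffic) end up carrying mark 10. The packet dicts, the chain paths and the <code>pol="ipsec"</code> attribute standing in for <code>-m policy --dir out --pol ipsec</code> are constructed assumptions, and the peer addresses elided as x.x.x.x in the post are not matched:</p>

```python
# Added example, not from the original post: a small model of the netfilter
# mangle chains a packet traverses, to check which of the quoted rules would
# assign mark 10.  Rules, interfaces and subnets come from the thread.
from ipaddress import ip_address, ip_network

# (chain, match criteria, mark) transcribed from the quoted iptables rules;
# "-m policy --dir out --pol ipsec" is modelled as the attribute pol="ipsec".
RULES = [
    ("PREROUTING", {"in": "vlan847", "proto": "udp", "sport": 4500}, 10),
    ("PREROUTING", {"in": "br0", "src": "10.1.1.0/26", "dst": "10.0.0.0/24"}, 10),
    ("OUTPUT", {"out": "vlan847", "src": "10.1.1.0/26", "dst": "10.0.0.0/24"}, 10),
    ("POSTROUTING", {"out": "vlan847", "src": "10.1.1.0/26", "dst": "10.0.0.0/24",
                     "pol": "ipsec"}, 10),
]

PATHS = {  # mangle chains visited, by the packet's path through the box
    "forward": ["PREROUTING", "FORWARD", "POSTROUTING"],  # traffic from clients
    "input": ["PREROUTING", "INPUT"],                     # ESP/ESP-in-UDP from the peer
    "output": ["OUTPUT", "POSTROUTING"],                  # traffic from the gateway
}

def matches(match, pkt):  # True when every rule criterion holds for the packet
    for key, want in match.items():
        have = pkt.get(key)
        if key in ("src", "dst"):
            if have is None or ip_address(have) not in ip_network(want):
                return False
        elif have != want:
            return False
    return True

def mark_for(pkt):
    """fwmark the packet carries after its path, or 0 if no MARK rule hit."""
    mark = 0
    for chain in PATHS[pkt["path"]]:
        for rule_chain, match, value in RULES:
            if rule_chain == chain and matches(match, pkt):
                mark = value  # MARK is non-terminating: the last match wins
    return mark

# Constructed samples (assumed addresses): two clients, the peer, the gateway.
SAMPLES = {
    "client 10.1.1.5 -> 10.0.0.7": {"path": "forward", "in": "br0", "out": "vlan847", "src": "10.1.1.5", "dst": "10.0.0.7"},
    "client 10.1.2.5 -> 10.0.0.7": {"path": "forward", "in": "br0", "out": "vlan847", "src": "10.1.2.5", "dst": "10.0.0.7"},
    "peer ESP-in-UDP": {"path": "input", "in": "vlan847", "proto": "udp", "sport": 4500},
    "gateway 10.1.1.1 -> 10.0.0.7": {"path": "output", "out": "vlan847", "src": "10.1.1.1", "dst": "10.0.0.7"},
}
if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: mark {mark_for(pkt)}")
```

<p>The second sample shows that, with the rules as quoted, a client outside 10.1.1.0/26 receives no mark on this box, which is the case a 0.0.0.0/0 leftsubnet is meant to cover.</p>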
</body>
</html>