[strongSwan] Multiple tunnels between same peer

Meera Sudhakar mira.sudhakar at gmail.com
Wed Jul 13 09:08:32 CEST 2011


Hi Martin,

Sorry for the delay in replying. I didn't get a chance to try this out
for some time.

Thanks for confirming that. I now have two identical tunnels with markings.
I want to send icmp packets (ping) through tunnel 1 and tcp packets through
tunnel 2. Below is an excerpt of ipsec.conf files:

*On peer 1:*
conn tunnel1
        leftsubnet=192.168.255.0/24
        rightsubnet=192.168.255.0/24
        mark_in=11
        mark_out=10
conn tunnel2
        leftsubnet=192.168.255.0/24
        rightsubnet=192.168.255.0/24
        mark_out=20
        mark_in=21

*On peer 2:*
conn tunnel1
        leftsubnet=192.168.255.0/24
        rightsubnet=192.168.255.0/24
        mark_in=10
        mark_out=11
conn tunnel2
        leftsubnet=192.168.255.0/24
        rightsubnet=192.168.255.0/24
        mark_in=20
        mark_out=21

I also made the following entries in iptables:
*On peer 1:*
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 10
iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 20

*On peer 2:*
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 11
iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 21

*ipsec status on peer 1:*
Security Associations:
     tunnel1[1]: ESTABLISHED 3 seconds ago, 192.168.255.75[C=CH,
O=strongSwan, CN=192.168.255.75]...192.168.255.77[C=CH, O=strongSwan,
CN=192.168.255.77]
     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4ffeb30_i c69da46f_o
     tunnel1{3}:   192.168.255.0/24 === 192.168.255.0/24
     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c379ebf9_i c35560b4_o
     tunnel2{4}:   192.168.255.0/24 === 192.168.255.0/24
*ipsec status on peer 2:*
Security Associations:
     tunnel1[2]: ESTABLISHED 9 seconds ago, 192.168.255.77[C=CH,
O=strongSwan, CN=192.168.255.77]...192.168.255.75[C=CH, O=strongSwan,
CN=192.168.255.75]
     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c69da46f_i c4ffeb30_o
     tunnel1{3}:   192.168.255.0/24 === 192.168.255.0/24
     tunnel1{4}:  INSTALLED, TUNNEL, ESP SPIs: c35560b4_i c379ebf9_o
     tunnel1{4}:   192.168.255.0/24 === 192.168.255.0/24

So now I see that I can SEND icmp packets into tunnel 1, and tcp packets
into tunnel 2. The problem is that I am not able to receive an
acknowledgement for any of these packets, or the packets are getting lost
and not being sent through the tunnels. In other words, packets are always
sent in one direction only. Whether I send tcp or icmp, the packets only GO
across. Nothing gets acknowledged. I can see this using tcpdump:

*When I send icmp packets from peer 1 to 2:*
19:36:32.957209 IP 192.168.255.75 > 192.168.255.77:
ESP(spi=0xc69da46f,seq=0x43), length 164
19:36:33.965223 IP 192.168.255.75 > 192.168.255.77:
ESP(spi=0xc69da46f,seq=0x44), length 164
19:36:34.973232 IP 192.168.255.75 > 192.168.255.77:
ESP(spi=0xc69da46f,seq=0x45), length 164
19:36:35.981718 IP 192.168.255.75 > 192.168.255.77:
ESP(spi=0xc69da46f,seq=0x46), length 164
*When I send tcp packets from peer 1 to 2:*
19:40:04.783183 IP 192.168.255.75 > 192.168.255.77:
ESP(spi=0xc35560b4,seq=0x3), length 100
19:40:19.281767 IP 192.168.255.75 > 192.168.255.77:
ESP(spi=0xc35560b4,seq=0x4), length 100
19:40:22.287152 IP 192.168.255.75 > 192.168.255.77:
ESP(spi=0xc35560b4,seq=0x5), length 100

I don't know if I'm missing something here, or if I've even done this right
for that matter. Could you please help me out? I have no clue why the
acknowledgements aren't being sent across. The same thing happens if I try
sending packets from peer 2 to 1 (but it uses the other SPI).

Thanks and regards,
Meera

On Thu, Jun 23, 2011 at 12:44 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi Meera,
>
> > But is it possible to have multiple tunnels between the same endpoints
> > (say between Alice and Sun)? I looked around but couldn't find any
> > particular scenario in the link I've mentioned above. Also, even if it
> > is possible to have more than one tunnel between the same end points,
> > will marking of packets help in differentiation, since the destination
> > address of both tunnels will be the same?
>
> Yes, having two identical IPsec tunnels works if you differentiate them
> with unique marks (or masks). You can use iptables rules to assign one
> of the marks to each packet to select the tunnel to use. If you generate
> traffic locally, you could alternatively use the SO_MARK socket option
> to set the mark.
>
> Regards
> Martin
>
>
>
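Added example (not code from this thread or from the strongSwan project): a small checker that parses the two ipsec.conf excerpts and the mangle rules posted above and verifies the two things a pair of marked tunnels must get right on the outbound path: each conn's mark_out on one peer must equal the same conn's mark_in on the other peer (and vice versa), and every --set-mark value in a peer's OUTPUT rules must be the mark_out of one of that peer's conns, otherwise the marked packet selects no tunnel. The conf and rule strings are the post's own values, embedded as constructed input; the parser is deliberately minimal (conn blocks and key=value lines only, mark given as "mark[/mask]").

```python
"""Consistency check for strongSwan tunnels differentiated by netfilter marks."""
import re

# Constructed input: the ipsec.conf excerpts and mangle rules from the post.
PEER1_CONF = """\
conn tunnel1
        leftsubnet=192.168.255.0/24
        rightsubnet=192.168.255.0/24
        mark_in=11
        mark_out=10
conn tunnel2
        leftsubnet=192.168.255.0/24
        rightsubnet=192.168.255.0/24
        mark_out=20
        mark_in=21
"""
PEER2_CONF = """\
conn tunnel1
        leftsubnet=192.168.255.0/24
        rightsubnet=192.168.255.0/24
        mark_in=10
        mark_out=11
conn tunnel2
        leftsubnet=192.168.255.0/24
        rightsubnet=192.168.255.0/24
        mark_in=20
        mark_out=21
"""
PEER1_RULES = """\
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 10
iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 20
"""
PEER2_RULES = """\
iptables -t mangle -A OUTPUT -p icmp -j MARK --set-mark 11
iptables -t mangle -A OUTPUT -p tcp -j MARK --set-mark 21
"""


def parse_conns(conf):
    """Return {conn name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            conns[current][key] = value
    return conns


def parse_mark(value):
    """mark_in/mark_out take 'mark[/mask]'; return the mark as an int.

    'unique' is assigned by strongSwan at runtime and cannot be checked
    statically, so it is returned as None and skipped by the checks.
    """
    mark = value.split("/", 1)[0]
    return None if mark == "unique" else int(mark, 0)


def parse_mangle_rules(rules):
    """Return [(protocol, mark)] for every rule that sets a mark."""
    found = []
    for line in rules.splitlines():
        m_mark = re.search(r"--set-mark\s+(\S+)", line)
        if not m_mark:
            continue
        m_proto = re.search(r"-p\s+(\S+)", line)
        proto = m_proto.group(1) if m_proto else "any"
        found.append((proto, parse_mark(m_mark.group(1))))
    return found


def route_table(conf, rules):
    """Map each marked protocol to the conn whose mark_out it selects."""
    by_out_mark = {parse_mark(c["mark_out"]): name
                   for name, c in parse_conns(conf).items() if "mark_out" in c}
    return {proto: by_out_mark.get(mark) for proto, mark in parse_mangle_rules(rules)}


def check_pair(conf_a, conf_b, rules_a, rules_b):
    """Return a list of problems; an empty list means the marks are consistent."""
    a, b = parse_conns(conf_a), parse_conns(conf_b)
    problems = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            problems.append(f"{name}: defined on only one peer")
            continue
        # Outbound mark on one side must be the inbound mark on the other.
        for key_a, key_b in (("mark_out", "mark_in"), ("mark_in", "mark_out")):
            if key_a not in a[name] or key_b not in b[name]:
                problems.append(f"{name}: {key_a} (peer A) or {key_b} (peer B) missing")
                continue
            ma, mb = parse_mark(a[name][key_a]), parse_mark(b[name][key_b])
            if None not in (ma, mb) and ma != mb:
                problems.append(f"{name}: peer A {key_a}={ma} but peer B {key_b}={mb}")
    # Every mark set by a mangle rule must select one of that peer's conns.
    for label, conf, rules in (("peer A", conf_a, rules_a), ("peer B", conf_b, rules_b)):
        for proto, conn in route_table(conf, rules).items():
            if conn is None:
                problems.append(f"{label}: -p {proto} rule sets a mark that is no conn's mark_out")
    return problems


if __name__ == "__main__":
    print("peer 1 routes:", route_table(PEER1_CONF, PEER1_RULES))
    print("peer 2 routes:", route_table(PEER2_CONF, PEER2_RULES))
    print("problems:", check_pair(PEER1_CONF, PEER2_CONF, PEER1_RULES, PEER2_RULES) or "none")
```

For the configuration in the post the checker reports no problems and maps icmp to tunnel1 and tcp to tunnel2 on both peers, which matches the SPIs seen in the tcpdump output; it only covers the selection of the outbound SA by mark, which is the part the post shows working, and says nothing about how replies reach the inbound SA.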