[strongSwan] Multiple tunnels between same peer

Meera Sudhakar mira.sudhakar at gmail.com
Wed Jul 13 12:45:48 CEST 2011


Hi Martin,

Well I'm not exactly sure how but it does not seem to have any problem in
sending the packets correctly. When there is no marking, the packets go just
fine with the values I have given for the subnets (the ones you've pasted in
your mail). So I thought this wouldn't be a problem.

Pasting a part of tcpdump here when tunnels are created without marking:

23:10:20.699173 IP 192.168.255.77 > 192.168.255.75: ESP(spi=0xc1862a7a,seq=0x3b), length 164
23:10:21.699124 IP 192.168.255.75 > 192.168.255.77: ESP(spi=0xc5d25503,seq=0x3c), length 164

# ipsec status
Security Associations:
     tunnel1[2]: ESTABLISHED 5 minutes ago, 192.168.255.77[C=CH, O=strongSwan, CN=192.168.255.77]...192.168.255.75[C=CH, O=strongSwan, CN=192.168.255.75]
     tunnel1{1}:  INSTALLED, TUNNEL, ESP SPIs: c5d25503_i c1862a7a_o
     tunnel1{1}:   192.168.255.0/24 === 192.168.255.0/24

Also, replacing mark_in and mark_out with mark in ipsec.conf still gives the
same result. I shall see if there is anything else I can do though.

Thanks and regards,
Meera

On Wed, Jul 13, 2011 at 12:58 PM, Martin Willi <martin at strongswan.org> wrote:

> Hi,
>
> >         leftsubnet=192.168.255.0/24
> >         rightsubnet=192.168.255.0/24
>
> How should the routing work if you have the same subnet on both ends of
> the tunnel? Where should a gateway send such packets to?
>
> >         mark_in=11
> >         mark_out=10
>
> Using the same mark for in and out is probably simpler, you can set both
> marks by using:
>
>          mark=10
>
> Regards
> Martin
>
>
>