[strongSwan] Multiple tunnels between same peer

Andreas Steffen andreas.steffen at strongswan.org
Wed Jul 13 14:59:42 CEST 2011 

Hi Meera,

try to set the marks in the PREROUTING chain as in my DiffServ
example scenario:

http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log

And follow Martin's recommendation to use the same marks in the
inbound and outbound direction.

Regards

Andreas

On 13.07.2011 12:45, Meera Sudhakar wrote:
> Hi Martin,
>  
> Well I'm not exactly sure how but it does not seem to have any problem
> in sending the packets correctly. When there is no marking, the packets
> go just fine with the values I have given for the subnets (the ones
> you've pasted in your mail). So I thought this wouldn't be a problem.
>  
> Pasting a part of tcpdump here when tunnels are created without marking:
> 23:10:20.699173 IP 192.168.255.77 > 192.168.255.75
> <http://192.168.255.75>: ESP(spi=0xc1862a7a,seq=0x3b), length 164
> 23:10:21.699124 IP 192.168.255.75 > 192.168.255.77
> <http://192.168.255.77>: ESP(spi=0xc5d25503,seq=0x3c), length 164
> # ipsec status
> Security Associations:
>      tunnel1[2]: ESTABLISHED 5 minutes ago, 192.168.255.77[C=CH,
> O=strongSwan, CN=192.168.255.77]...192.168.255.75[C=CH, O=strongSwan,
> CN=192.168.255.75]
>      tunnel1{1}:  INSTALLED, TUNNEL, ESP SPIs: c5d25503_i c1862a7a_o
>      tunnel1{1}:   192.168.255.0/24 <http://192.168.255.0/24> ===
> 192.168.255.0/24 <http://192.168.255.0/24>
> Also, replacing mark_in and mark_out with mark in ipsec.conf still gives
> the same result. I shall see if there is anything else I can do though.
>  
> Thanks and regards,
> Meera
> 
> On Wed, Jul 13, 2011 at 12:58 PM, Martin Willi <martin at strongswan.org
> <mailto:martin at strongswan.org>> wrote:
> 
>     Hi,
> 
>     >         leftsubnet=192.168.255.0/24 <http://192.168.255.0/24>
>     >         rightsubnet=192.168.255.0/24 <http://192.168.255.0/24>
> 
>     How should the routing work if you have the same subnet on both ends of
>     the tunnel? Where should a gateway send such packets to?
> 
>     >         mark_in=11
>     >         mark_out=10
> 
>     Using the same mark for in and out is probably simpler, you can set both
>     marks by using:
> 
>              mark=10
> 
>     Regards
>     Martin
> 
> 
> 
> 
> 
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users


-- 
======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==

More information about the Users mailing list