[strongSwan] Multiple tunnels between same peer

Meera Sudhakar mira.sudhakar at gmail.com
Thu Jul 14 13:36:53 CEST 2011


Hi Andreas,

Thanks for the suggestion. I tried it out, but marking in PREROUTING does
not send the packets through the tunnel (tcpdump shows it is not encrypted).

00:24:54.806215 IP 192.168.255.75 > 192.168.255.77: ICMP echo request, id 9330, seq 40, length 64
00:24:55.814320 IP 192.168.255.75 > 192.168.255.77: ICMP echo request, id 9330, seq 41, length 64
00:24:56.822434 IP 192.168.255.75 > 192.168.255.77: ICMP echo request, id 9330, seq 42, length 64

When I set the mark in OUTPUT, I at least see a one-way flow of encrypted
packets (through the tunnel that also has the same marking). There are still
no acknowledgement packets. I saw that it is working fine in the example you
mentioned though.

Do you know of anything else I can try?

Thank you!
Meera

On Wed, Jul 13, 2011 at 6:29 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hi Meera,
>
> try to set the marks in the PREROUTING chain as in my DiffServ
> example scenario:
>
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
>
> And follow Martin's recommendation to use the same marks in the
> inbound and outbound direction.
>
> Regards
>
> Andreas
>
> On 13.07.2011 12:45, Meera Sudhakar wrote:
> > Hi Martin,
> >
> > Well I'm not exactly sure how but it does not seem to have any problem
> > in sending the packets correctly. When there is no marking, the packets
> > go just fine with the values I have given for the subnets (the ones
> > you've pasted in your mail). So I thought this wouldn't be a problem.
> >
> > Pasting a part of tcpdump here when tunnels are created without marking:
> > 23:10:20.699173 IP 192.168.255.77 > 192.168.255.75: ESP(spi=0xc1862a7a,seq=0x3b), length 164
> > 23:10:21.699124 IP 192.168.255.75 > 192.168.255.77: ESP(spi=0xc5d25503,seq=0x3c), length 164
> > # ipsec status
> > Security Associations:
> >      tunnel1[2]: ESTABLISHED 5 minutes ago, 192.168.255.77[C=CH, O=strongSwan, CN=192.168.255.77]...192.168.255.75[C=CH, O=strongSwan, CN=192.168.255.75]
> >      tunnel1{1}:  INSTALLED, TUNNEL, ESP SPIs: c5d25503_i c1862a7a_o
> >      tunnel1{1}:   192.168.255.0/24 === 192.168.255.0/24
> > Also, replacing mark_in and mark_out with mark in ipsec.conf still gives
> > the same result. I shall see if there is anything else I can do though.
> >
> > Thanks and regards,
> > Meera
> >
> > On Wed, Jul 13, 2011 at 12:58 PM, Martin Willi <martin at strongswan.org
> > <mailto:martin at strongswan.org>> wrote:
> >
> >     Hi,
> >
> >     >         leftsubnet=192.168.255.0/24
> >     >         rightsubnet=192.168.255.0/24
> >
> >     How should the routing work if you have the same subnet on both ends of
> >     the tunnel? Where should a gateway send such packets to?
> >
> >     >         mark_in=11
> >     >         mark_out=10
> >
> >     Using the same mark for in and out is probably simpler, you can set both
> >     marks by using:
> >
> >              mark=10
> >
> >     Regards
> >     Martin
> >
>
>
> --
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
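As an added diagnostic (example code written for this thread, not part of strongSwan), the script below cross-references the SPIs reported by `ipsec status` with a tcpdump capture, so that every ESP packet is attributed to a tunnel and direction and any cleartext packet, like the ICMP echo requests quoted above, is flagged; the sample input is constructed from the lines in the thread, with tunnel2 and the unknown SPI invented. Keep in mind that the PREROUTING chain only sees packets arriving on an interface, so pings generated on the gateway itself pass only through OUTPUT, which is one reason a capture can still show unencrypted traffic after marking in PREROUTING alone.

```python
import re
from collections import Counter

# Constructed sample input modelled on the thread: an `ipsec status` excerpt
# (tunnel2 is invented) and a tcpdump capture with one invented unknown SPI.
STATUS = """\
     tunnel1{1}:  INSTALLED, TUNNEL, ESP SPIs: c5d25503_i c1862a7a_o
     tunnel2{2}:  INSTALLED, TUNNEL, ESP SPIs: 0a0b0c0d_i 0d0c0b0a_o
"""
TCPDUMP = """\
23:10:20.699173 IP 192.168.255.77 > 192.168.255.75: ESP(spi=0xc1862a7a,seq=0x3b), length 164
23:10:21.699124 IP 192.168.255.75 > 192.168.255.77: ESP(spi=0xc5d25503,seq=0x3c), length 164
00:24:54.806215 IP 192.168.255.75 > 192.168.255.77: ICMP echo request, id 9330, seq 40, length 64
00:24:55.814320 IP 192.168.255.75 > 192.168.255.77: ESP(spi=0xdeadbeef,seq=0x1), length 164
"""
# CHILD_SA line of `ipsec status`: name{id}: INSTALLED, ..., ESP SPIs: <in>_i <out>_o
SA_RE = re.compile(r"^\s*(\S+?)\{\d+\}:\s+INSTALLED,.*SPIs:\s+([0-9a-f]+)_i\s+([0-9a-f]+)_o")
PKT_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")   # tcpdump IP summary line
ESP_RE = re.compile(r"^ESP\(spi=0x([0-9a-f]+),")
def parse_spis(status_text):
    """Map every SPI from `ipsec status` to (connection name, direction)."""
    spis = {}
    for line in status_text.splitlines():
        m = SA_RE.match(line)
        if m:
            name, spi_in, spi_out = m.groups()
            spis[spi_in] = (name, "in")
            spis[spi_out] = (name, "out")
    return spis

def classify(tcpdump_text, spis):
    """Count ESP packets per (tunnel, direction); list cleartext and unknown-SPI packets."""
    counts, findings = Counter(), []
    for line in tcpdump_text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue                     # not an IP summary line
        ts, src, dst, rest = m.groups()
        esp = ESP_RE.match(rest)
        if esp is None:
            findings.append(f"{ts}: cleartext {src} > {dst}: {rest}")
        elif esp.group(1) in spis:
            counts[spis[esp.group(1)]] += 1
        else:
            findings.append(f"{ts}: ESP with unknown SPI 0x{esp.group(1)} {src} > {dst}")
    return counts, findings
if __name__ == "__main__":
    counts, findings = classify(TCPDUMP, parse_spis(STATUS))
    for (name, direction), n in sorted(counts.items()):
        print(f"{name} {direction}: {n} ESP packet(s)")
    print("\n".join(findings))
```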