[strongSwan] Problem About Dscp Support in scenario of "end to end" tunnel

David Deng david.live.koo at gmail.com
Thu Jul 28 05:44:30 CEST 2011 

Hi Martin and Andreas,

My old friends,  Thanks for you help!

Currently, When I investigate the DSCP support of Strongswan,  I encountered
the following problem.

Firstly, Let me describe the Test Environment we built.

1) we use the end to end mode.
2) we use strongswan based on V4.5.2
3) Topo is:

Server (172.19.2.101, additional ip - 10.0.2.6) <---------> Client
(172.19.2.97)
4) configuration is:
 ---> Client side:
config setup
    strictcrlpolicy=no
    plutostart=no

conn %default
    ike=3des-aesxcbc-modp1024!
    esp=3des-aesxcbc!
    ikelifetime=24h
    keyexchange=ikev2

conn rw-eapaka
    left=172.19.2.99
    leftsubnet=192.168.253.0/24
    leftid=yyy.femtoforum.org
    leftcert=/etc/ipsec.d/certs/segw.pem
    leftfirewall=yes
    lefthostaccess=yes
    right=%any
    rightid=xxx.femtoforum.org
    rightcert=/etc/ipsec.d/certs/hnodeb.pem
    rightsendcert=never
    rightsourceip=10.0.2.3
    auto=start


---> server side
config setup
    strictcrlpolicy=no
    plutostart=no

conn %default
    ikelifetime=24h
    keylife=60m
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=20m

conn FAP0
    left=172.19.2.101
    leftsourceip=%config
    leftid=xxx.femtoforum.org
    leftcert=/etc/ipsec.d/certs/hnodeb.pem
    mark=10
    right=172.19.2.97
    rightsubnet=0.0.0.0/0
    rightid=yyy.femtoforum.org
    rightcert=/etc/ipsec.d/certs/segw.pem
    auto=add
5) iptable rules setting:  (set in two sides)
iptables -F
iptables -X
iptables -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT

iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp 10
iptables -t mangle -A OUTPUT -p icmp -m dscp --dscp 10 -j MARK --set-mark 10



Test Result:

1)  tunnel can be established successfully
[IKE] assigning virtual IP 10.0.2.3 to peer 'xxx.femtoforum.org'
[IKE] CHILD_SA FAP0{1} established with SPIs c7b51e9f_i c7e26a4a_o and TS
0.0.0.0/0 === 10.0.2.3/32

2)  when we initiate one ping from server side
# ping 10.0.2.3

we can see the ESP package which is icmp request, but we can't found any
response from peer.

Can you both give me some clue to find the root cause of this problem?
Thanks!

Look forward for your answer!


Best wishes,
David
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20110728/004030e1/attachment.html>

More information about the Users mailing list