[strongSwan] strongswan routing

Andreas Steffen andreas.steffen at strongswan.org
Thu Jun 16 10:01:37 CEST 2011


Yeah, the marks should show up both in the IPsec policies and
the IPsec SAs as in this example:

http://www.strongswan.org/uml/testresults45/ikev2/net2net-same-nets/sun.ip.policy

You can send me your updown script but because I'm abroad right now
I won't have time to look at it before Monday.

Regards

Andreas

On 06/15/2011 04:51 PM, Alexandre Chapellon wrote:
> Thanks Andreas.
>
> It now works as expected.
> The only thing is when doing ip xfrm policy ls I can't see any reference
> to the mark specified by mark_in (I have no mark_out).
>
> ip -s xfrm policy ls
> src 172.17.2.0/24 dst 172.20.16.0/24 uid 0
> dir fwd action allow index 27594 priority 1760 ptype main share any flag
> (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2011-06-15 16:43:58 use 2011-06-15 16:44:01
> tmpl src 77.205.210.149 dst 217.112.53.229
> proto esp spi 0x00000000(0) reqid 12(0x0000000c) mode tunnel
> level required share any
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 172.17.2.0/24 dst 172.20.16.0/24 uid 0
> dir in action allow index 27584 priority 1760 ptype main share any flag
> (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2011-06-15 16:43:58 use -
> tmpl src 77.205.210.149 dst 217.112.53.229
> proto esp spi 0x00000000(0) reqid 12(0x0000000c) mode tunnel
> level required share any
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 172.20.16.0/24 dst 172.17.2.0/24 uid 0
> dir out action allow index 27577 priority 1760 ptype main share any flag
> (0x00000000)
> lifetime config:
> limit: soft (INF)(bytes), hard (INF)(bytes)
> limit: soft (INF)(packets), hard (INF)(packets)
> expire add: soft 0(sec), hard 0(sec)
> expire use: soft 0(sec), hard 0(sec)
> lifetime current:
> 0(bytes), 0(packets)
> add 2011-06-15 16:43:58 use 2011-06-15 16:44:01
> tmpl src 217.112.53.229 dst 77.205.210.149
> proto esp spi 0x00000000(0) reqid 12(0x0000000c) mode tunnel
> level required share any
> enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src ::/0 dst ::/0 uid 0
> ...
>
> Does it mean any packet matching the policy but without the mark would
> match the policy? Or is it that marks are not visible with ip xfrm policy ls?
> If the latter is true, how can I ensure the mark is part of the policy?
>
> Best regards.
>
> P.S: Do you mind if I send my ifupdown script for kind of a validation
> from you?
>
> On 15/06/2011 09:29, Andreas Steffen wrote:
>> Hello Alexandre,
>>
>> your configuration should look like this:
>>
>> conn customer1
>>     rightid=<customer 1 ID>
>>     leftsubnet=<VLAN1>
>>     mark=10
>>     also=gateway
>>     auto=add
>>
>> conn customer2
>>     rightid=<customer 2 ID>
>>     leftsubnet=<VLAN2>
>>     mark=20
>>     also=gateway
>>     auto=add
>>
>> conn gateway
>>     right=%any
>>     left=<gateway IP or %any>
>>     leftcert=<gateway cert>
>>     leftid=<gateway ID>
>>     leftupdown=/etc/mark_updown
>>
>> assuming that your clients have dynamic IP addresses so
>> that you must resort to the peer ID to identify the clients.
>> You then need a customized mark_updown script which uses
>> NETMAP to translate the peer networks based on the peer
>> identities. You can start from the following script:
>>
>> http://git.strongswan.org/?p=strongswan.git;a=blob;f=testing/tests/ikev2/net2net-same-nets/hosts/sun/etc/mark_updown;h=c64158a2f876e79ae2f43c4342d3c2956b483a9d;hb=HEAD
>>
>>
>> although the scenario is slightly different.
>>
>> Regards
>>
>> Andreas
>>
>> On 06/13/2011 03:10 PM, Alexandre Chapellon wrote:
>>> Here is something concrete:
>>>
>>>
>>> | customer1 LAN |  ipsectun1                  VLAN1
>>> |_192.168.1/24__|============| STRONGSWAN |----------|_customer1_hosted_|
>>>                              |            |
>>>                              |    VPN     |
>>>                              |            |
>>> | 192.168.1/24  |============|__GATEWAY___|----------|_customer2_hosted_|
>>> |_customer2_LAN_|  ipsectun2                  VLAN2
>>>
>>>
>>>
>>> Should be better... hopefully.

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
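
One way to check that every installed IPsec policy carries the expected mark, as asked in the thread; this is an added example, not code from the thread or from the strongSwan project. It assumes `ip xfrm policy` prints a policy's mark as a `mark VALUE/MASK` line (value in decimal or hex, depending on the iproute2 version); the sample output and the function names are constructed for illustration.

```python
import re

SELECTOR = re.compile(r"^src (\S+) dst (\S+)")
DIRECTION = re.compile(r"^dir (in|out|fwd)\b")
# Assumed mark line format: "mark 10/0xffffffff" or "mark 0xa/0xffffffff".
MARK = re.compile(r"^mark (0x[0-9a-fA-F]+|\d+)/(0x[0-9a-fA-F]+)")

# Constructed sample of `ip xfrm policy` output (not captured from a real gateway).
SAMPLE = """\
src 10.1.0.0/24 dst 10.2.0.0/24
    dir in priority 1760 ptype main
    mark 10/0xffffffff
    tmpl src 192.0.2.1 dst 198.51.100.1
src 10.1.0.0/24 dst 10.2.0.0/24
    dir fwd priority 1760 ptype main
    mark 0xa/0xffffffff
    tmpl src 192.0.2.1 dst 198.51.100.1
src 10.2.0.0/24 dst 10.1.0.0/24
    dir out priority 1760 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
src ::/0 dst ::/0
    socket in priority 0 ptype main
"""

def parse_policies(text):
    """Return one dict per policy: src, dst, dir and mark as (value, mask) or None."""
    policies = []
    for raw in text.splitlines():
        line = raw.strip()  # tolerate output whose indentation was lost
        sel = SELECTOR.match(line)
        if sel:  # "tmpl src ..." lines do not match: they start with "tmpl"
            policies.append({"src": sel.group(1), "dst": sel.group(2),
                             "dir": None, "mark": None})
        elif policies:
            cur = policies[-1]
            d, m = DIRECTION.match(line), MARK.match(line)
            if d:
                cur["dir"] = d.group(1)
            if m:
                cur["mark"] = (int(m.group(1), 0), int(m.group(2), 0))
    return policies

def policies_missing_mark(text, expected):
    """Tunnel policies (dir in/out/fwd) whose mark is absent or differs from expected."""
    # Per-socket policies are printed with "socket" instead of "dir" and are skipped.
    return [p for p in parse_policies(text)
            if p["dir"] and (p["mark"] is None or p["mark"][0] != expected)]
```

On a gateway, feed it the text returned by `ip xfrm policy`; a policy it reports has no mark selector, so it is not restricted to marked packets.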



