[strongSwan] Multiple tunnels between same peer

Meera Sudhakar mira.sudhakar at gmail.com
Wed May 25 11:05:49 CEST 2011


Hi Martin,

Sorry for the late response. I was caught up with some other tasks and did
not get time to work on this.

As you mentioned, my IPs did not match initially. Now they do, and I see
that encrypted traffic is passing between the end points. But I see that all
the traffic uses tunnel 2 and not tunnel 1 (going by the SPI). Do you have
any idea why this happens?

Also, I tried to look into the "mark" option you had mentioned, but somehow
I couldn't get any clear info. All I got is that ipsec.conf.5 has the parameters
"mark", "mark_in" and "mark_out", and that these set xfrm marks on the SAs. The
iptables are automatically updated. But I could not find any info on how to
use them. Is there any link you can share? Some examples from the strongSwan
website (http://www.strongswan.org/uml/testresults/ikev2/rw-mark-in-out/)
showed me that they are used as below in the ipsec.conf of the peer:

conn alice
 rightid=alice@strongswan.org
 mark_in=10/0xffffffff
 mark_out=11/0xffffffff
 also=sun
 auto=add
conn venus
 rightid=@venus.strongswan.org
 mark_in=20  #0xffffffff is used by default
 mark_out=21 #0xffffffff is used by default
 also=sun
 auto=add

But I would like to know what these values mean (10, 11, 20, 21) and how
they help in sending traffic through a particular tunnel only. I need to try
and set up multiple tunnels, and then send traffic through each one of them,
and then all of them together, in order to compare performances.

I'd really appreciate some help on this.

Thanks and regards,
Meera

On Wed, May 4, 2011 at 1:57 PM, Martin Willi <martin at strongswan.org> wrote:

>
> > When I try to ping one peer from the other, the packets go across
> > without encryption. In other words, it does not go through either
> > tunnel.
>
> Does your ping use the correct addresses to match your tunnel
> (192.168.10.0/24 === 172.16.10.0/24)?
>
> > can I specify which tunnel should be used for what?
>
> Why do you use two tunnels in the first place?
>
> You can use Netfilter firewall marks to tag traffic using IPtables for a
> specific tunnel. Have a look at the "mark" option in ipsec.conf.5.
>
> Regards
> Martin
>
>
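As an added, constructed illustration of Martin's suggestion (not code from this thread or from strongSwan), here is how mark values like the ones in the config above become the iptables rules that steer each direction of two same-peer tunnels. The gateway addresses, subnets, iperf ports, mark values and the sample "ip xfrm state" output are all assumed.

```shell
#!/bin/sh
# Added example, not from this thread or from strongSwan. Assumed ipsec.conf
# on gateway 192.168.10.1 (peer 192.168.10.2): two conns with identical
# selectors, "conn tun1 ... mark=11" and "conn tun2 / also=tun1 / mark=21"
# (mark=N is mark_in=N plus mark_out=N with mask 0xffffffff). The value is
# just a Netfilter fwmark that strongSwan stamps on the SAs and policies it
# installs (visible in "ip xfrm policy"): a packet can use tun1 only if it
# already carries fwmark 11, and only an iptables rule sets that.
set -eu
PEER=192.168.10.2; LOCAL_NET=10.1.0.0/24; REMOTE_NET=10.2.0.0/24
# Outbound: pick the tunnel by selector (iperf port 5001 -> tun1, 5002 ->
# tun2; run both streams at once to load both tunnels). PREROUTING covers
# forwarded traffic; locally generated traffic needs the same rule in OUTPUT.
outbound_rules() {
  for pair in "5001 11" "5002 21"; do
    set -- $pair
    printf 'iptables -t mangle -A PREROUTING -s %s -d %s -p tcp --dport %s -j MARK --set-mark %s\n' \
      "$LOCAL_NET" "$REMOTE_NET" "$1" "$2"
  done
}
# Inbound: the SA lookup for an arriving ESP packet checks the fwmark too, and
# only the SPI tells the tunnels apart, so derive one rule per inbound SA from
# "ip xfrm state" output on stdin (re-run after a rekey, since SPIs change).
inbound_rules() {
  inbound=0; spi=
  while read -r line; do
    case "$line" in
      "src $PEER dst "*) inbound=1 ;;
      src*)              inbound=0 ;;
      "proto esp spi "*) spi=${line#"proto esp spi "}; spi=${spi%% *} ;;
      mark*)
        [ "$inbound" = 1 ] && [ -n "$spi" ] || continue
        m=${line#"mark "}; m=${m%%/*}
        printf 'iptables -t mangle -A PREROUTING -s %s -p esp -m esp --espspi %d -j MARK --set-mark %d\n' \
          "$PEER" "$((spi))" "$((m))" ;;
    esac
  done
}
# Constructed sample of "ip xfrm state" output: one outbound and two inbound SAs.
SAMPLE_XFRM_STATE='src 192.168.10.1 dst 192.168.10.2
  proto esp spi 0x30000003 reqid 1 mode tunnel
  mark 0xb/0xffffffff
src 192.168.10.2 dst 192.168.10.1
  proto esp spi 0x10000001 reqid 1 mode tunnel
  mark 0xb/0xffffffff
src 192.168.10.2 dst 192.168.10.1
  proto esp spi 0x20000002 reqid 2 mode tunnel
  mark 0x15/0xffffffff'
outbound_rules                                       # dry run: print, do not apply
printf '%s\n' "$SAMPLE_XFRM_STATE" | inbound_rules
```

The script only prints the rules; pipe its output into sh on the gateway (after feeding it the real `ip xfrm state` output) to apply them, and check `ip xfrm policy` to confirm each policy carries the expected mark.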