[strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel
Meera Sudhakar
mira.sudhakar at gmail.com
Mon Nov 14 08:46:44 CET 2011
Hi,
My aim is to create two IPsec tunnels using strongSwan between two
end-points, each having a different dscp marking (like say EF, BE, AF31
etc). Right now, I see that when I set the dscp marking as BE (default),
the traffic goes through the designated IPsec tunnel. When I use anything
else, the traffic reaches the other end-point in plain-text (there is no
encryption). I tried referring to your example in
http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
I see that you are able to send encrypted traffic with dscp marking EF and
BE. I believe that the reason dscp-marked traffic does not flow through a
tunnel could be because the tunnel does not have the 'capability' to handle
that particular dscp-marking. Could you please let me know if this is the
case, and also if there is anything I need to change (kernel version,
strongSwan version, config file) to get this working. I have pasted the
details of my end-points below, with dscp set to EF:
linux kernel version on both end-points: 2.6.35
strongSwan version on both end-points: 4.5.2-1
*End-point 1:*
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    #plutostderrlog=/var/log/syslog
    # plutodebug=control
    # crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    charondebug=control
    plutostart=no

# Add connections here.

ca strongswan
    cacert=caCert.der
    auto=add

conn %default
    type=tunnel
    left=169.254.0.70
    leftcert=VC1Cert.der
    right=169.254.1.70
    #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
    keyexchange=ikev2
    auto=start

conn tunnel1
    leftid=@VC1-tunnel1
    rightid=@VC2-tunnel1
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=10

conn tunnel2
    leftid=@VC1-tunnel2
    rightid=@VC2-tunnel2
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=20
# ipsec status
Security Associations:
  tunnel1[1]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
  tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
  tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
  tunnel2[2]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
  tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
  tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
# ping 169.254.1.70
PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
^C
--- 169.254.1.70 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
*End-point 2:*
# cat /etc/ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # plutodebug=control
    # crlcheckinterval=600
    strictcrlpolicy=no
    # cachecrls=yes
    # nat_traversal=yes
    charonstart=yes
    plutostart=no
    charondebug=control

# Add connections here.

ca strongswan
    cacert=caCert.der
    auto=add

conn %default
    type=tunnel
    left=169.254.1.70
    leftcert=VC2Cert.der
    right=169.254.0.70
    #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
    keyexchange=ikev2
    auto=start

conn tunnel1
    leftid=@VC2-tunnel1
    rightid=@VC1-tunnel1
    leftsubnet=169.254.1.0/24
    rightsubnet=169.254.0.0/24
    mark=10

conn tunnel2
    leftid=@VC2-tunnel2
    rightid=@VC1-tunnel2
    leftsubnet=169.254.1.0/24
    rightsubnet=169.254.0.0/24
    mark=20
# ipsec status
Security Associations:
  tunnel1[3]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
  tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
  tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
  tunnel2[4]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
  tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
  tunnel2{4}:   169.254.1.0/24 === 169.254.0.0/24
# iptables -L -t mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
# tcpdump -i eth2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64
01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64
01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64
01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64
Could you please let me know if there is anything more I need to do? The
above works fine only when dscp is set to BE.
Thanks and regards,
Meera
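An added check (not part of Meera's post or of strongSwan itself) that reconciles the two halves of this setup: it reads the mark= values from the conn sections of ipsec.conf and the DSCP-to-MARK rules from `iptables -L -t mangle`, then reports, for each DSCP class, which conn (if any) has a mark matching the fwmark that class ends up with. Sample inputs are constructed to mirror the marks and the single EF rule in the post; only conns that set mark= are considered, and the DSCP codepoints used are the standard values for BE, AF31 and EF.

```python
import re

# Constructed sample inputs, modelled on the marks and mangle rules in the post.
IPSEC_CONF = """\
conn %default
    type=tunnel
conn tunnel1
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=10
conn tunnel2
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=20
"""
MANGLE_OUTPUT = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
"""
# Standard DSCP codepoints for the classes named in the post.
DSCP_CLASSES = {"BE": 0x00, "AF31": 0x1a, "EF": 0x2e}

def parse_tunnel_marks(conf):
    """Map each conn that sets mark= to its mark value (any /mask suffix ignored)."""
    marks, conn = {}, None
    for line in conf.splitlines():
        head = re.match(r"^conn\s+(\S+)", line)
        if head:
            conn = head.group(1)
            continue
        opt = re.match(r"^\s+mark\s*=\s*([^/\s]+)", line)
        if opt and conn:
            marks[conn] = int(opt.group(1), 0)  # accepts decimal (10) or hex (0xa)
    return marks

def parse_dscp_marks(mangle):
    """Map DSCP codepoint -> fwmark from 'iptables -L -t mangle' output."""
    rule = re.compile(r"DSCP match (0x[0-9a-fA-F]+)\s+MARK set (0x[0-9a-fA-F]+)")
    return {int(d, 16): int(k, 16) for d, k in rule.findall(mangle)}

def audit(conf, mangle, classes=DSCP_CLASSES):
    """Return {class: conn name or None}; None means no marked conn selects it."""
    by_mark = {mark: name for name, mark in parse_tunnel_marks(conf).items()}
    dscp_to_mark = parse_dscp_marks(mangle)
    # Packets no mangle rule touches keep fwmark 0.
    return {cls: by_mark.get(dscp_to_mark.get(dscp, 0)) for cls, dscp in classes.items()}

if __name__ == "__main__":
    for cls, tunnel in audit(IPSEC_CONF, MANGLE_OUTPUT).items():
        print(f"{cls:5s} -> {tunnel or 'no marked conn matches'}")
```

Run against the real files by replacing the two constructed strings with the contents of /etc/ipsec.conf and the captured `iptables -L -t mangle` output; a class reported as None is one whose packets carry a fwmark that no tunnel policy selects.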