[strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

Andreas Steffen andreas.steffen at strongswan.org
Tue Nov 15 06:37:07 CET 2011


Hello,

you define only mark 10 but not mark 20. No traffic will go through
the tunnel without a mark (either 10 or 20) set.

Regards

Andreas

On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> Hi,
>  
> My aim is to create two IPsec tunnels using strongSwan between two
> end-points, each having a different dscp marking (like say EF, BE, AF31
> etc). Right now, I see that when I set the dscp marking as BE (default),
> the traffic goes through the designated IPsec tunnel. When I use
> anything else, the traffic reaches the other end-point in plain-text
> (there is no encryption). I tried referring to your example in
> http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
> I see that you are able to send encrypted traffic with dscp marking EF
> and BE. I believe that the reason dscp-marked traffic does not flow
> through a tunnel could be because the tunnel does not have the
> 'capability' to handle that particular dscp-marking. Could you please
> let me know if this is the case, and also if there is anything I need to
> change (kernel version, strongSwan version, config file) to get this
> working. I have pasted the details of my end-points below, with dscp set
> to EF:
>  
> linux kernel version on both end-points: 2.6.35
> strongSwan version on both end-points: 4.5.2-1
>  
> _End-point1:_
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         #plutostderrlog=/var/log/syslog
>         # plutodebug=control
>         # crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         charondebug=control
>         plutostart=no
> # Add connections here.
> 
> ca strongswan
>         cacert=caCert.der
>         auto=add
> conn %default
>         type=tunnel
>         left=169.254.0.70
>         leftcert=VC1Cert.der
>         right=169.254.1.70
>         #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
>         keyexchange=ikev2
>         auto=start
> conn tunnel1
>         leftid=@VC1-tunnel1
>         rightid=@VC2-tunnel1
>         leftsubnet=169.254.0.0/24
>         rightsubnet=169.254.1.0/24
>         mark=10
> conn tunnel2
>         leftid=@VC1-tunnel2
>         rightid=@VC2-tunnel2
>         leftsubnet=169.254.0.0/24
>         rightsubnet=169.254.1.0/24
>         mark=20
> 
> # ipsec status
> Security Associations:
>      tunnel1[1]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
>      tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
>      tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
>      tunnel2[2]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
>      tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
>      tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
> 
> # iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> # ping 169.254.1.70
> PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
> 64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
> 64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
> ^C
> --- 169.254.1.70 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
>  
> _End-point 2:_
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         # plutodebug=control
>         # crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         plutostart=no
>         charondebug=control
> # Add connections here.
> 
> ca strongswan
>         cacert=caCert.der
>         auto=add
> conn %default
>         type=tunnel
>         left=169.254.1.70
>         leftcert=VC2Cert.der
>         right=169.254.0.70
>         #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
>         keyexchange=ikev2
>         auto=start
> conn tunnel1
>         leftid=@VC2-tunnel1
>         rightid=@VC1-tunnel1
>         leftsubnet=169.254.1.0/24
>         rightsubnet=169.254.0.0/24
>         mark=10
> conn tunnel2
>         leftid=@VC2-tunnel2
>         rightid=@VC1-tunnel2
>         leftsubnet=169.254.1.0/24
>         rightsubnet=169.254.0.0/24
>         mark=20
> 
> # ipsec status
> Security Associations:
>      tunnel1[3]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
>      tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
>      tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
>      tunnel2[4]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
>      tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
>      tunnel2{4}:   169.254.1.0/24 === 169.254.0.0/24
> 
> # iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> # tcpdump -i eth2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
> 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64
> 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64
> 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64
> 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64
> 
> Could you please let me know if there is anything more I need to do? The
> above works fine only when dscp is set to BE.
>  
> Thanks and regards,
> Meera

======================================================================
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
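Andreas's diagnosis above, as an added example that is not part of the thread and not strongSwan project code: the mangle table posted by Meera sets mark 0xa (decimal 10) for DSCP EF only, so nothing ever carries mark 20 and tunnel2 can never match. The script below prints the rules one end-point needs for both tunnels and then audits a saved "iptables -L -t mangle" listing against the marks declared in ipsec.conf, reporting marks that no rule sets. The EF-to-mark-10 pairing is taken from the posted config; mapping AF31 (DSCP 0x1a) to mark 20 for the second tunnel is an assumption made here for illustration, and the two input files are constructed copies of the posted End-point1 output written to temporary files.

```shell
#!/bin/sh
# Added example, not code from the thread or from strongSwan.
# Assumptions: tunnel1 uses mark=10 for EF (DSCP 0x2e) traffic, as posted;
# tunnel2 uses mark=20 for AF31 (DSCP 0x1a), a hypothetical second class.

DSCP_MARKS="EF:10 AF31:20"   # DSCP class -> connection mark (decimal)

# Print, without running, the mangle rules one end-point needs.  Locally
# generated packets traverse OUTPUT and forwarded packets PREROUTING, so
# both chains get a rule, matching the layout of the posted tables.
mangle_rules() {
    for pair in $DSCP_MARKS; do
        class=${pair%%:*}
        mark=${pair##*:}
        for chain in PREROUTING OUTPUT; do
            printf 'iptables -t mangle -A %s -m dscp --dscp-class %s -j MARK --set-mark %s\n' \
                "$chain" "$class" "$mark"
        done
    done
}

# Marks (decimal) declared by the conn sections of an ipsec.conf.
conf_marks() {
    sed -n 's/^[[:space:]]*mark=\([0-9][0-9]*\).*/\1/p' "$1" | sort -nu
}

# Marks (decimal) that a mangle-table listing actually sets.  iptables -L
# prints the dscp match and the MARK target run together ("0x2eMARK set
# 0xa"), so anchor on "MARK set" and convert the hexadecimal mark.
set_marks() {
    grep -o 'MARK set 0x[0-9a-fA-F]*' "$1" |
        while read -r _ _ hex; do printf '%d\n' "$hex"; done | sort -nu
}

# Marks declared in ipsec.conf that no mangle rule sets: packets intended
# for those tunnels match no IPsec policy and leave the host in clear text.
missing_marks() {
    present=$(set_marks "$2")
    for m in $(conf_marks "$1"); do
        printf '%s\n' "$present" | grep -qx "$m" || printf '%s\n' "$m"
    done
}

# Constructed sample input: the conn sections and mangle listing of
# End-point1 as posted in the thread, saved to temporary files.
SAMPLE_CONF=$(mktemp)
SAMPLE_MANGLE=$(mktemp)
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_MANGLE"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
conn tunnel1
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=10
conn tunnel2
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=20
EOF
cat > "$SAMPLE_MANGLE" <<'EOF'
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
EOF

echo "rules to install:"
mangle_rules
# For the posted tables this reports 20: tunnel2's mark is never set.
echo "marks with no mangle rule: $(missing_marks "$SAMPLE_CONF" "$SAMPLE_MANGLE")"
```

Two things worth checking while debugging this kind of setup: ipsec.conf takes the mark in decimal while iptables -L shows it in hexadecimal (0xa is 10, 0x14 would be 20), so compare the two carefully, and `ip xfrm policy` shows the mark each installed policy requires. Given Andreas's point, a plain `ping` sends DSCP 0 and picks up no mark, so it matches neither policy; `ping -Q 0xb8` (TOS byte for DSCP EF) exercises the mark-10 rule.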