[strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

Meera Sudhakar mira.sudhakar at gmail.com
Tue Nov 15 07:14:04 CET 2011


Hello Andreas,

Yes, I agree with you.

I have first set the following rules in the mangle table on both endpoints:
iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class EF

So with these rules, all traffic passing between the endpoints will be
marked with 10, and will have dscp EF. Since one of my tunnels has been
configured with mark=10 (in ipsec.conf), that means all these packets
should travel through this tunnel. In other words, I am only trying to set
dscp=EF for my first tunnel which has mark=10. I am not using the second
tunnel with mark=20 now. This worked fine when only the marking was given
in the iptables rules, without the dscp. So my understanding is that I can
use any one of the created tunnels at a time. Please correct me if this is
wrong.

Thanks,
Meera


On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:

> Hello,
>
> you define only mark 10 but not mark 20. No traffic will go through
> the tunnel without a mark (either 10 or 20) set.
>
> Regards
>
> Andreas
>
> On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> > Hi,
> >
> > My aim is to create two IPsec tunnels using strongSwan between two
> > end-points, each having a different dscp marking (like say EF, BE, AF31
> > etc). Right now, I see that when I set the dscp marking as BE (default),
> > the traffic goes through the designated IPsec tunnel. When I use
> > anything else, the traffic reaches the other end-point in plain-text
> > (there is no encryption). I tried referring to your example in
> > http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
> > I see that you are able to send encrypted traffic with dscp marking EF
> > and BE. I believe that the reason dscp-marked traffic does not flow
> > through a tunnel could be because the tunnel does not have the
> > 'capability' to handle that particular dscp-marking. Could you please
> > let me know if this is the case, and also if there is anything I need to
> > change (kernel version, strongSwan version, config file) to get this
> > working. I have pasted the details of my end-points below, with dscp set
> > to EF:
> >
> > linux kernel version on both end-points: 2.6.35
> > strongSwan version on both end-points: 4.5.2-1
> >
> > _End-point1:_
> > # cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> >         #plutostderrlog=/var/log/syslog
> >         # plutodebug=control
> >         # crlcheckinterval=600
> >         strictcrlpolicy=no
> >         # cachecrls=yes
> >         # nat_traversal=yes
> >         charonstart=yes
> >         charondebug=control
> >         plutostart=no
> > # Add connections here.
> >
> > ca strongswan
> >         cacert=caCert.der
> >         auto=add
> > conn %default
> >         type=tunnel
> >         left=169.254.0.70
> >         leftcert=VC1Cert.der
> >         right=169.254.1.70
> >         #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
> >         keyexchange=ikev2
> >         auto=start
> > conn tunnel1
> >         leftid=@VC1-tunnel1
> >         rightid=@VC2-tunnel1
> >         leftsubnet=169.254.0.0/24
> >         rightsubnet=169.254.1.0/24
> >         mark=10
> > conn tunnel2
> >         leftid=@VC1-tunnel2
> >         rightid=@VC2-tunnel2
> >         leftsubnet=169.254.0.0/24
> >         rightsubnet=169.254.1.0/24
> >         mark=20
> >
> > # ipsec status
> > Security Associations:
> >      tunnel1[1]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
> >      tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
> >      tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
> >      tunnel2[2]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
> >      tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
> >      tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
> >
> > # iptables -L -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > # ping 169.254.1.70
> > PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
> > 64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
> > 64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
> > ^C
> > --- 169.254.1.70 ping statistics ---
> > 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> > rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
> >
> > _End-point 2:_
> > # cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> >         # plutodebug=control
> >         # crlcheckinterval=600
> >         strictcrlpolicy=no
> >         # cachecrls=yes
> >         # nat_traversal=yes
> >         charonstart=yes
> >         plutostart=no
> >         charondebug=control
> > # Add connections here.
> >
> > ca strongswan
> >         cacert=caCert.der
> >         auto=add
> > conn %default
> >         type=tunnel
> >         left=169.254.1.70
> >         leftcert=VC2Cert.der
> >         right=169.254.0.70
> >         #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
> >         keyexchange=ikev2
> >         auto=start
> > conn tunnel1
> >         leftid=@VC2-tunnel1
> >         rightid=@VC1-tunnel1
> >         leftsubnet=169.254.1.0/24
> >         rightsubnet=169.254.0.0/24
> >         mark=10
> > conn tunnel2
> >         leftid=@VC2-tunnel2
> >         rightid=@VC1-tunnel2
> >         leftsubnet=169.254.1.0/24
> >         rightsubnet=169.254.0.0/24
> >         mark=20
> >
> > # ipsec status
> > Security Associations:
> >      tunnel1[3]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
> >      tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
> >      tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
> >      tunnel2[4]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
> >      tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
> >      tunnel2{4}:   169.254.1.0/24 === 169.254.0.0/24
> >
> > # iptables -L -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > # tcpdump -i eth2
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64
> > 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64
> > 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64
> > 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64
> >
> > Could you please let me know if there is anything more I need to do? The
> > above works fine only when dscp is set to BE.
> >
> > Thanks and regards,
> > Meera
>
> ======================================================================
> Andreas Steffen                         andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
>
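The failure mode discussed in this thread is a coverage gap between the marks a strongSwan conn expects (mark=) and the marks the Netfilter mangle table actually sets: as Andreas points out, a packet whose fwmark matches neither 10 nor 20 is carried by neither tunnel, and the tcpdump above shows such packets leaving in plaintext. Two details matter for the audit: `-m dscp --dscp-class EF` is a match on the code point a packet already carries, not an assignment, and the MARK target sets only the fwmark. The following script is an added example, not code from the thread or from the strongSwan project. It parses an ipsec.conf and the output of `iptables -L -t mangle`, then reports which conn marks are never set by any rule and which DSCP classes therefore leave unmarked. The sample inputs are constructed to mirror the end-point 1 configuration pasted above; the function names are my own.

```python
"""Audit fwmark coverage between strongSwan conn marks and Netfilter mangle rules.

Added example (not from the thread or from strongSwan). Reports conns whose
mark= is never set by a MARK rule, and DSCP classes that no rule marks, so
that packets with those code points match neither tunnel's policy.
"""
import re

# DSCP code points as iptables prints them (hex), per RFC 2474 / 2597 / 3246.
DSCP_CLASSES = {
    "BE": 0x00, "EF": 0x2e,
    "AF11": 0x0a, "AF12": 0x0c, "AF13": 0x0e,
    "AF21": 0x12, "AF22": 0x14, "AF23": 0x16,
    "AF31": 0x1a, "AF32": 0x1c, "AF33": 0x1e,
    "AF41": 0x22, "AF42": 0x24, "AF43": 0x26,
}


def _mark_to_int(text):
    """strongSwan accepts decimal or 0x-hex for mark=; an optional /mask is ignored here."""
    value = text.split("/", 1)[0]
    return int(value, 16) if value.lower().startswith("0x") else int(value, 10)


def parse_conn_marks(ipsec_conf):
    """Return {conn_name: mark} for each conn section that sets mark=."""
    marks = {}
    current = None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                   # unindented: a section header
            header = re.match(r"conn\s+(\S+)", line)
            current = header.group(1) if header else None
            continue
        setting = re.match(r"\s*mark\s*=\s*(\S+)", line)
        if current and setting:
            marks[current] = _mark_to_int(setting.group(1))
    return marks


def parse_mangle_rules(listing):
    """Return [(dscp_or_None, mark)] for each MARK rule in `iptables -L -t mangle` output.

    iptables -L prints match text and target text with no separator
    ("DSCP match 0x2eMARK set 0xa"), so the two fields are pulled out with
    independent regexes instead of splitting on whitespace.
    """
    rules = []
    for line in listing.splitlines():
        if not line.startswith("MARK"):
            continue
        mark = re.search(r"MARK set 0x([0-9a-fA-F]+)", line)
        if not mark:                                # MARK or/and/xor forms are not modelled
            continue
        dscp = re.search(r"DSCP match 0x([0-9a-fA-F]+)", line)
        rules.append((int(dscp.group(1), 16) if dscp else None, int(mark.group(1), 16)))
    return rules


def audit(conn_marks, rules):
    """Report conns whose mark is never set and DSCP classes that no rule marks."""
    marks_set = {mark for _, mark in rules}
    unreachable = {name: mark for name, mark in conn_marks.items() if mark not in marks_set}
    dscp_matched = {dscp for dscp, _ in rules}
    if None in dscp_matched:                        # a rule without a DSCP match marks everything
        unmarked = []
    else:
        unmarked = sorted(name for name, code in DSCP_CLASSES.items() if code not in dscp_matched)
    return {"unreachable_conns": unreachable, "unmarked_dscp_classes": unmarked}


# Constructed sample inputs shaped like the end-point 1 configuration in the thread.
SAMPLE_IPSEC_CONF = """\
conn %default
        keyexchange=ikev2
conn tunnel1
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=10
conn tunnel2
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=20
"""

SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere            DSCP match 0x2eMARK set 0xa
"""

if __name__ == "__main__":
    report = audit(parse_conn_marks(SAMPLE_IPSEC_CONF), parse_mangle_rules(SAMPLE_MANGLE))
    for name, mark in report["unreachable_conns"].items():
        print(f"conn {name}: mark={mark} is never set by any mangle rule")
    if report["unmarked_dscp_classes"]:
        print("DSCP classes that leave unmarked (match no tunnel):",
              ", ".join(report["unmarked_dscp_classes"]))
```

On the sample input the report flags tunnel2 (mark 20 is never set) and lists every class except EF, including BE, as unmarked, which is exactly the plaintext path the ping above took. A rule set that intends to protect all traffic needs either a MARK rule per DSCP class or a final rule without a DSCP match, and the audit returns an empty list in that case.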