[strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel
Andreas Steffen
andreas.steffen at strongswan.org
Tue Nov 15 09:47:36 CET 2011
Hello Meera,
you must differentiate between setting the DSCP value in the TOS
field of the IP packets at the origin of the end-to-end IP route
and marking these packets when they enter the VPN gateway and are
ready to be tunneled via IPsec. These are two totally different
tasks. Have a look at our demo example:
http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
            DSCP set-->                                  <-- DSCP set
alice ------ gw moon ================ gw sun --------- bob
                     MARK set-->    IPsec    <--Mark set
1) Setting the DSCP value in the TOS field of IP packet at the
IP route end points alice and bob:
alice# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
bob# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
2) Setting a MARK by the VPN gateways moon and sun depending on the
DSCP value detected in the inbound plaintext IP packets:
moon# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \
      -j MARK --set-mark 10
sun#  iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \
      -j MARK --set-mark 10
Regards
Andreas
On 11/15/2011 07:14 AM, Meera Sudhakar wrote:
> Hello Andreas,
> Yes, I agree with you.
> I have first set the following rules in the mangle table on both endpoints:
> iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
> iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class EF
> So with these rules, all traffic passing between the endpoints will be
> marked with 10, and will have dscp EF. Since one of my tunnels has been
> configured with mark=10 (in ipsec.conf), that means all these packets
> should travel through this tunnel. In other words, I am only trying to
> set dscp=EF for my first tunnel which has mark=10. I am not using the
> second tunnel with mark=20 now. This worked fine when only the marking
> was given in the iptables rules, without the dscp. So my understanding
> is that I can use any one of the created tunnels at a time. Please
> correct me if this is wrong.
> Thanks,
> Meera
> On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen
> <andreas.steffen at strongswan.org> wrote:
>
> Hello,
>
> you define only mark 10 but not mark 20. No traffic will go through
> the tunnel without a mark (either 10 or 20) set.
>
> Regards
>
> Andreas
>
> On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> > Hi,
> >
> > My aim is to create two IPsec tunnels using strongSwan between two
> > end-points, each having a different dscp marking (like say EF, BE, AF31
> > etc). Right now, I see that when I set the dscp marking as BE (default),
> > the traffic goes through the designated IPsec tunnel. When I use
> > anything else, the traffic reaches the other end-point in plain-text
> > (there is no encryption). I tried referring to your example in
> > http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
> > I see that you are able to send encrypted traffic with dscp marking EF
> > and BE. I believe that the reason dscp-marked traffic does not flow
> > through a tunnel could be because the tunnel does not have the
> > 'capability' to handle that particular dscp-marking. Could you please
> > let me know if this is the case, and also if there is anything I need to
> > change (kernel version, strongSwan version, config file) to get this
> > working. I have pasted the details of my end-points below, with dscp set
> > to EF:
> >
> > linux kernel version on both end-points: 2.6.35
> > strongSwan version on both end-points: 4.5.2-1
> >
> > _End-point1:_
> > # cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> >         #plutostderrlog=/var/log/syslog
> >         # plutodebug=control
> >         # crlcheckinterval=600
> >         strictcrlpolicy=no
> >         # cachecrls=yes
> >         # nat_traversal=yes
> >         charonstart=yes
> >         charondebug=control
> >         plutostart=no
> > # Add connections here.
> >
> > ca strongswan
> >         cacert=caCert.der
> >         auto=add
> > conn %default
> >         type=tunnel
> >         left=169.254.0.70
> >         leftcert=VC1Cert.der
> >         right=169.254.1.70
> >         #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
> >         keyexchange=ikev2
> >         auto=start
> > conn tunnel1
> >         leftid=@VC1-tunnel1
> >         rightid=@VC2-tunnel1
> >         leftsubnet=169.254.0.0/24
> >         rightsubnet=169.254.1.0/24
> >         mark=10
> > conn tunnel2
> >         leftid=@VC1-tunnel2
> >         rightid=@VC2-tunnel2
> >         leftsubnet=169.254.0.0/24
> >         rightsubnet=169.254.1.0/24
> >         mark=20
> >
> > # ipsec status
> > Security Associations:
> > tunnel1[1]: ESTABLISHED 37 seconds ago,
> > 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
> > tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
> > tunnel1{3}: 169.254.0.0/24 === 169.254.1.0/24
> > tunnel2[2]: ESTABLISHED 37 seconds ago,
> > 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
> > tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
> > tunnel2{4}: 169.254.0.0/24 === 169.254.1.0/24
> >
> > # iptables -L -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > # ping 169.254.1.70
> > PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
> > 64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
> > 64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
> > ^C
> > --- 169.254.1.70 ping statistics ---
> > 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> > rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
> >
> > _End-point 2:_
> > # cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> >         # plutodebug=control
> >         # crlcheckinterval=600
> >         strictcrlpolicy=no
> >         # cachecrls=yes
> >         # nat_traversal=yes
> >         charonstart=yes
> >         plutostart=no
> >         charondebug=control
> > # Add connections here.
> >
> > ca strongswan
> >         cacert=caCert.der
> >         auto=add
> > conn %default
> >         type=tunnel
> >         left=169.254.1.70
> >         leftcert=VC2Cert.der
> >         right=169.254.0.70
> >         #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
> >         keyexchange=ikev2
> >         auto=start
> > conn tunnel1
> >         leftid=@VC2-tunnel1
> >         rightid=@VC1-tunnel1
> >         leftsubnet=169.254.1.0/24
> >         rightsubnet=169.254.0.0/24
> >         mark=10
> > conn tunnel2
> >         leftid=@VC2-tunnel2
> >         rightid=@VC1-tunnel2
> >         leftsubnet=169.254.1.0/24
> >         rightsubnet=169.254.0.0/24
> >         mark=20
> >
> > # ipsec status
> > Security Associations:
> > tunnel1[3]: ESTABLISHED 44 seconds ago,
> > 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
> > tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
> > tunnel1{3}: 169.254.1.0/24 === 169.254.0.0/24
> > tunnel2[4]: ESTABLISHED 44 seconds ago,
> > 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
> > tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
> > tunnel2{4}: 169.254.1.0/24 === 169.254.0.0/24
> >
> > # iptables -L -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
> > Chain POSTROUTING (policy ACCEPT)
> > target     prot opt source               destination
> >
> > # tcpdump -i eth2
> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
> > 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64
> > 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64
> > 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64
> > 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64
> >
> > Could you please let me know if there is anything more I need to do? The
> > above works fine only when dscp is set to BE.
> >
> > Thanks and regards,
> > Meera
======================================================================
Andreas Steffen andreas.steffen at strongswan.org
strongSwan - the Linux VPN Solution! www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
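As an added example that is not part of this thread, a small Python checker that cross-references the mark= value of each conn in ipsec.conf with the DSCP-to-MARK rules shown by iptables -L -t mangle and reports which tunnel a given DSCP class would select, following the rule Andreas states above (a packet without a mark matching some conn's mark= is not tunneled). The sample ipsec.conf fragment and mangle listing are constructed from the values quoted in this thread.

```python
"""Cross-check strongSwan mark= values against iptables DSCP->MARK rules.
Added example, not code from the thread; it models the selection rule from
the discussion: a packet reaches a conn only if its fwmark equals that
conn's mark=, and an unmarked packet (mark 0) leaves in plaintext."""
import re


def dscp_codepoint(name):
    """DSCP class name -> 6-bit codepoint (BE/CSx/AFxy/EF, RFC 2474/2597/3246)."""
    name = name.upper()
    if name in ("BE", "CS0"):
        return 0
    if name == "EF":
        return 46  # 0x2e, the value shown in the mangle listing above
    m = re.fullmatch(r"AF([1-4])([1-3])", name)
    if m:
        return 8 * int(m.group(1)) + 2 * int(m.group(2))
    m = re.fullmatch(r"CS([0-7])", name)
    if m:
        return 8 * int(m.group(1))
    raise ValueError("unknown DSCP class: " + name)


def parse_conn_marks(ipsec_conf):
    """Return {conn: mark} for every conn section that carries a mark= line."""
    marks, conn = {}, None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = re.match(r"conn\s+(\S+)", line)
        if m:
            conn = m.group(1)
        m = re.match(r"mark=([^/\s]+)", line)  # an optional /mask is ignored
        if m and conn:
            marks[conn] = int(m.group(1), 0)
    return marks


def parse_mangle_rules(listing):
    """Return {dscp_codepoint: mark} from 'iptables -L -t mangle' output."""
    pat = r"DSCP match (0x[0-9a-fA-F]+)\s*MARK set (0x[0-9a-fA-F]+)"
    return {int(d, 16): int(mk, 16) for d, mk in re.findall(pat, listing)}


def tunnel_for_class(ipsec_conf, listing, classes):
    """Map each DSCP class to the conn it would select; None means plaintext."""
    by_mark = {v: k for k, v in parse_conn_marks(ipsec_conf).items()}
    rules = parse_mangle_rules(listing)
    return {c: by_mark.get(rules.get(dscp_codepoint(c), 0)) for c in classes}


# Constructed sample input using the values quoted in this thread.
SAMPLE_CONF = "conn tunnel1\n        mark=10\nconn tunnel2\n        mark=20\n"
SAMPLE_MANGLE = "MARK  all  --  anywhere  anywhere  DSCP match 0x2eMARK set 0xa\n"

if __name__ == "__main__":
    print(tunnel_for_class(SAMPLE_CONF, SAMPLE_MANGLE, ["EF", "BE", "AF31"]))
```

With the thread's rules only EF traffic is marked 10 and reaches tunnel1; tunnel2 (mark=20) has no rule feeding it and every other class leaves unmarked.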