[strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel
Meera Sudhakar
mira.sudhakar at gmail.com
Wed Nov 16 11:31:18 CET 2011
Hi Andreas,
Ok, thanks a lot for the explanation. I had understood it the other way
round. It is now working with all DSCP values.
Thanks and regards,
Meera
On Tue, Nov 15, 2011 at 2:17 PM, Andreas Steffen <
andreas.steffen at strongswan.org> wrote:
> Hello Meera,
>
> you must differentiate between setting the DSCP value in the TOS
> field of the IP packets at the origin of the end-to-end IP route
> and marking these packets when they enter the VPN gateway and are
> ready to be tunneled via IPsec. These are two totally different
> tasks. Have a look at our demo example:
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
>
> DSCP set--> <-- DSCP set
> alice ------ gw moon ================ gw sun --------- bob
> MARK set--> IPsec <--Mark set
>
> 1) Setting the DSCP value in the TOS field of IP packet at the
> IP route end points alice and bob:
>
> alice# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
> bob# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
>
> 2) Setting a MARK by the VPN gateways moon and sun depending on the
> DSCP value detected in the inbound plaintext IP packets:
>
> moon# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \
> -j MARK --set-mark 10
>
> sun# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
>
> Regards
>
> Andreas
>
>
> On 11/15/2011 07:14 AM, Meera Sudhakar wrote:
>
>> Hello Andreas,
>> Yes, I agree with you.
>> I have first set the following rules in the mangle table on both
>> endpoints:
>> iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
>> iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class EF
>> So with these rules, all traffic passing between the endpoints will be
>> marked with 10, and will have dscp EF. Since one of my tunnels has been
>> configured with mark=10 (in ipsec.conf), that means all these packets
>> should travel through this tunnel. In other words, I am only trying to
>> set dscp=EF for my first tunnel which has mark=10. I am not using the
>> second tunnel with mark=20 now. This worked fine when only the marking
>> was given in the iptables rules, without the dscp. So my understanding
>> is that I can use any one of the created tunnels at a time. Please
>> correct me if this is wrong.
>> Thanks,
>> Meera
>> On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen
>> <andreas.steffen at strongswan.org> wrote:
>>
>> Hello,
>>
>> you define only mark 10 but not mark 20. No traffic will go through
>> the tunnel without a mark (either 10 or 20) set.
>>
>> Regards
>>
>> Andreas
>>
>> On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
>> > Hi,
>> >
>> > My aim is to create two IPsec tunnels using strongSwan between two
>> > end-points, each having a different dscp marking (like say EF, BE, AF31
>> > etc). Right now, I see that when I set the dscp marking as BE (default),
>> > the traffic goes through the designated IPsec tunnel. When I use
>> > anything else, the traffic reaches the other end-point in plain-text
>> > (there is no encryption). I tried referring to your example in
>> >
>> > http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
>> >
>> > I see that you are able to send encrypted traffic with dscp marking EF
>> > and BE. I believe that the reason dscp-marked traffic does not flow
>> > through a tunnel could be because the tunnel does not have the
>> > 'capability' to handle that particular dscp-marking. Could you please
>> > let me know if this is the case, and also if there is anything I need to
>> > change (kernel version, strongSwan version, config file) to get this
>> > working. I have pasted the details of my end-points below, with dscp set
>> > to EF:
>> >
>> > linux kernel version on both end-points: 2.6.35
>> > strongSwan version on both end-points: 4.5.2-1
>> >
>> > _End-point1:_
>> > # cat /etc/ipsec.conf
>> > # ipsec.conf - strongSwan IPsec configuration file
>> > # basic configuration
>> > config setup
>> > #plutostderrlog=/var/log/syslog
>> > # plutodebug=control
>> > # crlcheckinterval=600
>> > strictcrlpolicy=no
>> > # cachecrls=yes
>> > # nat_traversal=yes
>> > charonstart=yes
>> > charondebug=control
>> > plutostart=no
>> > # Add connections here.
>> >
>> > ca strongswan
>> > cacert=caCert.der
>> > auto=add
>> > conn %default
>> > type=tunnel
>> > left=169.254.0.70
>> > leftcert=VC1Cert.der
>> > right=169.254.1.70
>> > #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
>> > keyexchange=ikev2
>> > auto=start
>> > conn tunnel1
>> > leftid=@VC1-tunnel1
>> > rightid=@VC2-tunnel1
>> > leftsubnet=169.254.0.0/24
>> > rightsubnet=169.254.1.0/24
>> > mark=10
>> > conn tunnel2
>> > leftid=@VC1-tunnel2
>> > rightid=@VC2-tunnel2
>> > leftsubnet=169.254.0.0/24
>> > rightsubnet=169.254.1.0/24
>> > mark=20
>> >
>> > # ipsec status
>> > Security Associations:
>> > tunnel1[1]: ESTABLISHED 37 seconds ago,
>> > 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
>> > tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
>> > tunnel1{3}: 169.254.0.0/24 === 169.254.1.0/24
>> > tunnel2[2]: ESTABLISHED 37 seconds ago,
>> > 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
>> > tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
>> > tunnel2{4}: 169.254.0.0/24 === 169.254.1.0/24
>> >
>> > # iptables -L -t mangle
>> > Chain PREROUTING (policy ACCEPT)
>> > target prot opt source destination
>> > MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa
>> > Chain INPUT (policy ACCEPT)
>> > target prot opt source destination
>> > Chain FORWARD (policy ACCEPT)
>> > target prot opt source destination
>> > Chain OUTPUT (policy ACCEPT)
>> > target prot opt source destination
>> > MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa
>> > Chain POSTROUTING (policy ACCEPT)
>> > target prot opt source destination
>> >
>> > # ping 169.254.1.70
>> > PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
>> > 64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
>> > 64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
>> > ^C
>> > --- 169.254.1.70 ping statistics ---
>> > 2 packets transmitted, 2 received, 0% packet loss, time 999ms
>> > rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
>> >
>> > _End-point 2:_
>> > # cat /etc/ipsec.conf
>> > # ipsec.conf - strongSwan IPsec configuration file
>> > # basic configuration
>> > config setup
>> > # plutodebug=control
>> > # crlcheckinterval=600
>> > strictcrlpolicy=no
>> > # cachecrls=yes
>> > # nat_traversal=yes
>> > charonstart=yes
>> > plutostart=no
>> > charondebug=control
>> > # Add connections here.
>> >
>> > ca strongswan
>> > cacert=caCert.der
>> > auto=add
>> > conn %default
>> > type=tunnel
>> > left=169.254.1.70
>> > leftcert=VC2Cert.der
>> > right=169.254.0.70
>> > #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
>> > keyexchange=ikev2
>> > auto=start
>> > conn tunnel1
>> > leftid=@VC2-tunnel1
>> > rightid=@VC1-tunnel1
>> > leftsubnet=169.254.1.0/24
>> > rightsubnet=169.254.0.0/24
>> > mark=10
>> > conn tunnel2
>> > leftid=@VC2-tunnel2
>> > rightid=@VC1-tunnel2
>> > leftsubnet=169.254.1.0/24
>> > rightsubnet=169.254.0.0/24
>> > mark=20
>> >
>> > # ipsec status
>> > Security Associations:
>> > tunnel1[3]: ESTABLISHED 44 seconds ago,
>> > 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
>> > tunnel1{3}: INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
>> > tunnel1{3}: 169.254.1.0/24 === 169.254.0.0/24
>> > tunnel2[4]: ESTABLISHED 44 seconds ago,
>> > 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
>> > tunnel2{4}: INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
>> > tunnel2{4}: 169.254.1.0/24 === 169.254.0.0/24
>> >
>> > # iptables -L -t mangle
>> > Chain PREROUTING (policy ACCEPT)
>> > target prot opt source destination
>> > MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa
>> > Chain INPUT (policy ACCEPT)
>> > target prot opt source destination
>> > Chain FORWARD (policy ACCEPT)
>> > target prot opt source destination
>> > Chain OUTPUT (policy ACCEPT)
>> > target prot opt source destination
>> > MARK all -- anywhere anywhere DSCP match 0x2e MARK set 0xa
>> > Chain POSTROUTING (policy ACCEPT)
>> > target prot opt source destination
>> >
>> > # tcpdump -i eth2
>> > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>> > listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
>> > 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64
>> > 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64
>> > 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64
>> > 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64
>> >
>> > Could you please let me know if there is anything more I need to do? The
>> > above works fine only when dscp is set to BE.
>> >
>> > Thanks and regards,
>> > Meera
>>
>
> ======================================================================
> Andreas Steffen andreas.steffen at strongswan.org
> strongSwan - the Linux VPN Solution! www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> =========================================================[ITA-HSR]==
>
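The DSCP -> fwmark -> tunnel chain that Andreas describes above, as an added example that is not part of this thread and not strongSwan code: a small Python checker that parses an ipsec.conf fragment and `iptables -L -t mangle` output, then reports for each DSCP class which conn's mark the traffic would receive, which classes would leave the gateway unencrypted because no rule marks them, and which conns no rule ever selects. The ipsec.conf fragment and the mangle listing below are constructed to mirror the thread's setup (tunnel1 mark=10, tunnel2 mark=20, only EF mapped to mark 0xa); the DSCP codepoint table follows RFC 2474, RFC 2597 and RFC 3246; all function names are my own.

```python
"""Check which DSCP classes select a mark-based strongSwan conn (added example)."""
import re

# DSCP codepoints (6 bits) per RFC 2474 (CS), RFC 2597 (AF) and RFC 3246 (EF).
DSCP_CLASSES = {"BE": 0, "AF11": 10, "AF21": 18, "AF31": 26, "AF41": 34,
                "EF": 46, "CS6": 48}

# Constructed ipsec.conf fragment, same shape as the one posted in the thread.
SAMPLE_IPSEC_CONF = """\
conn %default
    type=tunnel
    keyexchange=ikev2
conn tunnel1
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=10
conn tunnel2
    leftsubnet=169.254.0.0/24
    rightsubnet=169.254.1.0/24
    mark=20
"""

# Constructed `iptables -L -t mangle` output: only EF (0x2e) is mapped to mark 0xa.
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
"""

CONN_RE = re.compile(r"^\s*conn\s+(\S+)")
MARK_RE = re.compile(r"^\s*mark\s*=\s*([^/\s]+)")  # "mark=10" or "mark=0xa/0xffffffff"
CHAIN_RE = re.compile(r"^Chain\s+(\S+)")
RULE_RE = re.compile(r"DSCP match 0x([0-9a-fA-F]+).*?MARK set 0x([0-9a-fA-F]+)")


def parse_ipsec_marks(conf_text):
    """Return {conn_name: mark} for every non-%default conn that sets mark=."""
    marks, current = {}, None
    for line in conf_text.splitlines():
        m = CONN_RE.match(line)
        if m:
            current = None if m.group(1) == "%default" else m.group(1)
            continue
        m = MARK_RE.match(line)
        if m and current:
            marks[current] = int(m.group(1), 0)  # accepts decimal and 0x.. forms
    return marks


def parse_mangle_rules(iptables_text):
    """Return [(chain, dscp_codepoint, mark)] for every DSCP-match -> MARK rule."""
    rules, chain = [], None
    for line in iptables_text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.search(line)
        if m and chain:
            rules.append((chain, int(m.group(1), 16), int(m.group(2), 16)))
    return rules


def tunnel_for_dscp(dscp, rules, marks):
    """Conn whose mark a packet carrying this DSCP codepoint would get, else None."""
    for _chain, codepoint, mark in rules:
        if codepoint == dscp:
            for conn, conn_mark in marks.items():
                if conn_mark == mark:
                    return conn
    return None  # no rule marks it: the packet never matches a mark-based policy


def tunnel_for_tos(tos_byte, rules, marks):
    """Same lookup from the raw IP TOS byte; DSCP is its upper six bits."""
    return tunnel_for_dscp(tos_byte >> 2, rules, marks)


def classify(conf_text, iptables_text, classes=("BE", "EF", "AF31")):
    """Map each DSCP class name to the conn carrying it, or None if it bypasses IPsec."""
    marks = parse_ipsec_marks(conf_text)
    rules = parse_mangle_rules(iptables_text)
    return {name: tunnel_for_dscp(DSCP_CLASSES[name], rules, marks) for name in classes}


def unreachable_tunnels(conf_text, iptables_text):
    """Conns whose mark no mangle rule ever sets: nothing can select them."""
    marks = parse_ipsec_marks(conf_text)
    set_marks = {mark for _c, _d, mark in parse_mangle_rules(iptables_text)}
    return sorted(conn for conn, mark in marks.items() if mark not in set_marks)


if __name__ == "__main__":
    for name, conn in classify(SAMPLE_IPSEC_CONF, SAMPLE_MANGLE).items():
        print(f"{name:5s} -> {conn or 'PLAINTEXT (no mark set, bypasses IPsec)'}")
    print("conns no rule selects:", unreachable_tunnels(SAMPLE_IPSEC_CONF, SAMPLE_MANGLE))
    # A default ping carries TOS 0 (BE), so the EF rule never fires for it.
    rules, marks = parse_mangle_rules(SAMPLE_MANGLE), parse_ipsec_marks(SAMPLE_IPSEC_CONF)
    print("default ping (TOS 0x00) ->", tunnel_for_tos(0x00, rules, marks))
```

The two steps from the reply map onto this directly: `tunnel_for_tos(0x00, ...)` returns None because a plain ping leaves the origin with TOS 0, so step 1 (setting the DSCP at alice/bob) has to happen before the gateway's step 2 rule can translate it into the fwmark that `mark=10` expects; `unreachable_tunnels` shows that tunnel2 with `mark=20` can never carry traffic while no rule sets mark 20.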