[strongSwan] Problems with connections using mark
Steffen Heil (Mailinglisten)
lists at steffen-heil.de
Sun May 13 21:05:29 CEST 2012
I have the following setup:
10.1.1.0/24 ---(eth1) gatewayA (eth0) --- (eth0) gateway (eth1) ---
The ipsec.conf on gatewayA is the following:
# /etc/ipsec.conf - strongSwan IPsec configuration file
That works well: I can ping from 10.1.1.2 to 10.2.1.2 and the packets
between the gateways are encrypted.
However, that is only a simple setup; to implement my real scenario, I need
to use 0.0.0.0/0 as leftsubnet/rightsubnet and use marks.
So I started keeping the networks unchanged and only added mark=1 to both
sides for conn net-net. (Planning to replace the subnets with 0.0.0.0/0
Then I could not ping any more, which was expected. So I added a firewall
rule to gatewayA:
iptables -t mangle -A PREROUTING -s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK
Now, the ping gets encrypted and sent to gatewayB. However, gatewayB does not
seem to process it.
At least it is not forwarded to 10.2.1.2 any more.
Am I missing something?
(Note, it worked before adding "mark=1", so it must have something to do
I am grateful for any hint.
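An added example, not part of the original post or of strongSwan: a small POSIX shell script that renders and installs the mangle rules a gateway needs once its conn carries mark=1. It goes beyond the single rule in the post in one respect worth checking on a setup like this: strongSwan applies mark to the inbound SA and policy as well as the outbound ones, so the ESP packets arriving from the peer also have to carry the mark (before decryption), and traffic generated on the gateway itself passes through OUTPUT rather than PREROUTING. The public gateway addresses 192.0.2.1 (gatewayA) and 192.0.2.2 (gatewayB) are constructed documentation addresses; the subnets and the mark value are the ones from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from strongSwan).
# Constructed assumptions: gatewayA public address 192.0.2.1, gatewayB
# public address 192.0.2.2 (documentation addresses); subnets and mark
# value as in the post. Set IPTABLES=true to render without installing.
set -eu

MARK=${MARK:-1}
IPTABLES=${IPTABLES:-iptables}

# Render the mangle rules one gateway needs when its conn carries mark=1.
# The mark has to be present on three kinds of packets: forwarded
# plaintext from the local subnet, plaintext generated on the gateway
# itself, and the ESP packets coming in from the peer (strongSwan's mark
# setting also applies to the inbound SA/policy).
# usage: mark_rules LOCAL_SUBNET REMOTE_SUBNET PEER_IP
mark_rules() {
    local_net=$1
    remote_net=$2
    peer=$3
    # outbound plaintext from hosts behind the gateway enters via PREROUTING
    printf '%s\n' "-t mangle -A PREROUTING -s $local_net -d $remote_net -j MARK --set-xmark $MARK"
    # outbound plaintext generated on the gateway itself goes through OUTPUT
    printf '%s\n' "-t mangle -A OUTPUT -s $local_net -d $remote_net -j MARK --set-xmark $MARK"
    # inbound ESP from the peer, marked so the inbound SA/policy with the same mark matches
    printf '%s\n' "-t mangle -A PREROUTING -p esp -s $peer -j MARK --set-xmark $MARK"
}

# Install the rules idempotently: -C checks whether a rule already exists,
# -A appends it only if the check fails. Re-running the script is safe.
apply_rules() {
    mark_rules "$@" | while IFS= read -r rule; do
        check=$(printf '%s' "$rule" | sed 's/ -A / -C /')
        # word splitting of $check and $rule into iptables arguments is intended
        # shellcheck disable=SC2086
        $IPTABLES $check 2>/dev/null || $IPTABLES $rule
    done
}

# Number of rules rendered for a gateway, for a quick sanity check.
rule_count() {
    mark_rules "$@" | wc -l | tr -d ' '
}

# On gatewayA (peer is gatewayB):
#   apply_rules 10.1.1.0/24 10.2.1.0/24 192.0.2.2
# On gatewayB (peer is gatewayA):
#   apply_rules 10.2.1.0/24 10.1.1.0/24 192.0.2.1
```

The point to take from the rendered set is that the rules are mirrored on both gateways, not added on one side only: with mark=1 configured on gatewayB but no rule marking the ESP packets that arrive there, its inbound SA and policy carry a mark that the packets never match. `--set-xmark` is the iptables MARK target option that sets the whole mark; `--set-mark` behaves the same with the default mask.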