[strongSwan] Problems with connections using mark
Steffen Heil (Mailinglisten)
lists at steffen-heil.de
Sun May 13 21:05:29 CEST 2012
Hi everybody.
I have the following setup:
10.1.1.0/24 ---(eth1) gatewayA (eth0) --- (eth0) gatewayB (eth1) --- 10.2.1.0/24
The ipsec.conf on gatewayA is the following:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net
        left=10.5.0.1
        leftsubnet=10.1.1.0/24
        leftid=@a
        leftfirewall=yes
        right=10.5.0.2
        rightsubnet=10.2.1.0/24
        rightid=@b
        auto=add
That works well: I can ping from 10.1.1.2 to 10.2.1.2 and the packets
between the gateways are encrypted.
However, that is only a simple setup; to implement my real scenario, I need
to use 0.0.0.0/0 as leftsubnet/rightsubnet and use marks.
So I started by keeping the networks unchanged and only added mark=1 to both
sides for conn net-net. (Planning to replace the subnets with 0.0.0.0/0
later.)
Then I could not ping any more, which was expected. So I added a firewall
rule to gatewayA:
iptables -t mangle -A PREROUTING -s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-mark 1
Now, the ping gets encrypted and sent to gatewayB. However gatewayB does not
seem to process it.
At least it is not forwarded to 10.2.1.2 any more.
Am I missing something?
(Note, it worked before adding "mark=1", so it must have something to do
with that...)
I am grateful for any hint.
Best regards,
Steffen
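The symptom described in the post (ESP leaves gatewayA, gatewayB never forwards the decrypted ping) is what a mark-bound inbound SA produces when the arriving ESP packets carry no mark: the kernel compares the packet's mark with the SA's mark before it will even look up the SPI. The script below is an added illustration, not code from the post or from strongSwan; it does not touch the kernel but reproduces the XFRM comparison `(packet_mark & mask) == (sa_mark & mask)` in a small model of both gateways so the outbound and inbound paths can be traced side by side. It assumes that `mark=1` in ipsec.conf applies to both the inbound and the outbound SA/policy (strongSwan's `mark` option sets `mark_in` and `mark_out` together), and that a netfilter mark is host-local, so nothing of gatewayA's mark survives on the wire. The `-p esp` PREROUTING rule for gatewayB, the `XfrmInNoStates` counter mentioned in the comments, and the class and function names are this example's own.

```python
"""Model of how a Linux XFRM mark on an IPsec SA/policy gates packet matching.

Constructed example (not from the strongSwan mailing-list post it follows):
it does not talk to the kernel, it only replays the comparison the kernel
performs for a mark-bound SA/policy so both gateways can be traced offline.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Union


def in_subnet(addr: str, subnet: str) -> bool:
    # A bare host address ("10.5.0.1") is treated as a /32 by ip_network().
    return ip_address(addr) in ip_network(subnet)


@dataclass(frozen=True)
class Mark:
    """Mark/mask pair on an SA or policy, as configured via mark=/mark_in=."""
    value: int
    mask: int = 0xFFFFFFFF

    def matches(self, packet_mark: int) -> bool:
        # Same test the kernel applies: masked packet mark must equal masked SA mark.
        return (packet_mark & self.mask) == (self.value & self.mask)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "icmp" for the plaintext ping, "esp" for the tunnel packet
    mark: int = 0     # netfilter mark; host-local, never serialised on the wire


@dataclass
class MangleRule:
    """One `iptables -t mangle -A PREROUTING ... -j MARK --set-mark N` rule."""
    set_mark: int
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None

    def applies(self, p: Packet) -> bool:
        return ((self.src is None or in_subnet(p.src, self.src))
                and (self.dst is None or in_subnet(p.dst, self.dst))
                and (self.proto is None or p.proto == self.proto))


@dataclass
class Gateway:
    name: str
    tunnel_addr: str
    peer_addr: str
    local_subnet: str
    remote_subnet: str
    sa_mark: Optional[Mark] = None            # assumed: mark= sets it on both directions
    prerouting: List[MangleRule] = field(default_factory=list)

    def _mangle(self, p: Packet) -> Packet:
        for rule in self.prerouting:          # PREROUTING runs before the XFRM lookup
            if rule.applies(p):
                p.mark = rule.set_mark
        return p

    def outbound(self, p: Packet) -> Union[str, Packet]:
        """Plaintext from the local subnet: does the outbound policy/SA match?"""
        p = self._mangle(p)
        if not (in_subnet(p.src, self.local_subnet) and in_subnet(p.dst, self.remote_subnet)):
            return "no-policy"                # selector mismatch: not tunnelled
        if self.sa_mark and not self.sa_mark.matches(p.mark):
            return "no-policy"                # mark mismatch: policy not selected
        return Packet(self.tunnel_addr, self.peer_addr, "esp", mark=p.mark)

    def inbound(self, p: Packet) -> str:
        """ESP arriving from the peer: does the inbound SA match?"""
        p = self._mangle(p)
        if p.proto != "esp" or p.src != self.peer_addr:
            return "not-esp"
        if self.sa_mark and not self.sa_mark.matches(p.mark):
            return "no-sa"                    # kernel counts this as XfrmInNoStates and drops
        return "decrypted"


def trace_scenario(mark_esp_on_b: bool) -> dict:
    """Replay the post's ping with or without an ESP-marking rule on gatewayB."""
    a = Gateway("gatewayA", "10.5.0.1", "10.5.0.2", "10.1.1.0/24", "10.2.1.0/24", Mark(1),
                [MangleRule(1, src="10.1.1.0/24", dst="10.2.1.0/24")])   # rule from the post
    b_rules = [MangleRule(1, proto="esp", src="10.5.0.1")] if mark_esp_on_b else []
    b = Gateway("gatewayB", "10.5.0.2", "10.5.0.1", "10.2.1.0/24", "10.1.1.0/24", Mark(1), b_rules)

    out = a.outbound(Packet("10.1.1.2", "10.2.1.2", "icmp"))
    if not isinstance(out, Packet):
        return {"A_out": out, "B_in": "nothing-sent"}
    on_wire = Packet(out.src, out.dst, out.proto, mark=0)  # the mark does not travel
    return {"A_out": "esp", "B_in": b.inbound(on_wire)}


if __name__ == "__main__":
    print("gatewayB without ESP mark rule:", trace_scenario(False))
    print("gatewayB with ESP mark rule:   ", trace_scenario(True))
```

The model says nothing about why gatewayB's configuration in the post behaves as it does beyond the assumption in the lead-in; its value is that `Mark.matches` and the two `Gateway` methods are the only places a mark is consulted, so adding, removing or masking a rule shows immediately which side of which gateway stops matching. On a real host the same check is `grep XfrmInNoStates /proc/net/xfrm_stat` on the receiving gateway and `ip xfrm state` / `ip xfrm policy` to read the mark each SA and policy was installed with.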