[strongSwan] Problems with connections using mark

Steffen Heil (Mailinglisten) lists at steffen-heil.de
Sun May 13 22:45:08 CEST 2012


Hi

I need to add something:
I got one step further: if I DO NOT ADD "mark=1" but "mark_out=1" and I add
that firewall rule on both sides, it works.
(I am not sure this was the right step; at this point I am on trial and
error...)

But as soon as I widen the networks (first step to 10.0.0.0/8, later to
0.0.0.0/0), things break. I am not sure why, but I think the reason is the
3 SAs generated by strongSwan:


src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
        dir fwd action allow index 330 priority 1987 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-13 20:24:18 use -
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
        dir in action allow index 320 priority 1987 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-13 20:24:18 use -
        tmpl src 10.5.0.2 dst 10.5.0.1
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
        dir out action allow index 313 priority 1987 share any flag (0x00000000)
        lifetime config:
          limit: soft (INF)(bytes), hard (INF)(bytes)
          limit: soft (INF)(packets), hard (INF)(packets)
          expire add: soft 0(sec), hard 0(sec)
          expire use: soft 0(sec), hard 0(sec)
        lifetime current:
          0(bytes), 0(packets)
          add 2012-05-13 20:24:18 use -
        mark 1/0xffffffff
        tmpl src 10.5.0.1 dst 10.5.0.2
                proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
                level required share any
                enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

I understand the last one, it is the one used when sending and it has the
mark.
I also think I understand the second one: I think it is used for incoming
packets.
However I don't know what the first one is for...

On the other hand, I could delete the first using

ip xfrm policy delete src 10.0.0.0/8 dst 10.0.0.0/8 dir fwd

That didn't change anything, still no pings... Not even encrypted ones from
gatewayA to gatewayB.
Any hints?


Best regards again,
  Steffen
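The dump above shows the mark only on the `out` policy (which is what mark_out=1 installs), while the `in` and `fwd` policies carry none; the `fwd` policy is the one the kernel consults for decrypted packets that are forwarded through the gateway rather than delivered locally. The following shell script is an added diagnostic, not code from the post or from strongSwan: it condenses `ip xfrm policy` output to one line per policy (direction, selector, mark) so such an asymmetry is visible at a glance. The sample dump embedded in it is a constructed, abridged copy of the three policies shown above.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): summarise `ip xfrm policy`
# output as "dir=<dir> sel=<src>-><dst> mark=<mark>", one line per policy.

# Constructed sample: abridged copy of the three policies quoted in the post.
SAMPLE_POLICIES='src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
        dir fwd action allow index 330 priority 1987 share any flag (0x00000000)
        tmpl src 10.5.0.2 dst 10.5.0.1
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
        dir in action allow index 320 priority 1987 share any flag (0x00000000)
        tmpl src 10.5.0.2 dst 10.5.0.1
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
        dir out action allow index 313 priority 1987 share any flag (0x00000000)
        mark 1/0xffffffff
        tmpl src 10.5.0.1 dst 10.5.0.2'

# Reads a policy dump on stdin. A policy starts at a "src ... dst ... uid" line;
# the "mark" line is optional in the dump, so it defaults to "none".
summarize_policies() {
    awk '
        function flush() { if (dir != "") print "dir=" dir " sel=" src "->" dst " mark=" mark }
        $1 == "src" && $3 == "dst" && $5 == "uid" { flush(); src = $2; dst = $4; mark = "none"; dir = "" }
        $1 == "dir"  { dir = $2 }
        $1 == "mark" { mark = $2 }
        END { flush() }
    '
}

# Exit status 0 when the out policy requires a mark while an in or fwd policy
# has none (so in/fwd match packets regardless of their mark).
mark_mismatch() {
    summarize_policies | awk '
        /dir=out/ && !/mark=none/      { marked_out = 1 }
        /dir=(in|fwd)/ && /mark=none/  { unmarked_in = 1 }
        END { exit !(marked_out && unmarked_in) }
    '
}

# Live use on a gateway: ip xfrm policy | summarize_policies
printf '%s\n' "$SAMPLE_POLICIES" | summarize_policies
if printf '%s\n' "$SAMPLE_POLICIES" | mark_mismatch; then
    echo "out policy requires a mark; in/fwd policies carry none"
fi
```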



> -----Original Message-----
> From: users-bounces+lists=steffen-heil.de at lists.strongswan.org
> [mailto:users-bounces+lists=steffen-heil.de at lists.strongswan.org] On
> behalf of Steffen Heil (Mailinglisten)
> Sent: Sunday, May 13, 2012 21:05
> To: users at lists.strongswan.org
> Subject: [strongSwan] Problems with connections using mark
> 
> Hi everybody.
> 
> 
> I have the following setup:
> 
> 10.1.1.0/24 ---(eth1) gatewayA (eth0) --- (eth0) gateway (eth1) ---
> 10.2.1.0/24
> 
> The ipsec.conf on gatewayA is the following:
> 
> # /etc/ipsec.conf - strongSwan IPsec configuration file
> 
> config setup
>         plutostart=no
> 
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>         mobike=no
> 
> conn net-net
>         left=10.5.0.1
>         leftsubnet=10.1.1.0/24
>         leftid=@a
>         leftfirewall=yes
>         right=10.5.0.2
>         rightsubnet=10.2.1.0/24
>         rightid=@b
>         auto=add
> 
> That works well: I can ping from 10.1.1.2 to 10.2.1.2 and the packets
> between the gateways are encrypted.
> However that is only a simple setup; to implement my real scenario, I need
> to use 0.0.0.0/0 as leftsubnet/rightsubnet and use marks.
> So I started keeping the networks unchanged and only added mark=1 to
> both sides for conn net-net. (Planning to replace the subnets with
> 0.0.0.0/0 later.)
> 
> Then I could not ping any more, which was expected. So I added a firewall
> rule to gatewayA:
> 
> iptables -t mangle -A PREROUTING -s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-mark 1
> 
> Now, the ping gets encrypted and sent to gatewayB. However gatewayB
> does not seem to process it.
> At least it is not forwarded to 10.2.1.2 any more.
> 
> Am I missing something?
> (Note, it worked before adding "mark=1", so it must have something to do
> with that...)
> 
> I am grateful for any hint.
> 
> 
> Best regards,
>   Steffen
