[strongSwan] Problems selecting packets using reqid
Steffen Heil (Mailinglisten)
lists at steffen-heil.de
Sat May 19 15:35:41 CEST 2012
Hi
I have the following ipsec.conf configuration:
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
        plutostart=no

conn %default
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        authby=secret
        keyexchange=ikev2
        mobike=no

conn net-net
        mark=1
        reqid=1
        left=10.5.0.1
        leftsubnet=10.1.1.0/24
        leftid=@a
        leftfirewall=no
        right=10.5.0.2
        rightsubnet=10.2.1.0/24
        rightid=@b
        auto=add
Resulting in:
# ip x s
src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0xc33ac448 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0xc63951931fe6fb629186fc4ae4f9d565f4e739d3 96
        enc cbc(aes) 0xfb604b0457b3face7cd365c4d42ffaeb
src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0xcff3c297 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0xa9c8b6721fa8c35100536a7d5c645f163003466d 96
        enc cbc(aes) 0x270dd859c97dcc0d61efd691a23529e8
This works, because I have the following iptables rules:
-A PREROUTING -s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p esp -m esp --espspi 0xcff3c297 -j MARK --set-xmark 0x1/0xffffffff
The problem is that the second rule depends on the SPI, which changes over time.
I would prefer to use reqid but the following rules don't work:
-A PREROUTING -s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p esp -m policy --dir in --reqid 1 -j MARK --set-xmark 0x1/0xffffffff
Is there anything I am missing?
Any hint?
Regards,
Steffen
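Added example, not part of the original post: the `-m policy --dir in` match works on the secpath a packet carries after ESP decapsulation, so it never sees the still-encrypted ESP packet that the mark-based SA lookup in PREROUTING needs; the rule has to be keyed on the current SPI. The script below (assumed names `inbound_spi_for_reqid` and `esp_mark_rule`, my own, not strongSwan's) derives the inbound SPI of a given reqid from `ip xfrm state` output and prints the matching iptables rule, so the rule can be regenerated after each rekey instead of being hard-coded. The sample state text is the output quoted above with the key material abbreviated.

```shell
#!/bin/sh
# Added example (not from the original post): find the inbound ESP SPI for a
# reqid in `ip xfrm state` output and emit the corresponding marking rule.

# Constructed sample: the `ip xfrm state` output from the post, keys abbreviated.
SAMPLE_XFRM_STATE='src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0xc33ac448 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0xc639...39d3 96
        enc cbc(aes) 0xfb60...faeb
src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0xcff3c297 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        mark 1/0xffffffff
        auth-trunc hmac(sha1) 0xa9c8...466d 96
        enc cbc(aes) 0x270d...29e8'

# inbound_spi_for_reqid <local-address> <reqid> [xfrm-state-text]
# Prints the SPI of the ESP SA whose dst is the local address (i.e. the
# inbound SA) and whose reqid matches. Reads `ip xfrm state` when no text
# is supplied; prints nothing if no such SA exists.
inbound_spi_for_reqid() {
    local_addr=$1
    want_reqid=$2
    if [ $# -ge 3 ]; then
        text=$3
    else
        text=$(ip xfrm state)
    fi
    printf '%s\n' "$text" | awk -v dst="$local_addr" -v want="$want_reqid" '
        # A "src A dst B" line opens a new SA block; remember whether B is us.
        /^src / { inbound = ($4 == dst) }
        # Within an inbound block, the "proto esp spi X reqid Y ..." line
        # carries both values we need.
        inbound && $1 == "proto" && $2 == "esp" {
            spi = ""; rq = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "spi")   spi = $(i + 1)
                if ($i == "reqid") rq  = $(i + 1)
            }
            if (rq == want) { print spi; exit }
        }'
}

# esp_mark_rule <spi>
# Emits the iptables rule that marks ESP packets of that SPI with mark 1,
# matching the "mark 1/0xffffffff" the SAs above were installed with.
esp_mark_rule() {
    printf '%s\n' "-A PREROUTING -p esp -m esp --espspi $1 -j MARK --set-xmark 0x1/0xffffffff"
}

# Stand-alone run: show the rule for the sample state.
spi=$(inbound_spi_for_reqid 10.5.0.1 1 "$SAMPLE_XFRM_STATE")
[ -n "$spi" ] && esp_mark_rule "$spi"
```

On the live system, drop the third argument so the function reads `ip xfrm state` itself, and feed the printed rule to `iptables -R PREROUTING <rule-number> ...` (or a dedicated chain that is flushed and refilled) from a periodic job or a rekey hook; the rule then tracks the SPI rather than going stale when strongSwan rekeys the child SA.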