[strongSwan] Question on Marks

Jani Lahtinen jani.lahtinen at stonesoft.com
Thu Feb 27 08:29:55 CET 2014


I am trying to set up a mobile VPN to a gateway on user1 and only use 
this VPN for the user user1. I am using the test net2net-psk-dscp as guide.

My ipsec.conf:

conn gw1
     left=%any
     leftsourceip=%config
     leftauth=eap
     right=10.1.1.2
     rightsubnet=192.168.1.0/24
     keyexchange=ikev2
     auto=add

conn gw1-1
     leftid=user1
     mark=0x1
     also=gw1

I then set the mark for connections of user1 by:

$ iptables -t mangle -A OUTPUT -m owner --uid-owner user1 -j MARK --set-mark 1
$ iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT

$ ip x s
src 10.1.1.1 dst 10.1.1.2
     proto esp spi 0x46f4cfd8 reqid 1 mode tunnel
     replay-window 32 flag af-unspec
     mark 1/0xffffffff
     auth-trunc hmac(sha1) 0xdbc93607662c2694bf5468faa65ef5145267b105 96
     enc cbc(aes) 0x98f9e1f1773abd2b05c1ef2f079c7e89
src 10.1.1.2 dst 10.1.1.1
     proto esp spi 0xc8fa3f15 reqid 1 mode tunnel
     replay-window 32 flag af-unspec
     mark 1/0xffffffff
     auth-trunc hmac(sha1) 0x8732a029574e2a1ff80d814e80bcdfe9df450912 96
     enc cbc(aes) 0x6544dceee1c91748f335d25931938a6c

$ ip x p
src 192.168.1.0/24 dst 192.168.1.127/32
     dir fwd priority 1827
     mark 1/0xffffffff
     tmpl src 10.1.1.2 dst 10.1.1.1
         proto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 192.168.1.127/32
     dir in priority 1827
     mark 1/0xffffffff
     tmpl src 10.1.1.2 dst 10.1.1.1
         proto esp reqid 1 mode tunnel
src 192.168.1.127/32 dst 192.168.1.0/24
     dir out priority 1827
     mark 1/0xffffffff
     tmpl src 10.1.1.1 dst 10.1.1.2
         proto esp reqid 1 mode tunnel

But when I ping a server behind the firewall with:

$ sudo -u user1 ping 192.168.1.5

I can see with tcpdump that the ESP packets get to the gateway, the 
server 192.168.1.5 receives the ping request and answers it, ESP packets 
are sent from the gateway to the client but the user1 ping is not 
receiving them.

$ ipsec --version
Linux strongSwan U5.1.1/K3.11.0-17-generic

Am I doing something wrong?
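An added check for the symptom described above (example code, not part of the post and not strongSwan's own code). On receive, the kernel's XFRM state lookup matches the mark carried by the arriving ESP packet, so an inbound SA with mark 1/0xffffffff only accepts packets that already carry mark 1 when they reach the ESP handler. The mangle OUTPUT rule with the owner match marks user1's outgoing packets, but nothing in the posted rules marks the ESP arriving from 10.1.1.2. The script parses the posted `ip xfrm state` output together with a constructed `iptables-save -t mangle` dump (uid 1000 standing in for user1) and reports every marked inbound SA for which no PREROUTING/INPUT mangle rule applies the same mark to ESP from that peer; a second constructed dump adds the missing PREROUTING rule and produces no finding.

```python
"""Find marked inbound IPsec SAs whose mark no netfilter rule applies to
incoming ESP. Added example; not strongSwan code. Assumptions: the local
address is 10.1.1.1 (from the SA dump) and user1 has uid 1000."""
import re
import shlex

LOCAL = "10.1.1.1"  # client address, taken from the posted SA dump

# `ip xfrm state` output as posted; key material shortened to "..."
XFRM_STATE = """\
src 10.1.1.1 dst 10.1.1.2
    proto esp spi 0x46f4cfd8 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 1/0xffffffff
    auth-trunc hmac(sha1) ... 96
    enc cbc(aes) ...
src 10.1.1.2 dst 10.1.1.1
    proto esp spi 0xc8fa3f15 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    mark 1/0xffffffff
    auth-trunc hmac(sha1) ... 96
    enc cbc(aes) ...
"""

# Constructed `iptables-save -t mangle` dump of the rules from the post
# (iptables-save renders `--set-mark 1` as `--set-xmark 0x1/0xffffffff`).
MANGLE_AS_POSTED = """\
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -m owner --uid-owner 1000 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
"""

# Same dump with a rule that marks ESP from the gateway before XFRM sees it.
MANGLE_FIXED = MANGLE_AS_POSTED.replace(
    "COMMIT",
    "-A PREROUTING -s 10.1.1.2/32 -p esp -j MARK --set-xmark 0x1/0xffffffff\nCOMMIT")


def parse_xfrm_state(text):
    """Return one dict per SA: src, dst, spi, mark/mask (mark None if unmarked)."""
    sas = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):  # "src X dst Y" opens a new SA block
            m = re.match(r"src (\S+) dst (\S+)", line)
            sas.append({"src": m.group(1), "dst": m.group(2), "mark": None, "mask": 0})
            continue
        sa = sas[-1]
        m = re.match(r"\s*mark (0x[0-9a-f]+|\d+)/(0x[0-9a-f]+|\d+)", line)
        if m:
            sa["mark"], sa["mask"] = int(m.group(1), 0), int(m.group(2), 0)
        m = re.search(r"spi (0x[0-9a-f]+)", line)
        if m:
            sa["spi"] = m.group(1)
    return sas


def parse_mangle_rules(dump):
    """Return (chain, tokens) for every -A rule in an iptables-save mangle table."""
    return [(t[1], t) for t in (shlex.split(l) for l in dump.splitlines())
            if t and t[0] == "-A"]


def rule_sets_mark(toks):
    """Mark value a `-j MARK` rule sets (--set-mark or --set-xmark), else None."""
    if "-j" in toks and toks[toks.index("-j") + 1] == "MARK":
        for opt in ("--set-mark", "--set-xmark"):
            if opt in toks:
                return int(toks[toks.index(opt) + 1].split("/")[0], 0)
    return None


def rule_matches_esp_from(toks, peer):
    """True if the rule matches protocol ESP and (if -s given) the peer address."""
    proto = toks[toks.index("-p") + 1] if "-p" in toks else None
    if proto not in ("esp", "50"):
        return False
    if "-s" in toks and toks[toks.index("-s") + 1].split("/")[0] != peer:
        return False
    return True


def unmarked_inbound_sas(xfrm_text, mangle_dump, local):
    """Inbound SAs (dst == local) with a mark that no PREROUTING/INPUT rule
    applies to ESP from the SA's peer. The mangle INPUT chain also runs before
    the ESP handler for locally delivered packets, so both chains count."""
    rules = parse_mangle_rules(mangle_dump)
    findings = []
    for sa in parse_xfrm_state(xfrm_text):
        if sa["dst"] != local or sa["mark"] is None:
            continue
        covered = any(
            chain in ("PREROUTING", "INPUT")
            and rule_matches_esp_from(toks, sa["src"])
            and rule_sets_mark(toks) is not None
            and (rule_sets_mark(toks) & sa["mask"]) == (sa["mark"] & sa["mask"])
            for chain, toks in rules)
        if not covered:
            findings.append(sa)
    return findings


if __name__ == "__main__":
    for label, dump in (("as posted", MANGLE_AS_POSTED), ("fixed", MANGLE_FIXED)):
        for sa in unmarked_inbound_sas(XFRM_STATE, dump, LOCAL):
            print(f"[{label}] inbound SA spi {sa['spi']} from {sa['src']} needs "
                  f"mark {sa['mark']:#x} but no PREROUTING/INPUT rule sets it")
```

On the client, `grep XfrmInNoStates /proc/net/xfrm_stat` confirms the diagnosis: the counter increments for each ESP packet that matches no SA, which is what happens to the replies from 10.1.1.2 while they arrive with mark 0. The alternative to marking inbound ESP is to use `mark_out=1` instead of `mark=0x1`, which marks only the outbound SA and policy and leaves the inbound side unmarked.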
