[strongSwan] Question on Marks
Jani Lahtinen
jani.lahtinen at stonesoft.com
Thu Feb 27 08:29:55 CET 2014
I am trying to set up a mobile VPN to a gateway on user1 and only use
this VPN for the user user1. I am using the test net2net-psk-dscp as guide.
My ipsec.conf (the keyword is leftsourceip; the original post had a stray "c" in it):
conn gw1
	left=%any
	leftsourceip=%config
	leftauth=eap
	right=10.1.1.2
	rightsubnet=192.168.1.0/24
	keyexchange=ikev2
	auto=add
conn gw1-1
	leftid=user1
	mark=0x1
	also=gw1
I then set the mark for connections of user1 by:
$ iptables -t mangle -A OUTPUT -m owner --uid-owner user1 -j MARK --set-mark 1
$ iptables -A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
$ ip x s
src 10.1.1.1 dst 10.1.1.2
	proto esp spi 0x46f4cfd8 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	mark 1/0xffffffff
	auth-trunc hmac(sha1) 0xdbc93607662c2694bf5468faa65ef5145267b105 96
	enc cbc(aes) 0x98f9e1f1773abd2b05c1ef2f079c7e89
src 10.1.1.2 dst 10.1.1.1
	proto esp spi 0xc8fa3f15 reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	mark 1/0xffffffff
	auth-trunc hmac(sha1) 0x8732a029574e2a1ff80d814e80bcdfe9df450912 96
	enc cbc(aes) 0x6544dceee1c91748f335d25931938a6c
$ ip x p
src 192.168.1.0/24 dst 192.168.1.127/32
	dir fwd priority 1827
	mark 1/0xffffffff
	tmpl src 10.1.1.2 dst 10.1.1.1
		proto esp reqid 1 mode tunnel
src 192.168.1.0/24 dst 192.168.1.127/32
	dir in priority 1827
	mark 1/0xffffffff
	tmpl src 10.1.1.2 dst 10.1.1.1
		proto esp reqid 1 mode tunnel
src 192.168.1.127/32 dst 192.168.1.0/24
	dir out priority 1827
	mark 1/0xffffffff
	tmpl src 10.1.1.1 dst 10.1.1.2
		proto esp reqid 1 mode tunnel
But when I ping a server behind the firewall with:
$ sudo -u user1 ping 192.168.1.5
I can see with tcpdump that the ESP packets get to the gateway, the
server 192.168.1.5 receives the ping request and answers it, ESP packets
are sent from the gateway to the client but the user1 ping is not
receiving them.
$ ipsec --version
Linux strongSwan U5.1.1/K3.11.0-17-generic
Am I doing something wrong?
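A diagnostic check for the situation in this post, added here as an example (not code from the post or from the strongSwan project): it parses `ip xfrm state` output and an `iptables-save -t mangle` dump and reports every marked SA whose mark is never set in a chain that packets of that direction traverse (OUTPUT/POSTROUTING for outbound, PREROUTING/INPUT for inbound ESP). The sample output is constructed after the post's `ip x s` listing (keys omitted), and the uid 1001 for user1 is an assumption.

```python
import re

# Constructed sample, shaped like the post's "ip x s" output (keys left out).
XFRM_STATE = """\
src 10.1.1.1 dst 10.1.1.2
	proto esp spi 0x46f4cfd8 reqid 1 mode tunnel
	mark 1/0xffffffff
src 10.1.1.2 dst 10.1.1.1
	proto esp spi 0xc8fa3f15 reqid 1 mode tunnel
	mark 1/0xffffffff
"""

# Constructed mangle table: only the post's OUTPUT owner rule (uid 1001 assumed for user1).
MANGLE = """\
*mangle
-A OUTPUT -m owner --uid-owner 1001 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
"""

def parse_states(text, local_ip):
    """Return [{'dir','spi','mark'}] per SA; direction is 'out' when src is our address."""
    states, cur = [], None
    for line in text.splitlines():
        m = re.match(r"src (\S+) dst (\S+)$", line.strip())
        if m:
            cur = {"dir": "out" if m.group(1) == local_ip else "in", "spi": None, "mark": 0}
            states.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"\bspi (0x[0-9a-f]+)", line)
        if m:
            cur["spi"] = m.group(1)
        m = re.search(r"\bmark (0x[0-9a-f]+|\d+)/", line)  # "1/0xffffffff" or "0x1/0xffffffff"
        if m:
            cur["mark"] = int(m.group(1), 0)
    return states

def marks_set_in(text, chains):
    """Collect mark values set by MARK targets in the given mangle chains."""
    marks = set()
    for line in text.splitlines():
        m = re.match(r"-A (\S+) .*-j MARK --set-x?mark (0x[0-9a-f]+|\d+)", line)
        if m and m.group(1) in chains:
            marks.add(int(m.group(2), 0))
    return marks

def find_unreachable_sas(xfrm_text, mangle_text, local_ip):
    """List (dir, spi, mark) for marked SAs that no rule in the matching direction can select."""
    out_marks = marks_set_in(mangle_text, {"OUTPUT", "POSTROUTING"})
    in_marks = marks_set_in(mangle_text, {"PREROUTING", "INPUT"})
    problems = []
    for s in parse_states(xfrm_text, local_ip):
        if s["mark"] and s["mark"] not in (out_marks if s["dir"] == "out" else in_marks):
            problems.append((s["dir"], s["spi"], s["mark"]))
    return problems
```

With the post's rule set this flags the inbound SA (spi 0xc8fa3f15): its mark is only ever set on locally generated packets, so ESP arriving from the gateway carries mark 0.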