[strongSwan] Connections with marks and iptables

Noel Kuntze noel at familie-kuntze.de
Tue Nov 25 23:10:50 CET 2014



Hello list,

I'm trying to set up connections with mark_in and mark_out to implement Active-Passive HA that way.
However, I ran into the problem that the kernel doesn't seem to want to decapsulate the packets from peers
that have policies with marks set. To make the boxes decapsulate the traffic, I need to assign the correct marks to the ESP packets using iptables rules.

Judging from this flow chart [1], the packets have to be marked correctly before XFRM LOOKUP is hit on any side.
This has to be done in *mangle PREROUTING or *mangle INPUT for INBOUND ESP PACKETS, in *mangle POSTROUTING for FORWARDED packets, and in *mangle OUTPUT for OUTBOUND packets from the same box (here: a local process).

Also, what I found was that although [1] shows that traffic from the box itself to another peer needs to go through *mangle POSTROUTING, inserting marks there
doesn't make the policies match. Inserting marks in *mangle OUTPUT fixes that.

Summary:
For marks to work correctly, you need to:
* Mark ESP packets or ESP-in-UDP packets in *mangle PREROUTING or *mangle INPUT.
* Mark traffic that is just forwarded on the box in *mangle POSTROUTING.
* Mark traffic that originates from the box in *mangle OUTPUT.


[1] http://inai.de/images/nf-packet-flow.png

-- 

Kind regards/Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

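The three marking points from the summary above, written out as iptables rules. This is an added example, not code from the original post or from the strongSwan project; the mark value 42, the peer address 203.0.113.2 and the remote subnet 10.0.2.0/24 are constructed placeholders, and the mark must equal the mark_in/mark_out value configured for the corresponding conn. The script only prints the rules unless APPLY=1 is set, so it can be reviewed before it touches a box.

```shell
#!/bin/sh
# Added example (not from the original post): generate the iptables mangle
# rules that mark ESP / ESP-in-UDP and plaintext traffic so that the kernel's
# XFRM lookup matches strongSwan policies configured with mark_in/mark_out.
# Constructed placeholder values: mark 42, peer 203.0.113.2, remote subnet
# 10.0.2.0/24. The mark must match mark_in/mark_out of the conn in ipsec.conf.

# Print (do not apply) the rules for one peer.
# Arguments: <mark> <peer_ip> <remote_subnet>
mark_rules() {
    mark="$1"; peer="$2"; rnet="$3"
    # 1. Inbound ESP (IP protocol 50) and ESP-in-UDP (NAT-T, UDP/4500) from the
    #    peer must carry the mark before the inbound XFRM lookup, so mark them
    #    in mangle PREROUTING (restricted to the peer's source address).
    echo "iptables -t mangle -A PREROUTING -s $peer -p esp -j MARK --set-xmark $mark/0xffffffff"
    echo "iptables -t mangle -A PREROUTING -s $peer -p udp --dport 4500 -j MARK --set-xmark $mark/0xffffffff"
    # 2. Plaintext traffic merely forwarded through this box toward the remote
    #    subnet is marked in mangle POSTROUTING.
    echo "iptables -t mangle -A POSTROUTING -d $rnet -j MARK --set-xmark $mark/0xffffffff"
    # 3. Plaintext traffic originating on this box never reaches POSTROUTING
    #    before its XFRM lookup, so it is marked in mangle OUTPUT instead.
    echo "iptables -t mangle -A OUTPUT -d $rnet -j MARK --set-xmark $mark/0xffffffff"
}

# Number of rules generated for one peer (sanity check: one per marking point
# plus the extra NAT-T rule, i.e. four).
rule_count() {
    mark_rules "$@" | wc -l | tr -d ' '
}

# Usage: APPLY=1 ./mark-rules.sh applies the rules; otherwise they are printed.
if [ "${APPLY:-0}" = "1" ]; then
    mark_rules 42 203.0.113.2 10.0.2.0/24 | sh -e
else
    mark_rules 42 203.0.113.2 10.0.2.0/24
fi
```

Restricting the PREROUTING rules to the peer's address keeps each peer's ESP traffic on its own mark, which is what lets several marked policies coexist; a rule without `-s` would mark every peer's ESP with the same value.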