[strongSwan] Connection marking and multiple tunnels
Justin Michael Schwartzbeck
justinmschw at gmail.com
Tue May 19 16:34:53 CEST 2015
Hello,
I was following another thread where it was explained how to use the
iptables MARK target in order to select which tunnel to send traffic
through when I have multiple tunnels up on a peer. It was said that if
you set the "mark" value in ipsec.conf for each tunnel, then you can
mark your traffic using iptables and it will go through the tunnel
that has the same mark. I will describe here my situation and then
show you my configuration.
I have three machines, two routers and one client. On the client I am
using strongswan as the vpn client. When I start strongswan I am able
to connect to both router1 and router2 over vpn using strongswan. On
my client I have router1 configured with "mark=12" and router2
configured with "mark=13". I use iptables to mark all outgoing tcp
traffic with either 12 or 13. However, when I send traffic, say HTTP
traffic, then all of the traffic is just routed through the last
tunnel that I brought up (i.e. if I bring up router1 and then router2,
then it is routed through router2, and vice versa). It is like the
connection marking is not even being recognized.
Here is my configuration:
conn router1
    keyexchange=ikev2
    ike=3des-md5-modp1024
    esp=aes256-sha
    left=192.168.1.9
    leftid=%any
    leftauth=eap-gtc
    rightcert=<path to cert>
    right=192.168.1.2
    rightsubnet=80.254.145.88/32
    eap_identity=<eap identity 1>
    mark=12
    auto=add
    type=tunnel

conn router2
    keyexchange=ikev2
    ike=3des-md5-modp1024
    esp=aes256-sha
    left=192.168.1.9
    leftid=%any
    leftauth=eap-gtc
    rightcert=<path to cert>
    right=192.168.1.3
    rightsubnet=80.254.145.88/32
    eap_identity=<eap identity 2>
    mark=13
    auto=add
    type=tunnel
Here are the iptables commands I am using. For router 1:
iptables -t mangle -A OUTPUT -j MARK --set-mark 12
And for router 2:
iptables -t mangle -A OUTPUT -j MARK --set-mark 13
Any help would be appreciated.
Thanks,
Justin
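As an added illustration (not part of the original post and not strongSwan project code), here is a small Python model of how the mangle OUTPUT chain and a per-conn "mark=" value interact: MARK is a non-terminating target, so when several unconditional MARK rules are present every packet carries the value of the last one, and a packet whose final fwmark matches neither conn's mark matches no policy and leaves the host unencrypted. The Packet and MarkRule classes and the per-port rule set are assumptions made for the model; the two conn marks are the ones from the post.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    mark: int = 0   # fwmark before the mangle OUTPUT chain runs

@dataclass
class MarkRule:
    """One 'iptables -t mangle -A OUTPUT [match] -j MARK --set-mark N' rule."""
    set_mark: int
    proto: Optional[str] = None   # None means no -p match: rule hits every packet
    dport: Optional[int] = None   # None means no --dport match

    def matches(self, pkt: Packet) -> bool:
        return (self.proto is None or self.proto == pkt.proto) and (
            self.dport is None or self.dport == pkt.dport)

def final_mark(rules, pkt):
    """MARK does not stop chain traversal: every matching rule fires in
    order, so the last matching rule's value is what xfrm sees."""
    mark = pkt.mark
    for rule in rules:
        if rule.matches(pkt):
            mark = rule.set_mark
    return mark

def select_tunnel(tunnels, mark):
    """A conn with 'mark=N' installs policies that only match packets
    whose fwmark is N; a packet with any other mark matches none of them."""
    for name, tunnel_mark in tunnels.items():
        if tunnel_mark == mark:
            return name
    return None   # no marked policy matched: packet goes out in the clear

def route(rules, tunnels, pkt):
    return select_tunnel(tunnels, final_mark(rules, pkt))

TUNNELS = {"router1": 12, "router2": 13}          # the two conns from the post
POSTED_RULES = [MarkRule(12), MarkRule(13)]        # both unconditional, as posted
PORT_RULES = [MarkRule(12, "tcp", 80),             # hypothetical split by port
              MarkRule(13, "tcp", 443)]

if __name__ == "__main__":
    for label, rules in (("posted", POSTED_RULES), ("per-port", PORT_RULES)):
        for pkt in (Packet("tcp", 80), Packet("tcp", 443), Packet("udp", 53)):
            print(f"{label:8} {pkt.proto}/{pkt.dport} -> {route(rules, TUNNELS, pkt)}")
```

Checking the live host is the same idea in reverse: compare the marks on the installed policies from `ip xfrm policy` with the fwmark the mangle rules actually leave on the packets.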