[strongSwan] Connection marking and multiple tunnels

Noel Kuntze noel at familie-kuntze.de
Tue May 19 17:08:48 CEST 2015


Hello Justin,

I have the following questions:

What strongSwan version do you use?
What kernel version do you use?
What is the output of "ipsec statusall", when both tunnels are up?
What is the output of "ip -s xfrm policy"?
Do you have a log of the start of strongswan, so we can see if the parser picks it up?

Also, please only set mark_out.
Otherwise, you also have to apply the mark in *mangle INPUT (or PREROUTING),
so the kernel decapsulates the packets.

It seems as if the kernel either does know mark values as part of XFRM policies
or the parser does not pick it up.

Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 19.05.2015 at 16:34, Justin Michael Schwartzbeck wrote:
> Hello,
> I was following another thread where it was explained how to use the
> iptables MARK target in order to select which tunnel to send traffic
> through when I have multiple tunnels up on a peer. It was said that if
> you set the "mark" value in ipsec.conf for each tunnel, then you can
> mark your traffic using iptables and it will go through the tunnel
> that has the same mark. I will describe here my situation and then
> show you my configuration.
> I have three machines, two routers and one client. On the client I am
> using strongswan as the vpn client. When I start strongswan I am able
> to connect to both router1 and router2 over vpn using strongswan. On
> my client I have router1 configured with "mark=12" and router2
> configured with "mark=13." I use iptables to mark all outgoing tcp
> traffic with either 12 or 13. However, when I send traffic, say HTTP
> traffic, then all of the traffic is just routed through the last
> tunnel that I brought up (i.e. if I bring up router1 and then router2,
> then it is routed through router2, and vice versa). It is like the
> connection marking is not even being recognized.
> Here is my configuration:
> conn router1
>       keyexchange=ikev2
>       ike=3des-md5-modp1024
>       esp=aes256-sha
>       left=
>       leftid=%any
>       leftauth=eap-gtc
>       rightcert=<path to cert>
>       right=
>       rightsubnet=
>       eap_identity=<eap identity 1>
>       mark=12
>       auto=add
>       type=tunnel
> conn router2
>       keyexchange=ikev2
>       ike=3des-md5-modp1024
>       esp=aes256-sha
>       left=
>       leftid=%any
>       leftauth=eap-gtc
>       rightcert=<path to cert>
>       right=
>       rightsubnet=
>       eap_identity=<eap identity 2>
>       mark=13
>       auto=add
>       type=tunnel
> Here are the iptables commands I am using. For router 1:
> iptables -t mangle -A OUTPUT -j MARK --set-mark 12
> And for router 2:
> iptables -t mangle -A OUTPUT -j MARK --set-mark 13
> Any help would be appreciated.
> Thanks,
> Justin
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
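As an added example that is not part of the thread (neither Noel's nor Justin's code), here is a small POSIX sh/awk checker for the diagnostic Noel asks for: it summarises `ip xfrm policy` output one line per policy and verifies that the outbound policy towards a given rightsubnet carries the mark configured in ipsec.conf. The sample policy text embedded below is constructed to approximate iproute2's layout (a `mark 0xc/0xffffffff` line under `dir out` when a mark is attached); the function names, subnets and addresses are my own assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): check whether the XFRM policies
# strongSwan installed actually carry the mark set in ipsec.conf.
# Usage on a live host:  ip xfrm policy | policy_marks
#                        ip xfrm policy | check_mark_out 12 10.1.0.0/24

# Constructed sample of `ip xfrm policy` output, approximating the iproute2
# layout: two tunnels, the first installed with mark 12, the second without.
SAMPLE_XFRM_POLICY='src 0.0.0.0/0 dst 10.1.0.0/24
        dir out priority 1000 ptype main
        mark 0xc/0xffffffff
        tmpl src 192.0.2.10 dst 198.51.100.1
                proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 0.0.0.0/0
        dir in priority 1000 ptype main
        mark 0xc/0xffffffff
        tmpl src 198.51.100.1 dst 192.0.2.10
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 10.2.0.0/24
        dir out priority 1000 ptype main
        tmpl src 192.0.2.10 dst 198.51.100.2
                proto esp reqid 2 mode tunnel'

# policy_marks: read policy text on stdin, print one line per policy:
#   <dir> <src> <dst> <mark/mask or "none">
policy_marks() {
    awk '
        $1 == "src" && $3 == "dst" {       # header line of a new policy
            if (seen) print dir, src, dst, mark
            src = $2; dst = $4; dir = "?"; mark = "none"; seen = 1
        }
        $1 == "dir"  { dir = $2 }
        $1 == "mark" { mark = $2 }         # only present when a mark is attached
        END { if (seen) print dir, src, dst, mark }
    '
}

# check_mark_out <decimal mark> <dst subnet>: exit 0 only if an outbound
# policy towards that subnet carries the given mark (the mask is ignored).
check_mark_out() {
    want=$(printf '0x%x' "$1")             # ipsec.conf mark=12 shows up as 0xc
    policy_marks | awk -v want="$want" -v dst="$2" '
        $1 == "out" && $3 == dst {
            split($4, m, "/")
            if (m[1] == want) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Demonstration on the constructed sample (assumed config: router1 mark=12
# with rightsubnet 10.1.0.0/24, router2 mark=13 with rightsubnet 10.2.0.0/24).
printf '%s\n' "$SAMPLE_XFRM_POLICY" | policy_marks
for spec in "12 10.1.0.0/24" "13 10.2.0.0/24"; do
    set -- $spec
    if printf '%s\n' "$SAMPLE_XFRM_POLICY" | check_mark_out "$1" "$2"; then
        echo "mark $1 present on out policy to $2"
    else
        echo "mark $1 MISSING on out policy to $2: parser or kernel did not pick it up"
    fi
done
```

If the "none" case shows up for a tunnel that has `mark=` in ipsec.conf, the mark never reached the kernel policy, which is the first of the two causes Noel names. Note also that `-j MARK` does not stop rule traversal, so two unconditional MARK rules appended to the mangle OUTPUT chain leave every packet carrying the second mark; a match on each rule (for example on the destination) is what lets a rule select one tunnel over the other.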
