[strongSwan] Connection marking and multiple tunnels

Noel Kuntze noel at familie-kuntze.de
Tue May 19 17:08:48 CEST 2015



Hello Justin,

I have the following questions:

What strongSwan version do you use?
What kernel version do you use?
What is the output of "ipsec statusall", when both tunnels are up?
What is the output of "ip -s xfrm policy"?
Do you have a log of the start of strongswan, so we can see if the parser picks it up?

Also, please only set mark_out.
Otherwise, you also have to apply the mark in *mangle INPUT (or PREROUTING),
so the kernel decapsulates the packets.

It seems as if the kernel either does know mark values as part of XFRM policies
or the parser does not pick it up.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

On 19.05.2015 at 16:34, Justin Michael Schwartzbeck wrote:
> Hello,
>
> I was following another thread where it was explained how to use the
> iptables MARK target in order to select which tunnel to send traffic
> through when I have multiple tunnels up on a peer. It was said that if
> you set the "mark" value in ipsec.conf for each tunnel, then you can
> mark your traffic using iptables and it will go through the tunnel
> that has the same mark. I will describe here my situation and then
> show you my configuration.
>
> I have three machines, two routers and one client. On the client I am
> using strongswan as the vpn client. When I start strongswan I am able
> to connect to both router1 and router2 over vpn using strongswan. On
> my client I have router1 configured with "mark=12" and router2
> configured with "mark=13." I use iptables to mark all outgoing tcp
> traffic with either 12 or 13. However, when I send traffic, say HTTP
> traffic, then all of the traffic is just routed through the last
> tunnel that I brought up (i.e. if I bring up router1 and then router2,
> then it is routed through router2, and vice versa). It is like the
> connection marking is not even being recognized.
>
> Here is my configuration:
>
> conn router1
>       keyexchange=ikev2
>       ike=3des-md5-modp1024
>       esp=aes256-sha
>       left=192.168.1.9
>       leftid=%any
>       leftauth=eap-gtc
>       rightcert=<path to cert>
>       right=192.168.1.2
>       rightsubnet=80.254.145.88/32
>       eap_identity=<eap identity 1>
>       mark=12
>       auto=add
>       type=tunnel
>
> conn router2
>       keyexchange=ikev2
>       ike=3des-md5-modp1024
>       esp=aes256-sha
>       left=192.168.1.9
>       leftid=%any
>       leftauth=eap-gtc
>       rightcert=<path to cert>
>       right=192.168.1.3
>       rightsubnet=80.254.145.88/32
>       eap_identity=<eap identity 2>
>       mark=13
>       auto=add
>       type=tunnel
>
> Here are the iptables commands I am using. For router 1:
> iptables -t mangle -A OUTPUT -j MARK --set-mark 12
>
> And for router 2:
> iptables -t mangle -A OUTPUT -j MARK --set-mark 13
>
> Any help would be appreciated.
> Thanks,
> Justin
> _______________________________________________
> Users mailing list
> Users at lists.strongswan.org
> https://lists.strongswan.org/mailman/listinfo/users
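Noel asks for the output of "ip -s xfrm policy" to see whether the mark values actually reached the kernel policies. The following is an added example, not code from the thread or from strongSwan: a small Python checker that parses text in the shape of that output and reports, per remote peer, which mark (if any) the outbound policy carries. The sample policy dump is constructed (it is not captured from Justin's machine); the peer addresses 192.168.1.2/192.168.1.3 and the marks 12/13 are taken from his configuration. The parser only looks at the "src/dst" header, "dir", "mark" and "tmpl" lines, so the extra lifetime lines that "-s" adds are ignored.

```python
import re
import sys
from typing import Dict, List, Optional

# Constructed sample in the shape of "ip xfrm policy" output. Two outbound
# policies exist for the same remote subnet, one per tunnel; only the policy
# towards 192.168.1.2 carries a mark (0xc == 12). The policy towards
# 192.168.1.3 has none, which is exactly the symptom worth detecting.
SAMPLE_XFRM_POLICY = """\
src 192.168.1.9/32 dst 80.254.145.88/32
\tdir out priority 371327 ptype main
\tmark 0xc/0xffffffff
\ttmpl src 192.168.1.9 dst 192.168.1.2
\t\tproto esp reqid 1 mode tunnel
src 192.168.1.9/32 dst 80.254.145.88/32
\tdir out priority 371327 ptype main
\ttmpl src 192.168.1.9 dst 192.168.1.3
\t\tproto esp reqid 2 mode tunnel
src 80.254.145.88/32 dst 192.168.1.9/32
\tdir in priority 371327 ptype main
\tmark 0xc/0xffffffff
\ttmpl src 192.168.1.2 dst 192.168.1.9
\t\tproto esp reqid 1 mode tunnel
"""

# A policy starts with an unindented "src ... dst ..." line; everything
# indented after it belongs to that policy.
HEADER_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"\bdir (\w+)")
MARK_RE = re.compile(r"\bmark (0x[0-9a-fA-F]+)(?:/(0x[0-9a-fA-F]+))?")
TMPL_RE = re.compile(r"\btmpl src (\S+) dst (\S+)")


def parse_xfrm_policies(text: str) -> List[Dict]:
    """Return one dict per policy: selector, direction, mark/mask and template endpoints."""
    policies: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"src": m.group(1), "dst": m.group(2), "dir": None,
                       "mark": None, "mask": None, "tmpl_src": None, "tmpl_dst": None}
            policies.append(current)
            continue
        if current is None:
            continue  # stray text before the first policy
        m = DIR_RE.search(line)
        if m:
            current["dir"] = m.group(1)
        m = MARK_RE.search(line)
        if m:
            current["mark"] = int(m.group(1), 16)
            # "mark 0xc" without a mask means the full 32-bit mask
            current["mask"] = int(m.group(2), 16) if m.group(2) else 0xFFFFFFFF
        m = TMPL_RE.search(line)
        if m:
            current["tmpl_src"], current["tmpl_dst"] = m.group(1), m.group(2)
    return policies


def outbound_marks(policies: List[Dict], expected: Dict[str, int]) -> Dict[str, Optional[int]]:
    """Map each expected peer address to the mark found on its outbound policy (None if absent)."""
    found: Dict[str, Optional[int]] = {peer: None for peer in expected}
    for p in policies:
        # For "dir out" the tunnel template's destination is the remote peer.
        if p["dir"] == "out" and p["tmpl_dst"] in found:
            found[p["tmpl_dst"]] = p["mark"]
    return found


def missing_marks(policies: List[Dict], expected: Dict[str, int]) -> List[str]:
    """Peers whose outbound policy does not carry the mark configured for them."""
    found = outbound_marks(policies, expected)
    return [peer for peer, mark in expected.items() if found[peer] != mark]


if __name__ == "__main__":
    # Pipe real output in ("ip -s xfrm policy | python3 check_marks.py") or
    # run without input to see the constructed sample being checked.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XFRM_POLICY
    expected_marks = {"192.168.1.2": 12, "192.168.1.3": 13}  # from ipsec.conf above
    pols = parse_xfrm_policies(text)
    for peer, mark in outbound_marks(pols, expected_marks).items():
        print(f"peer {peer}: outbound policy mark = {mark}")
    bad = missing_marks(pols, expected_marks)
    print("marks missing or wrong for:", bad if bad else "none")
```

If a peer shows up with mark None while ipsec.conf sets a mark for it, the value never made it into the kernel policy, which is the "parser does not pick it up" case Noel mentions; if the marks are present but traffic still takes the wrong tunnel, the problem lies with the iptables marking rather than with strongSwan.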

