[strongSwan] Connection marking and multiple tunnels

Noel Kuntze noel at familie-kuntze.de
Tue May 19 18:08:48 CEST 2015



Hello Justin,

The team discerned that the "mark" feature for XFRM policies was first introduced
in the Linux kernel release 2.6.34. So the kernel on your host is too old to use that feature.

Mit freundlichen Grüßen/Kind Regards,
Noel Kuntze

GPG Key ID: 0x63EC6658
Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658

Am 19.05.2015 um 17:54 schrieb Justin Michael Schwartzbeck:
> Strongswan version:
> Linux strongSwan U5.3.0/K2.6.32-279.el6.x86_64
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil, Switzerland
> See 'ipsec --copyright' for copyright information.
>
> Kernel:
> 2.6.32-279.el6.x86_64
>
> ipsec statusall:
> Status of IKE charon daemon (strongSwan 5.3.0, Linux
> 2.6.32-279.el6.x86_64, x86_64):
>   uptime: 16 hours, since May 18 22:46:17 2015
>   malloc: sbrk 270336, mmap 0, used 233936, free 36400
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
> scheduled: 4
>   loaded plugins: charon aes eap-gtc eap-radius des rc2 sha1 sha2 md5
> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
> pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr
> kernel-netlink resolve socket-default stroke updown eap-identity
> eap-tls xauth-generic
> Listening IP addresses:
>   10.10.1.191
>   192.168.1.9
> Connections:
> router1:  192.168.1.9...192.168.1.2  IKEv2
> router1:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
> router1:   remote: [192.168.1.2] uses public key authentication
> router1:    cert:  "CN=cn, O=o"
> router1:   child:  dynamic === 80.254.145.88/32 TUNNEL
> router3:  192.168.1.9...192.168.1.4  IKEv2
> router3:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
> router3:   remote: [192.168.1.4] uses public key authentication
> router3:    cert:  "CN=cn, O=o"
> router3:   child:  dynamic === 80.254.145.88/32 TUNNEL
> router2:  192.168.1.9...192.168.1.3  IKEv2
> router2:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
> router2:   remote: [192.168.1.3] uses public key authentication
> router2:    cert:  "CN=cn, O=o"
> router2:   child:  dynamic === 80.254.145.88/32 TUNNEL
> Security Associations (2 up, 0 connecting):
> router2[13]: ESTABLISHED 2 hours ago,
> 192.168.1.9[192.168.1.9]...192.168.1.3[192.168.1.3]
> router2[13]: IKEv2 SPIs: 12c2f546b0e9ba43_i* 47ceac579461a781_r, EAP
> reauthentication in 7 minutes
> router2[13]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> router2{49}:  INSTALLED, TUNNEL, reqid 13, ESP SPIs: cff86d4e_i 56feaee4_o
> router2{49}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
> in 18 minutes
> router2{49}:   192.168.1.9/32 === 80.254.145.88/32
> router1[12]: ESTABLISHED 2 hours ago,
> 192.168.1.9[192.168.1.9]...192.168.1.2[192.168.1.2]
> router1[12]: IKEv2 SPIs: 57b4b5ec79269b0a_i* 38863975d51e3008_r, EAP
> reauthentication in 4 minutes
> router1[12]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
> router1{48}:  INSTALLED, TUNNEL, reqid 12, ESP SPIs: c22dd9fe_i 1f26b790_o
> router1{48}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
> in 16 minutes
> router1{48}:   192.168.1.9/32 === 80.254.145.88/32
>
> Output of ip -s xfrm policy:
> src 80.254.145.88/32 dst 192.168.1.9/32 uid 0
>     dir fwd action allow index 2402 priority 2819 ptype main share any
> flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-19 15:26:25 use -
>     tmpl src 192.168.1.3 dst 192.168.1.9
>         proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 80.254.145.88/32 dst 192.168.1.9/32 uid 0
>     dir in action allow index 2392 priority 2819 ptype main share any
> flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-19 15:26:25 use -
>     tmpl src 192.168.1.3 dst 192.168.1.9
>         proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 192.168.1.9/32 dst 80.254.145.88/32 uid 0
>     dir out action allow index 2385 priority 2819 ptype main share any
> flag  (0x00000000)
>     lifetime config:
>       limit: soft (INF)(bytes), hard (INF)(bytes)
>       limit: soft (INF)(packets), hard (INF)(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-19 15:26:25 use -
>     tmpl src 192.168.1.9 dst 192.168.1.3
>         proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>         level required share any
>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     dir 3 action allow index 2067 priority 0 ptype main share any flag
>  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     dir 4 action allow index 2060 priority 0 ptype main share any flag
>  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     dir 3 action allow index 2051 priority 0 ptype main share any flag
>  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>     dir 4 action allow index 2044 priority 0 ptype main share any flag
>  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
> src ::/0 dst ::/0 uid 0
>     dir 3 action allow index 2035 priority 0 ptype main share any flag
>  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-18 22:46:17 use -
> src ::/0 dst ::/0 uid 0
>     dir 4 action allow index 2028 priority 0 ptype main share any flag
>  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-18 22:46:17 use -
> src ::/0 dst ::/0 uid 0
>     dir 3 action allow index 2019 priority 0 ptype main share any flag
>  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-18 22:46:17 use -
> src ::/0 dst ::/0 uid 0
>     dir 4 action allow index 2012 priority 0 ptype main share any flag
>  (0x00000000)
>     lifetime config:
>       limit: soft 0(bytes), hard 0(bytes)
>       limit: soft 0(packets), hard 0(packets)
>       expire add: soft 0(sec), hard 0(sec)
>       expire use: soft 0(sec), hard 0(sec)
>     lifetime current:
>       0(bytes), 0(packets)
>       add 2015-05-18 22:46:17 use -
>
> Output at startup:
> May 19 15:46:16 client-138-01 charon: 00[DMN] Starting IKE charon
> daemon (strongSwan 5.3.0, Linux 2.6.32-279.el6.x86_64, x86_64)
> May 19 15:46:16 client-138-01 charon: 00[CFG] no RADIUS secret defined
> May 19 15:46:16 client-138-01 charon: 00[CFG] loading ca certificates
> from '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded ca certificate
> "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from
> '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 00[CFG]   ca certificate "CN=cn,
> O=o" lacks ca basic constraint, discarded
> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded ca certificate
> "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from
> '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 00[CFG]   ca certificate
> "CN=172.16.1.2, O=o" lacks ca basic constraint, discarded
> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded ca certificate
> "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from
> '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded ca certificate
> "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from
> '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 00[CFG] loading aa certificates
> from '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 00[CFG] loading ocsp signer
> certificates from '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 00[CFG] loading attribute
> certificates from '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 00[CFG] loading crls from '<path to crl>'
> May 19 15:46:16 client-138-01 charon: 00[CFG] loading secrets from
> '/etc/ipsec.secrets'
> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded EAP secret for
> 9PZ0FWZ53LB::ISR::15.5(20150320:193940)::20
> May 19 15:46:16 client-138-01 charon: 00[LIB] loaded plugins: charon
> aes eap-gtc eap-radius des rc2 sha1 sha2 md5 random nonce x509
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
> sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
> socket-default stroke updown eap-identity eap-tls xauth-generic
> May 19 15:46:16 client-138-01 charon: 00[JOB] spawning 16 worker threads
> May 19 15:46:16 client-138-01 charon: 05[CFG] received stroke: add
> connection 'router1'
> May 19 15:46:16 client-138-01 charon: 05[CFG]   loaded certificate
> "CN=cn, O=o" from '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 05[CFG] added configuration 'router1'
> May 19 15:46:16 client-138-01 charon: 07[CFG] received stroke: add
> connection 'router3'
> May 19 15:46:16 client-138-01 charon: 07[CFG]   loaded certificate
> "CN=cn, O=o" from '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 07[CFG] added configuration 'router3'
> May 19 15:46:16 client-138-01 charon: 09[CFG] received stroke: add
> connection 'router2'
> May 19 15:46:16 client-138-01 charon: 09[CFG]   loaded certificate
> "CN=cn, O=o" from '<path to cert>'
> May 19 15:46:16 client-138-01 charon: 09[CFG] added configuration 'router2'
>
>
>
> On Tue, May 19, 2015 at 10:08 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
> Hello Justin,
>
> I have the following questions:
>
> What strongSwan version do you use?
> What kernel version do you use?
> What is the output of "ipsec statusall", when both tunnels are up?
> What is the output of "ip -s xfrm policy"?
> Do you have a log of the start of strongswan, so we can see if the parser picks it up?
>
> Also, please only set mark_out.
> Otherwise, you also have to apply the mark in *mangle INPUT (or PREROUTING),
> so the kernel decapsulates the packets.
>
> It seems as if the kernel either does know mark values as part of XFRM policies
> or the parser does not pick it up.
>
> Mit freundlichen Grüßen/Kind Regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>
> Am 19.05.2015 um 16:34 schrieb Justin Michael Schwartzbeck:
> >>> Hello,
> >>>
> >>> I was following another thread where it was explained how to use the
> >>> iptables MARK target in order to select which tunnel to send traffic
> >>> through when I have multiple tunnels up on a peer. It was said that if
> >>> you set the "mark" value in ipsec.conf for each tunnel, then you can
> >>> mark your traffic using iptables and it will go through the tunnel
> >>> that has the same mark. I will describe here my situation and then
> >>> show you my configuration.
> >>>
> >>> I have three machines, two routers and one client. On the client I am
> >>> using strongswan as the vpn client. When I start strongswan I am able
> >>> to connect to both router1 and router2 over vpn using strongswan. On
> >>> my client I have router1 configured with "mark=12" and router2
> >>> configured with "mark=13." I use iptables to mark all outgoing tcp
> >>> traffic with either 12 or 13. However, when I send traffic, say HTTP
> >>> traffic, then all of the traffic is just routed through the last
> >>> tunnel that I brought up (i.e. if I bring up router1 and then router2,
> >>> then it is routed through router2, and vice versa). It is like the
> >>> connection marking is not even being recognized.
> >>>
> >>> Here is my configuration:
> >>>
> >>> conn router1
> >>>       keyexchange=ikev2
> >>>       ike=3des-md5-modp1024
> >>>       esp=aes256-sha
> >>>       left=192.168.1.9
> >>>       leftid=%any
> >>>       leftauth=eap-gtc
> >>>       rightcert=<path to cert>
> >>>       right=192.168.1.2
> >>>       rightsubnet=80.254.145.88/32
> >>>       eap_identity=<eap identity 1>
> >>>       mark=12
> >>>       auto=add
> >>>       type=tunnel
> >>>
> >>> conn router2
> >>>       keyexchange=ikev2
> >>>       ike=3des-md5-modp1024
> >>>       esp=aes256-sha
> >>>       left=192.168.1.9
> >>>       leftid=%any
> >>>       leftauth=eap-gtc
> >>>       rightcert=<path to cert>
> >>>       right=192.168.1.3
> >>>       rightsubnet=80.254.145.88/32
> >>>       eap_identity=<eap identity 2>
> >>>       mark=13
> >>>       auto=add
> >>>       type=tunnel
> >>>
> >>> Here are the iptables commands I am using. For router 1:
> >>> iptables -t mangle -A OUTPUT -j MARK --set-mark 12
> >>>
> >>> And for router 2:
> >>> iptables -t mangle -A OUTPUT -j MARK --set-mark 13
> >>>
> >>> Any help would be appreciated.
> >>> Thanks,
> >>> Justin
> >>> _______________________________________________
> >>> Users mailing list
> >>> Users at lists.strongswan.org
> >>> https://lists.strongswan.org/mailman/listinfo/users
>

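A pre-flight check for the setup discussed in this thread, added here as an example and not code from the thread or from strongSwan: it tests the kernel version against the 2.6.34 threshold Noel names, lists outbound XFRM policies that carry no mark (the symptom of a kernel or parser that dropped it), and emits mangle OUTPUT rules that give each mark its own selector. It assumes the `mark 0x../0x..` line that mark-capable kernels print in `ip xfrm policy`; the policy dump inside is constructed.

```shell
# Added example, not code from the thread. Assumes the 2.6.34 threshold
# stated above and the "mark 0x../0x.." line that mark-capable kernels
# print in "ip xfrm policy"; the policy dump below is constructed.

# Can this kernel carry a mark in XFRM policies? (needs >= 2.6.34)
xfrm_mark_supported() {
    maj=$(printf '%s' "$1" | cut -d. -f1)
    min=$(printf '%s' "$1" | cut -d. -f2)
    pat=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ "$maj" -gt 2 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -gt 6 ] && return 0
    [ "$maj" -eq 2 ] && [ "$min" -eq 6 ] && [ "${pat:-0}" -ge 34 ] && return 0
    return 1
}
# With mark_out set, every outbound IPsec policy (dir out, has a tmpl)
# should show a mark line; print the src/dst header of those that do not.
# Inbound policies stay unmarked when only mark_out is used.
unmarked_out_policies() {
    awk '
      function flush() { if (hdr != "" && out && tmpl && !mark) print hdr
                         hdr = ""; out = 0; tmpl = 0; mark = 0 }
      $1 == "src"                { flush(); hdr = $0; next }
      $1 == "dir" && $2 == "out" { out = 1 }
      $1 == "tmpl"               { tmpl = 1 }
      $1 == "mark"               { mark = 1 }
      END                        { flush() }
    '
}
# Constructed dump: a marked out policy, an unmarked out policy (the
# failure case this thread is about) and an inbound policy.
count_unmarked_in_sample() {
    unmarked_out_policies <<'EOF' | wc -l | tr -d ' '
src 192.168.1.9/32 dst 80.254.145.88/32 uid 0
	dir out action allow index 2385 priority 2819
	mark 0xc/0xffffffff
	tmpl src 192.168.1.9 dst 192.168.1.2 proto esp reqid 12 mode tunnel
src 192.168.1.9/32 dst 80.254.145.88/32 uid 0
	dir out action allow index 2401 priority 2819
	tmpl src 192.168.1.9 dst 192.168.1.3 proto esp reqid 13 mode tunnel
src 80.254.145.88/32 dst 192.168.1.9/32 uid 0
	dir in action allow index 2392 priority 2819
	tmpl src 192.168.1.3 dst 192.168.1.9 proto esp reqid 13 mode tunnel
EOF
}

# MARK is non-terminating, so two unconditional mangle OUTPUT rules leave
# every packet with the second mark; give each rule its own selector.
mark_rule() {  # mark_rule <mark> <dst-cidr> <tcp-dport>
    printf 'iptables -t mangle -A OUTPUT -d %s -p tcp --dport %s -j MARK --set-mark %s\n' "$2" "$3" "$1"
}
```

On a live host, feed `uname -r` to the first function and the real `ip -s xfrm policy` output to the second instead of the constructed sample.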