[strongSwan] Connection marking and multiple tunnels

Justin Michael Schwartzbeck justinmschw at gmail.com
Thu May 21 19:11:24 CEST 2015


Sorry, I didn't realize that I was replying only to you and not the
list. I upgraded my kernel to 3.10 and now it is working
correctly. Thank you for your help.

On Tue, May 19, 2015 at 3:10 PM, Justin Michael Schwartzbeck
<justinmschw at gmail.com> wrote:
> Hi Noel, I upgraded my kernel to 3.10 and now it is working
> correctly. Thank you for your help.
>
> On Tue, May 19, 2015 at 11:08 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>
>> Hello Justin,
>>
>> The team discerned that the "mark" feature for XFRM policies was first introduced
>> in the Linux kernel release 2.6.34. So the kernel on your host is too old to use that feature.
>>
>> Mit freundlichen Grüßen/Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> Am 19.05.2015 um 17:54 schrieb Justin Michael Schwartzbeck:
>>> Strongswan version:
>>> Linux strongSwan U5.3.0/K2.6.32-279.el6.x86_64
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil, Switzerland
>>> See 'ipsec --copyright' for copyright information.
>>>
>>> Kernel:
>>> 2.6.32-279.el6.x86_64
>>>
>>> ipsec statusall:
>>> Status of IKE charon daemon (strongSwan 5.3.0, Linux
>>> 2.6.32-279.el6.x86_64, x86_64):
>>>   uptime: 16 hours, since May 18 22:46:17 2015
>>>   malloc: sbrk 270336, mmap 0, used 233936, free 36400
>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0,
>>> scheduled: 4
>>>   loaded plugins: charon aes eap-gtc eap-radius des rc2 sha1 sha2 md5
>>> random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
>>> pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr
>>> kernel-netlink resolve socket-default stroke updown eap-identity
>>> eap-tls xauth-generic
>>> Listening IP addresses:
>>>   10.10.1.191
>>>   192.168.1.9
>>> Connections:
>>> router1:  192.168.1.9...192.168.1.2  IKEv2
>>> router1:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
>>> router1:   remote: [192.168.1.2] uses public key authentication
>>> router1:    cert:  "CN=cn, O=o"
>>> router1:   child:  dynamic === 80.254.145.88/32 TUNNEL
>>> router3:  192.168.1.9...192.168.1.4  IKEv2
>>> router3:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
>>> router3:   remote: [192.168.1.4] uses public key authentication
>>> router3:    cert:  "CN=cn, O=o"
>>> router3:   child:  dynamic === 80.254.145.88/32 TUNNEL
>>> router2:  192.168.1.9...192.168.1.3  IKEv2
>>> router2:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
>>> router2:   remote: [192.168.1.3] uses public key authentication
>>> router2:    cert:  "CN=cn, O=o"
>>> router2:   child:  dynamic === 80.254.145.88/32 TUNNEL
>>> Security Associations (2 up, 0 connecting):
>>> router2[13]: ESTABLISHED 2 hours ago,
>>> 192.168.1.9[192.168.1.9]...192.168.1.3[192.168.1.3]
>>> router2[13]: IKEv2 SPIs: 12c2f546b0e9ba43_i* 47ceac579461a781_r, EAP
>>> reauthentication in 7 minutes
>>> router2[13]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>>> router2{49}:  INSTALLED, TUNNEL, reqid 13, ESP SPIs: cff86d4e_i 56feaee4_o
>>> router2{49}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
>>> in 18 minutes
>>> router2{49}:   192.168.1.9/32 === 80.254.145.88/32
>>> router1[12]: ESTABLISHED 2 hours ago,
>>> 192.168.1.9[192.168.1.9]...192.168.1.2[192.168.1.2]
>>> router1[12]: IKEv2 SPIs: 57b4b5ec79269b0a_i* 38863975d51e3008_r, EAP
>>> reauthentication in 4 minutes
>>> router1[12]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>>> router1{48}:  INSTALLED, TUNNEL, reqid 12, ESP SPIs: c22dd9fe_i 1f26b790_o
>>> router1{48}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying
>>> in 16 minutes
>>> router1{48}:   192.168.1.9/32 === 80.254.145.88/32
>>>
>>> Output of ip -s xfrm policy:
>>> src 80.254.145.88/32 dst 192.168.1.9/32 uid 0
>>>     dir fwd action allow index 2402 priority 2819 ptype main share any
>>> flag  (0x00000000)
>>>     lifetime config:
>>>       limit: soft (INF)(bytes), hard (INF)(bytes)
>>>       limit: soft (INF)(packets), hard (INF)(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-19 15:26:25 use -
>>>     tmpl src 192.168.1.3 dst 192.168.1.9
>>>         proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>>>         level required share any
>>>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>> src 80.254.145.88/32 dst 192.168.1.9/32 uid 0
>>>     dir in action allow index 2392 priority 2819 ptype main share any
>>> flag  (0x00000000)
>>>     lifetime config:
>>>       limit: soft (INF)(bytes), hard (INF)(bytes)
>>>       limit: soft (INF)(packets), hard (INF)(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-19 15:26:25 use -
>>>     tmpl src 192.168.1.3 dst 192.168.1.9
>>>         proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>>>         level required share any
>>>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>> src 192.168.1.9/32 dst 80.254.145.88/32 uid 0
>>>     dir out action allow index 2385 priority 2819 ptype main share any
>>> flag  (0x00000000)
>>>     lifetime config:
>>>       limit: soft (INF)(bytes), hard (INF)(bytes)
>>>       limit: soft (INF)(packets), hard (INF)(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-19 15:26:25 use -
>>>     tmpl src 192.168.1.9 dst 192.168.1.3
>>>         proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>>>         level required share any
>>>         enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>>     dir 3 action allow index 2067 priority 0 ptype main share any flag
>>>  (0x00000000)
>>>     lifetime config:
>>>       limit: soft 0(bytes), hard 0(bytes)
>>>       limit: soft 0(packets), hard 0(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
>>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>>     dir 4 action allow index 2060 priority 0 ptype main share any flag
>>>  (0x00000000)
>>>     lifetime config:
>>>       limit: soft 0(bytes), hard 0(bytes)
>>>       limit: soft 0(packets), hard 0(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
>>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>>     dir 3 action allow index 2051 priority 0 ptype main share any flag
>>>  (0x00000000)
>>>     lifetime config:
>>>       limit: soft 0(bytes), hard 0(bytes)
>>>       limit: soft 0(packets), hard 0(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
>>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>>     dir 4 action allow index 2044 priority 0 ptype main share any flag
>>>  (0x00000000)
>>>     lifetime config:
>>>       limit: soft 0(bytes), hard 0(bytes)
>>>       limit: soft 0(packets), hard 0(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
>>> src ::/0 dst ::/0 uid 0
>>>     dir 3 action allow index 2035 priority 0 ptype main share any flag
>>>  (0x00000000)
>>>     lifetime config:
>>>       limit: soft 0(bytes), hard 0(bytes)
>>>       limit: soft 0(packets), hard 0(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-18 22:46:17 use -
>>> src ::/0 dst ::/0 uid 0
>>>     dir 4 action allow index 2028 priority 0 ptype main share any flag
>>>  (0x00000000)
>>>     lifetime config:
>>>       limit: soft 0(bytes), hard 0(bytes)
>>>       limit: soft 0(packets), hard 0(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-18 22:46:17 use -
>>> src ::/0 dst ::/0 uid 0
>>>     dir 3 action allow index 2019 priority 0 ptype main share any flag
>>>  (0x00000000)
>>>     lifetime config:
>>>       limit: soft 0(bytes), hard 0(bytes)
>>>       limit: soft 0(packets), hard 0(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-18 22:46:17 use -
>>> src ::/0 dst ::/0 uid 0
>>>     dir 4 action allow index 2012 priority 0 ptype main share any flag
>>>  (0x00000000)
>>>     lifetime config:
>>>       limit: soft 0(bytes), hard 0(bytes)
>>>       limit: soft 0(packets), hard 0(packets)
>>>       expire add: soft 0(sec), hard 0(sec)
>>>       expire use: soft 0(sec), hard 0(sec)
>>>     lifetime current:
>>>       0(bytes), 0(packets)
>>>       add 2015-05-18 22:46:17 use -
>>>
>>> Output at startup:
>>> May 19 15:46:16 client-138-01 charon: 00[DMN] Starting IKE charon
>>> daemon (strongSwan 5.3.0, Linux 2.6.32-279.el6.x86_64, x86_64)
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] no RADIUS secret defined
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading ca certificates
>>> from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded ca certificate
>>> "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from
>>> '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG]   ca certificate "CN=cn,
>>> O=o" lacks ca basic constraint, discarded
>>> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded ca certificate
>>> "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from
>>> '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG]   ca certificate
>>> "CN=172.16.1.2, O=o" lacks ca basic constraint, discarded
>>> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded ca certificate
>>> "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from
>>> '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded ca certificate
>>> "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from
>>> '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading aa certificates
>>> from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading ocsp signer
>>> certificates from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading attribute
>>> certificates from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading crls from '<path to crl>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading secrets from
>>> '/etc/ipsec.secrets'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG]   loaded EAP secret for
>>> 9PZ0FWZ53LB::ISR::15.5(20150320:193940)::20
>>> May 19 15:46:16 client-138-01 charon: 00[LIB] loaded plugins: charon
>>> aes eap-gtc eap-radius des rc2 sha1 sha2 md5 random nonce x509
>>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
>>> sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve
>>> socket-default stroke updown eap-identity eap-tls xauth-generic
>>> May 19 15:46:16 client-138-01 charon: 00[JOB] spawning 16 worker threads
>>> May 19 15:46:16 client-138-01 charon: 05[CFG] received stroke: add
>>> connection 'router1'
>>> May 19 15:46:16 client-138-01 charon: 05[CFG]   loaded certificate
>>> "CN=cn, O=o" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 05[CFG] added configuration 'router1'
>>> May 19 15:46:16 client-138-01 charon: 07[CFG] received stroke: add
>>> connection 'router3'
>>> May 19 15:46:16 client-138-01 charon: 07[CFG]   loaded certificate
>>> "CN=cn, O=o" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 07[CFG] added configuration 'router3'
>>> May 19 15:46:16 client-138-01 charon: 09[CFG] received stroke: add
>>> connection 'router2'
>>> May 19 15:46:16 client-138-01 charon: 09[CFG]   loaded certificate
>>> "CN=cn, O=o" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 09[CFG] added configuration 'router2'
>>>
>>>
>>>
>>> On Tue, May 19, 2015 at 10:08 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>>>>
>>> Hello Justin,
>>>
>>> I have the following questions:
>>>
>>> What strongSwan version do you use?
>>> What kernel version do you use?
>>> What is the output of "ipsec statusall", when both tunnels are up?
>>> What is the output of "ip -s xfrm policy"?
>>> Do you have a log of the start of strongswan, so we can see if the parser picks it up?
>>>
>>> Also, please only set mark_out.
>>> Otherwise, you also have to apply the mark in *mangle INPUT (or PREROUTING),
>>> so the kernel decapsulates the packets.
>>>
>>> It seems as the kernel either does know mark values as part of XFRM policies
>>> or the parser does not pick it up.
>>>
>>> Mit freundlichen Grüßen/Kind Regards,
>>> Noel Kuntze
>>>
>>> GPG Key ID: 0x63EC6658
>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>
>>> Am 19.05.2015 um 16:34 schrieb Justin Michael Schwartzbeck:
>>> >>> Hello,
>>> >>>
>>> >>> I was following another thread where it was explained how to use the
>>> >>> iptables MARK target in order to select which tunnel to send traffic
>>> >>> through when I have multiple tunnels up on a peer. It was said that if
>>> >>> you set the "mark" value in ipsec.conf for each tunnel, then you can
>>> >>> mark your traffic using iptables and it will go through the tunnel
>>> >>> that has the same mark. I will describe here my situation and then
>>> >>> show you my configuration.
>>> >>>
>>> >>> I have three machines, two routers and one client. On the client I am
>>> >>> using strongswan as the vpn client. When I start strongswan I am able
>>> >>> to connect to both router1 and router2 over vpn using strongswan. On
>>> >>> my client I have router1 configured with "mark=12" and router2
>>> >>> configured with "mark=13." I use iptables to mark all outgoing tcp
>>> >>> traffic with either 12 or 13. However, when I send traffic, say HTTP
>>> >>> traffic, then all of the traffic is just routed through the last
>>> >>> tunnel that I brought up (i.e. if I bring up router1 and then router2,
>>> >>> then it is routed through router2, and vice versa). It is like the
>>> >>> connection marking is not even being recognized.
>>> >>>
>>> >>> Here is my configuration:
>>> >>>
>>> >>> conn router1
>>> >>>       keyexchange=ikev2
>>> >>>       ike=3des-md5-modp1024
>>> >>>       esp=aes256-sha
>>> >>>       left=192.168.1.9
>>> >>>       leftid=%any
>>> >>>       leftauth=eap-gtc
>>> >>>       rightcert=<path to cert>
>>> >>>       right=192.168.1.2
>>> >>>       rightsubnet=80.254.145.88/32
>>> >>>       eap_identity=<eap identity 1>
>>> >>>       mark=12
>>> >>>       auto=add
>>> >>>       type=tunnel
>>> >>>
>>> >>> conn router2
>>> >>>       keyexchange=ikev2
>>> >>>       ike=3des-md5-modp1024
>>> >>>       esp=aes256-sha
>>> >>>       left=192.168.1.9
>>> >>>       leftid=%any
>>> >>>       leftauth=eap-gtc
>>> >>>       rightcert=<path to cert>
>>> >>>       right=192.168.1.3
>>> >>>       rightsubnet=80.254.145.88/32
>>> >>>       eap_identity=<eap identity 2>
>>> >>>       mark=13
>>> >>>       auto=add
>>> >>>       type=tunnel
>>> >>>
>>> >>> Here are the iptables commands I am using. For router 1:
>>> >>> iptables -t mangle -A OUTPUT -j MARK --set-mark 12
>>> >>>
>>> >>> And for router 2:
>>> >>> iptables -t mangle -A OUTPUT -j MARK --set-mark 13
>>> >>>
>>> >>> Any help would be appreciated.
>>> >>> Thanks,
>>> >>> Justin
>>>
>>>>
>>
>>
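
The diagnosis in this thread can be checked mechanically. The following is an added example, not code from the thread or from strongSwan: it tests a kernel release against the 2.6.34 threshold named in the reply and reports which configured marks are absent from the outbound XFRM policies. The function names are hypothetical, and the `mark 0xc/0xffffffff` line format in the second sample is an assumption about how a mark-capable kernel lists the policy.

```python
import re

MARK_MIN_KERNEL = (2, 6, 34)  # first release with XFRM policy marks, per the reply above
EXPECTED = {"router1": 12, "router2": 13}  # mark= values from the ipsec.conf in the thread

# Abridged from the `ip -s xfrm policy` output quoted in the thread (2.6.32 kernel).
OBSERVED = """\
src 192.168.1.9/32 dst 80.254.145.88/32 uid 0
    dir out action allow index 2385 priority 2819 ptype main share any flag  (0x00000000)
    tmpl src 192.168.1.9 dst 192.168.1.3
        proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
"""
# Constructed sample: what a mark-capable kernel is assumed to list for both tunnels.
WITH_MARKS = """\
src 192.168.1.9/32 dst 80.254.145.88/32
    dir out priority 2819 ptype main
    mark 0xc/0xffffffff
    tmpl src 192.168.1.9 dst 192.168.1.2
src 192.168.1.9/32 dst 80.254.145.88/32
    dir out priority 2819 ptype main
    mark 0xd/0xffffffff
    tmpl src 192.168.1.9 dst 192.168.1.3
"""

def kernel_supports_mark(release):
    """True if a `uname -r` style string is at least 2.6.34."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(n or 0) for n in m.groups()) >= MARK_MIN_KERNEL

def parse_policies(text):
    """Parse `ip xfrm policy` output into dicts with src, dst, dir, mark, peer."""
    policies = []
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) >= 4 and tok[0] == "src":
            policies.append({"src": tok[1], "dst": tok[3], "dir": None, "mark": None, "peer": None})
        elif policies and len(tok) >= 2 and tok[0] == "dir":
            policies[-1]["dir"] = tok[1]
        elif policies and len(tok) >= 2 and tok[0] == "mark":
            policies[-1]["mark"] = int(tok[1].split("/")[0], 0)  # value before the mask
        elif policies and len(tok) >= 5 and tok[0] == "tmpl":
            policies[-1]["peer"] = tok[4]  # tunnel endpoint: tmpl src X dst Y
    return policies

def missing_marks(policies, expected):
    """Connection names whose configured mark is on no outbound policy."""
    installed = {p["mark"] for p in policies if p["dir"] == "out"}
    return sorted(name for name, mark in expected.items() if mark not in installed)

if __name__ == "__main__":
    for label, dump in (("observed", OBSERVED), ("with marks", WITH_MARKS)):
        print(label, "missing marks for:", missing_marks(parse_policies(dump), EXPECTED))
    print("2.6.32-279.el6.x86_64 supports marks:", kernel_supports_mark("2.6.32-279.el6.x86_64"))
```

On the observed output both connections are reported, which matches the symptom described: a single unmarked outbound policy for 80.254.145.88/32, pointing at whichever tunnel was installed last.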

