[strongSwan] XFRM Policy Lookups

Brian O'Connor vk4gtw at bigpond.com
Sun Dec 25 01:22:19 CET 2016

Further to my previous message [1] and Noel's posting at [2], the only way I could make
packet marking effective for traffic forwarded back through the VPN gateway to the VPN initiator
was to put the iptables marking rule into the PREROUTING chain of the mangle table.

Marking in the POSTROUTING chain of the mangle table did not achieve the desired result.

Also, traffic to the VPN gateway from the initiator was correctly marked in the responder by means
of the OUTPUT chain in the mangle table and sent back to the initiator.  Marking was correctly
applied for return traffic (from what I can tell) when the marking rule was in the POSTROUTING table,
but this traffic was apparently not encrypted and returned to the initiator, based on what I
have been able to determine using iptables and ip command counters. Obviously, marking in the
mangle table PREROUTING chain needs to allow for any reverse NAT that may subsequently be invoked in
the following nat table PREROUTING chain.

When I did away with marking packets in the VPN responder altogether, everything behaved
as expected for both traffic to the VPN gateway and out of the gateway.

Strongswan is running on an Ubuntu EC2 instance in an AWS VPC, but I am not certain
this would have anything to do with what I am seeing.  Amazon can perform traffic
source and destination checks, but I think this would be in a virtual router external to and
rather than using a modified kernel image in the EC2 instance, but don't know.

What am I missing, please? 

[1] https://lists.strongswan.org/pipermail/users/2016-December/010312.html
[2] https://lists.strongswan.org/pipermail/users/2014-November/006942.html
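An added audit script, not part of this post or of strongSwan: it reads `iptables-save -t mangle` and `ip xfrm policy` output (constructed samples inline) and flags MARK rules placed in chains the post found ineffective for forwarded tunnel traffic, plus marks that no XFRM policy references. The function names, sample addresses and mark values are this example's own assumptions.

```shell
#!/bin/sh
# Added audit example (not from the post). Samples below are constructed.
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.2.0.0/16 -j MARK --set-xmark 0x2/0xffffffff
-A OUTPUT -d 10.1.0.0/16 -j MARK --set-xmark 0x1/0xffffffff
-A POSTROUTING -d 10.1.0.0/16 -j MARK --set-xmark 0x1/0xffffffff
COMMIT'

SAMPLE_XFRM='src 0.0.0.0/0 dst 10.1.0.0/16
    dir out priority 1000 ptype main
    mark 0x1/0xffffffff
    tmpl src 198.51.100.1 dst 203.0.113.1
        proto esp reqid 1 mode tunnel'

# mark_chains RULESET -> one "CHAIN MARK" line per MARK target rule
mark_chains() {
  printf '%s\n' "$1" | awk '
    $1 == "-A" && /-j MARK/ {
      mark = "?"
      for (i = 1; i <= NF; i++)
        if ($i == "--set-xmark" || $i == "--set-mark") mark = $(i + 1)
      print $2, mark
    }'
}

# late_marks RULESET -> chains whose MARK rules run only after the routing
# decision for forwarded traffic (the placement the post found ineffective)
late_marks() {
  mark_chains "$1" | awk '$1 == "FORWARD" || $1 == "POSTROUTING" { print $1 }' | sort -u
}

# policy_marks XFRM_POLICY -> distinct mark values carried by XFRM policies
policy_marks() {
  printf '%s\n' "$1" | awk '$1 == "mark" { sub(/\/.*/, "", $2); print $2 }' | sort -u
}

# unmatched_marks RULESET XFRM_POLICY -> marks set by iptables that no policy uses
unmatched_marks() {
  pol=$(policy_marks "$2")
  for m in $(mark_chains "$1" | awk '{ sub(/\/.*/, "", $2); print $2 }' | sort -u); do
    printf '%s\n' "$pol" | grep -qx "$m" || echo "$m"
  done
}

# On a live gateway:
#   late_marks "$(iptables-save -t mangle)"
#   unmatched_marks "$(iptables-save -t mangle)" "$(ip xfrm policy)"
```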
