[strongSwan] Confusion about how to set connmark on port forward
Tim Kent
tim at kent.id.au
Thu Oct 27 08:35:51 CEST 2016
Hi everyone,
I am testing this scenario:
client                     server running strongSwan               nameserver
(59.1.2.3)-------(eth0: 128.4.5.6)
                 (br0: 192.168.4.1)-------(192.168.4.70)
I have a transport mode connection set up between client and server, which
is working fine.
I'm trying to offer DNS (and some other services) to the client as if
it/they were on the server by adding a port forward to the nameserver (you
can see the rules below). This also all works fine unless I try to use the
connmark module by adding the "mark=%unique" line to ipsec.conf.
Unfortunately I have many clients behind the same NAT IP, so connmark is
essential. I'm also unable to change to tunnel mode on the client side.
With connmark enabled, the DNS reply goes out in the clear I assume because
the connection isn't marked. Here are the packets seen from the server:
$ sudo tcpdump -i eth0 -n not port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:32:05.900835 IP 59.1.2.3.63606 > 128.4.5.6.4500: UDP-encap: ESP(spi=0xc842f7db,seq=0x1), length 100
01:32:05.902598 IP 128.4.5.6.53 > 59.1.2.3.63570: 5* 1/0/0 A 192.168.4.70 (55)

$ sudo tcpdump -i br0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 262144 bytes
01:31:29.852824 IP 59.1.2.3.63568 > 192.168.4.70.53: 3+ A? internal.host.name. (39)
01:31:29.854755 IP 192.168.4.70.53 > 59.1.2.3.63568: 3* 1/0/0 A 192.168.4.70 (55)
With connmark disabled you only see UDP encapsulated ESP traffic on eth0,
no reply in the clear.
Has anyone got any ideas of how this traffic could be correctly marked so
it goes out the right SA?
Here is some relevant info:
$ cat /etc/ipsec.conf
config setup
        uniqueids = no

conn %default
        leftfirewall=yes

conn test
        auto=add
        mark=%unique
        type=transport
        left=128.199.94.245
        leftcert=peerCert.der
        right=%any
        rightid="C=CH, O=strongSwan, CN=test"
$ sudo iptables -L -n -t mangle -v
Chain PREROUTING (policy ACCEPT 13 packets, 1064 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   256 MARK       udp  --  *      *       59.1.2.3             128.4.5.6            udp spt:63606 dpt:4500 MARK set 0x9

Chain INPUT (policy ACCEPT 9 packets, 780 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       59.1.2.3             128.4.5.6            policy match dir in pol ipsec spi 0xf1a6d7c2 CONNMARK set 0x9

Chain FORWARD (policy ACCEPT 4 packets, 284 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 352 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       128.4.5.6            59.1.2.3             mark match 0x0 CONNMARK restore

Chain POSTROUTING (policy ACCEPT 8 packets, 636 bytes)
 pkts bytes target     prot opt in     out     source               destination

$ sudo iptables -L -n -t nat -v
Chain PREROUTING (policy ACCEPT 466 packets, 54764 bytes)
 pkts bytes target     prot opt in     out     source               destination
   16  1172 DNAT       udp  --  eth0   *       0.0.0.0/0            128.4.5.6            udp dpt:53 policy match dir in pol ipsec to:192.168.4.70

Chain INPUT (policy ACCEPT 1 packets, 340 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 4 packets, 304 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 16 packets, 1172 bytes)
 pkts bytes target     prot opt in     out     source               destination
   76  5242 MASQUERADE all  --  *      eth0    0.0.0.0/0            0.0.0.0/0
Cheers
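The connmark rules quoted above only touch the INPUT and OUTPUT chains, which forwarded (DNAT'd) traffic never traverses. As an added example, not from the original post and not part of strongSwan, the script below emits the two extra mangle rules that carry the same mark across the forwarded DNS flow; it assumes the peer address, inbound SPI, mark value and interface name quoted in the post.

```shell
#!/bin/sh
# Added example, not from the original post: extend the connmark plugin's
# INPUT/OUTPUT marking to the DNAT'd (forwarded) DNS flow so the reply is
# looked up against the marked outbound policy and leaves inside the SA.
#
# Why two extra rules:
#  * Forwarded packets never traverse INPUT or OUTPUT, so the plugin's
#    "CONNMARK set" and "CONNMARK restore" rules never see them.
#  * For forwarded packets the kernel does the outbound xfrm policy lookup
#    in ip_forward(), before the FORWARD chain runs, so the mark must already
#    be on the reply when it leaves mangle PREROUTING.
#
# Assumed values are the ones quoted in the post.  The inbound SPI changes on
# every rekey, so a static script is only for testing; in production the
# set-mark rule belongs in an updown hook that knows the current SPI.

PEER=59.1.2.3         # NAT'd client (outer source address)
SPI_IN=0xf1a6d7c2     # inbound ESP SPI of the CHILD_SA (from the INPUT rule)
MARK=0x9              # mark strongSwan assigned for this SA (mark=%unique)
LAN_IF=br0            # interface towards the forwarded service 192.168.4.70

# Emit the extra rules, one iptables command per line (pipe to sh to apply).
# $1 = peer, $2 = inbound SPI, $3 = mark, $4 = LAN interface
connmark_forward_rules() {
  # Decrypted packets from this SA that are being forwarded: save the SA's
  # mark on the conntrack entry (the analogue of the plugin's INPUT rule).
  # DNAT has already rewritten the destination, so match only on the peer.
  echo "iptables -t mangle -A FORWARD -s $1 -m policy --dir in --pol ipsec --spi $2 -j CONNMARK --set-mark $3"
  # Replies from the LAN towards the peer: restore the connmark before the
  # routing/xfrm decision.  mangle PREROUTING runs after conntrack, so the
  # connmark saved above is already known for this flow.
  echo "iptables -t mangle -A PREROUTING -i $4 -d $1 -m mark --mark 0x0 -j CONNMARK --restore-mark"
}

# Number of rules emitted, so callers can sanity-check the output.
connmark_forward_rule_count() {
  connmark_forward_rules "$@" | wc -l | tr -d ' '
}

connmark_forward_rules "$PEER" "$SPI_IN" "$MARK" "$LAN_IF"
```

After applying the rules, the counters on the new FORWARD and PREROUTING entries should increase with each DNS query, and the reply should appear on eth0 only as UDP-encapsulated ESP.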