[strongSwan] Help with IPtables marking
Dusan Ilic
dusan at comhem.se
Sat Aug 19 03:01:35 CEST 2017
Hi!
I'm trying out some things and have two problems.
1. I'm having "mark=10" in the connection definition in ipsec.conf, and
left/right 0.0.0.0/0. With the IPtables rules below I can ping from the two
IPsec gateways, but I cannot ping from other clients behind the gateways
or from the gateways to clients behind the other gateway.
# inbound NAT-T (UDP 4500) from the peer gateway
iptables -t mangle -A PREROUTING -i vlan847 -p udp --sport 4500 -s x.x.x.x -d x.x.x.x -j MARK --set-mark 10
# locally generated traffic towards the remote subnet
iptables -t mangle -A OUTPUT -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
# forwarded traffic from the LAN (br0) towards the remote subnet
iptables -t mangle -A FORWARD -i br0 -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
# forwarded traffic from the remote subnet towards the LAN (br0)
iptables -t mangle -A FORWARD -o br0 -i vlan847 -d 10.1.1.0/26 -s 10.0.0.0/24 -j MARK --set-mark 10
# outbound traffic already matched by an ESP policy
iptables -t mangle -A POSTROUTING -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j MARK --set-mark 10
Reference:
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Marks-on-Linux
Maybe you see what I'm doing wrong?
2. I have a couple of tunnels active, one of which has
rightsubnet=0.0.0.0. So I'm sending all internet traffic from one
gateway to another, but when I'm doing this one other specific tunnel
stops responding. When I disable the 0.0.0.0 tunnel, it starts
responding. It's like that specific tunnel's rightsubnet is ignored and
traffic is going through the 0.0.0.0 tunnel, while other active tunnels work.
The only special thing about the tunnel that doesn't work is that it's a
VTI on the other endpoint, and on the local side the TS is 0.0.0.0/0 ==
10.0.0.0/24, while the other tunnels are 10.1.1.0/26 == [some other
subnet]. So when the 0.0.0.0 tunnel is enabled, pings to the 10.0.0.0/24
network time out, but they work to other subnets, and when I disable the
0.0.0.0 tunnel the pings start working again.
Any ideas?
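A small check script, added here as an example and not part of the message above or of strongSwan itself. It runs a mark-coverage check over a constructed `iptables-save -t mangle` style rule set that mirrors the first problem's rules; it assumes mark 10 (0xa) on the connection, the subnets 10.1.1.0/26 and 10.0.0.0/24 from the message, and the Linux behaviour that the XFRM output-policy lookup for forwarded packets happens before the FORWARD hook, so a mark set only in mangle FORWARD is not seen by the policy lookup.

```shell
#!/bin/sh
# Constructed sample of `iptables-save -t mangle` output (peer addresses are
# documentation-range placeholders), shaped like the rule set in the message:
# forwarded traffic is marked only in FORWARD, not in PREROUTING.
SAMPLE_RULES='
-A PREROUTING -s 198.51.100.2/32 -d 203.0.113.1/32 -i vlan847 -p udp -m udp --sport 4500 -j MARK --set-xmark 0xa/0xffffffff
-A OUTPUT -s 10.1.1.0/26 -d 10.0.0.0/24 -o vlan847 -j MARK --set-xmark 0xa/0xffffffff
-A FORWARD -s 10.1.1.0/26 -d 10.0.0.0/24 -i br0 -o vlan847 -j MARK --set-xmark 0xa/0xffffffff
'

# check_mark_coverage MARK_HEX LOCAL_NET REMOTE_NET RULES
# Prints one line per gap found and returns 1 if any gap exists, 0 otherwise.
check_mark_coverage() {
  mark="$1"; lnet="$2"; rnet="$3"; rules="$4"; rc=0
  sel="-s $lnet -d $rnet"
  has() { printf '%s\n' "$rules" | grep -q -- "$1"; }

  # Locally generated traffic: the mark must be set in OUTPUT.
  has "^-A OUTPUT .*$sel .*--set-xmark $mark/" \
    || { echo "missing: OUTPUT mark for $sel"; rc=1; }

  # Forwarded traffic: the XFRM policy lookup runs before the FORWARD hook,
  # so the mark has to be set in PREROUTING already (assumption stated above).
  has "^-A PREROUTING .*$sel .*--set-xmark $mark/" \
    || { echo "missing: PREROUTING mark for forwarded $sel (FORWARD is too late)"; rc=1; }

  # Inbound ESP or NAT-T (UDP 4500) from the peer: mark in PREROUTING so the
  # inbound SA carrying this mark matches the packet.
  has "^-A PREROUTING .*\(-p esp\|--sport 4500\).*--set-xmark $mark/" \
    || { echo "missing: PREROUTING mark for inbound ESP/UDP-4500"; rc=1; }

  return $rc
}

# Run against the constructed rules; on a real gateway feed it
# "$(iptables-save -t mangle)" instead.
check_mark_coverage 0xa 10.1.1.0/26 10.0.0.0/24 "$SAMPLE_RULES"
```

The constructed rule set reports the missing PREROUTING mark for the forwarded selector; adding a PREROUTING rule for the same -s/-d pair makes the check pass.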