[strongSwan] Help with IPtables marking
Dusan Ilic
dusan at comhem.se
Sat Aug 19 03:30:21 CEST 2017
Some updates, if I change the tunnel that is not working from 0.0.0.0 ==
10.0.0.0/24 to 10.1.1.0/26 == 10.0.0.0/24 all starts working, together
with the 0.0.0.0 tunnel and also the pings from the clients work. I feel
like I'm doing something wrong?
I would like leftsubnet to be 0.0.0.0, so that I can mark whatever local
network I want to route through that tunnel to 10.0.0.0/24, and also at
the 10.0.0.0/24 network there is a VTI setup with TS 0.0.0.0/0 ==
0.0.0.0/0, if I change leftsubnet on this side to 10.1.1.0/26 that won't
work from the other side.
So why does it interfere with one tunnel 0.0.0.0/0 == 0.0.0.0/0
[mark=10] and another tunnel 10.1.1.10/26 == 0.0.0.0/0 without any marks?
On 2017-08-19 at 03:01, Dusan Ilic wrote:
> Hi!
>
> I'm trying out some things and have two problems.
>
> 1. I'm having "mark=10" in the connection definition in ipsec.conf,
> and left/right 0.0.0.0/0. With below IPtables rules I can ping from
> the two IPsec gateways, but I cannot ping from other clients behind
> the gateways or from the gateways to clients behind the other gateway.
>
> iptables -t mangle -A PREROUTING -i vlan847 -p udp --sport 4500 -s x.x.x.x -d x.x.x.x -j MARK --set-mark 10
> iptables -t mangle -A OUTPUT -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
> iptables -t mangle -A FORWARD -i br0 -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
> iptables -t mangle -A FORWARD -o br0 -i vlan847 -d 10.1.1.0/26 -s 10.0.0.0/24 -j MARK --set-mark 10
> iptables -t mangle -A POSTROUTING -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j MARK --set-mark 10
>
> Reference:
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Marks-on-Linux
>
> Maybe you see what I'm doing wrong?
>
> 2. I have a couple of tunnels active, one of which has
> rightsubnet=0.0.0.0. So I'm sending all internet traffic from one
> gateway to another, but when I'm doing this one other specific tunnel
> stops responding. When I disable the 0.0.0.0 tunnel, it starts
> responding. It's like that specific tunnel's rightsubnet is ignored and
> going through the 0.0.0.0 tunnel, while other active tunnels work.
> The only special thing about the tunnel that doesn't work is that it's a
> VTI on the other endpoint, and on the local side the TS is 0.0.0.0/0
> == 10.0.0.0/24, while the other tunnels are 10.1.1.0/26 == [some other
> subnet]. So when the 0.0.0.0 tunnel is enabled, pings to the 10.0.0.0/24
> network time out, but they work to other subnets, and when I disable
> the 0.0.0.0 tunnel the pings start working again.
> Any ideas?
>
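The interaction between the 0.0.0.0/0 == 10.0.0.0/24 tunnel, the 10.1.1.0/26 == 0.0.0.0/0 tunnel and the marked catch-all tunnel described in the message above comes down to how the kernel picks one outbound XFRM policy when several selectors cover the same packet. The following is an added example, not code from the post or from strongSwan. It models two rules: strongSwan's kernel-netlink plugin derives a policy's priority by subtracting the source and destination prefix lengths from a fixed base (lower value wins, so a more specific selector pair beats a wider one; protocol and port restrictions also enter the real formula but are omitted here since the post's selectors have none), and a policy installed with a mark only matches packets carrying that mark while an unmarked policy matches any packet. The policy names, the base value and the sample packet 10.1.1.10 -> 10.0.0.1 are my assumptions; the selectors and mark are the ones from the post.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Arbitrary base (strongSwan uses its own constant); only relative order matters.
PRIO_BASE = 200_000


@dataclass(frozen=True)
class Policy:
    """One outbound XFRM policy as strongSwan installs it for a CHILD_SA."""
    name: str
    src: str        # local traffic selector, CIDR
    dst: str        # remote traffic selector, CIDR
    mark: int = 0   # 0 = installed without a mark, i.e. matches any packet mark

    @property
    def priority(self) -> int:
        # Lower number wins. Subtracting both prefix lengths means the
        # policy whose selectors cover the fewest addresses wins.
        s = ipaddress.ip_network(self.src)
        d = ipaddress.ip_network(self.dst)
        return PRIO_BASE - s.prefixlen - d.prefixlen

    def matches(self, src_ip: str, dst_ip: str, mark: int) -> bool:
        # A marked policy (full mask) only sees packets carrying that mark;
        # an unmarked policy (mask 0) sees every packet, marked or not.
        if self.mark and self.mark != mark:
            return False
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst))


def lookup(policies: List[Policy], src_ip: str, dst_ip: str,
           mark: int = 0) -> Optional[Policy]:
    """Outbound policy lookup: lowest priority value among matching policies."""
    hits = [p for p in policies if p.matches(src_ip, dst_ip, mark)]
    return min(hits, key=lambda p: p.priority) if hits else None


# Constructed policy set mirroring the post (names are assumptions):
CATCH_ALL_MARKED = Policy("catch-all 0.0.0.0/0==0.0.0.0/0 mark=10",
                          "0.0.0.0/0", "0.0.0.0/0", mark=10)
VTI_WIDE = Policy("vti 0.0.0.0/0==10.0.0.0/24", "0.0.0.0/0", "10.0.0.0/24")
VTI_NARROW = Policy("vti 10.1.1.0/26==10.0.0.0/24", "10.1.1.0/26", "10.0.0.0/24")
INTERNET = Policy("internet 10.1.1.0/26==0.0.0.0/0", "10.1.1.0/26", "0.0.0.0/0")


def winner(policies: List[Policy], mark: int = 0) -> str:
    """Which policy a LAN client packet 10.1.1.10 -> 10.0.0.1 ends up in."""
    p = lookup(policies, "10.1.1.10", "10.0.0.1", mark)
    return p.name if p else "no policy (sent in plaintext)"


if __name__ == "__main__":
    print("all three up, unmarked packet: ", winner([CATCH_ALL_MARKED, VTI_WIDE, INTERNET]))
    print("internet tunnel disabled:      ", winner([CATCH_ALL_MARKED, VTI_WIDE]))
    print("vti narrowed to 10.1.1.0/26:   ", winner([CATCH_ALL_MARKED, VTI_NARROW, INTERNET]))
    print("same packet carrying mark 10:  ", winner([CATCH_ALL_MARKED, VTI_WIDE, INTERNET], mark=10))
    print("only the marked catch-all, marked:  ", winner([CATCH_ALL_MARKED], mark=10))
    print("only the marked catch-all, unmarked:", winner([CATCH_ALL_MARKED]))
```

With all three policies installed, a packet from 10.1.1.10 to 10.0.0.1 matches both the VTI policy (0 + 24 = 24 selector bits) and the internet policy (26 + 0 = 26 bits), and the internet policy wins; removing it, or narrowing the VTI selector to 10.1.1.0/26 (50 bits), hands the packet to the VTI policy instead. The marked catch-all, at 0 bits, loses to every more specific unmarked policy even for a packet that carries mark 10, and an unmarked packet never matches it at all. Separately from the selector question, marks for forwarded packets have to be set in mangle PREROUTING: the kernel performs the outbound XFRM policy lookup for a forwarded packet before the FORWARD chain runs, so a MARK set in mangle FORWARD is not visible to that lookup (mangle OUTPUT does work for locally generated packets, because netfilter re-routes them when the mark changes).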