[strongSwan] Help with IPtables marking
Dusan Ilic
dusan at comhem.se
Sun Aug 20 12:16:21 CEST 2017
This works when pinging between clients
TS 10.1.1.0/26 == 10.0.0.0/24 [mark=10]
TS 10.1.1.0/26 == 0.0.0.0/0 [mark=10]
This doesn't work when pinging between clients
TS 0.0.0.0/0 == 0.0.0.0/0 [mark=10]
Below are the iptables rules:
# inbound NAT-T (UDP 4500) packets from the peer
iptables -t mangle -A PREROUTING -i vlan847 -p udp --sport 4500 -s x.x.x.x -d x.x.x.x -j MARK --set-mark 10
# forwarded LAN traffic, marked before the outbound policy lookup
iptables -t mangle -A PREROUTING -i br0 -s 10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
# locally generated traffic
iptables -t mangle -A OUTPUT -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
# packets that already matched an outbound ESP policy
iptables -t mangle -A POSTROUTING -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j MARK --set-mark 10
It seems like it works as long as the local TS is not leftsubnet=0.0.0.0/0.
Does anyone know why?
Pinging between the IPsec gateways works in each scenario.
On 2017-08-19 at 03:30, Dusan Ilic wrote:
>
> Some updates: if I change the tunnel that is not working from 0.0.0.0
> == 10.0.0.0/24 to 10.1.1.0/26 == 10.0.0.0/24, all starts working,
> together with the 0.0.0.0 tunnel, and also the pings from the clients
> work. I feel like I'm doing something wrong?
> I would like leftsubnet to be 0.0.0.0, so that I can mark whatever
> local network I want to route through that tunnel to 10.0.0.0/24, and
> also at the 10.0.0.0/24 network there is a VTI setup with TS 0.0.0.0/0
> == 0.0.0.0/0; if I change leftsubnet on this side to 10.1.1.0/26 that
> won't work from the other side.
>
> So why does it interfere with one tunnel 0.0.0.0/0 == 0.0.0.0/0
> [mark=10] and another tunnel 10.1.1.10/26 == 0.0.0.0/0 without any marks?
>
>
> On 2017-08-19 at 03:01, Dusan Ilic wrote:
>> Hi!
>>
>> I'm trying out some things and have two problems.
>>
>> 1. I'm having "mark=10" in the connection definition in ipsec.conf,
>> and left/right 0.0.0.0/0. With the iptables rules below I can ping between
>> the two IPsec gateways, but I cannot ping from other clients behind
>> the gateways or from the gateways to clients behind the other gateway.
>>
>> iptables -t mangle -A PREROUTING -i vlan847 -p udp --sport 4500 -s x.x.x.x -d x.x.x.x -j MARK --set-mark 10
>> iptables -t mangle -A OUTPUT -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
>> iptables -t mangle -A FORWARD -i br0 -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -j MARK --set-mark 10
>> iptables -t mangle -A FORWARD -o br0 -i vlan847 -d 10.1.1.0/26 -s 10.0.0.0/24 -j MARK --set-mark 10
>> iptables -t mangle -A POSTROUTING -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j MARK --set-mark 10
>>
>> Reference:
>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Marks-on-Linux
>>
>> Maybe you see what I'm doing wrong?
>>
>> 2. I have a couple of tunnels active, one of which has
>> rightsubnet=0.0.0.0. So I'm sending all internet traffic from one
>> gateway to another, but when I'm doing this one other specific tunnel
>> stops responding. When I disable the 0.0.0.0 tunnel, it starts
>> responding. It's like that specific tunnel's rightsubnet is ignored
>> and it's going through the 0.0.0.0 tunnel, while other active tunnels work.
>> The only special thing about the tunnel that doesn't work is that it's
>> a VTI on the other endpoint, and on the local side the TS is
>> 0.0.0.0/0 == 10.0.0.0/24, while the other tunnels are 10.1.1.0/26 ==
>> [some other subnet]. So when the 0.0.0.0 tunnel is enabled, pings to
>> the 10.0.0.0/24 network time out, but they work to other subnets, and
>> when I disable the 0.0.0.0 tunnel the pings start working again.
>> Any ideas?
>>
>
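The model below, added here as an illustration and not taken from the thread, from strongSwan or from the kernel, reproduces the two behaviours the thread reports: the catch-all 0.0.0.0/0 == 0.0.0.0/0 [mark=10] policy loses client traffic to a narrower unmarked tunnel policy, and the narrower 10.1.1.0/26 == 10.0.0.0/24 [mark=10] policy wins. It rests on three assumptions about Linux XFRM and strongSwan, stated in the code: a policy matches when its selectors match and `(skb_mark & mark_mask) == mark_value`, so an unmarked policy (mask 0) also matches marked packets; the matching policy with the lowest priority number wins, and strongSwan derives that number from the traffic-selector prefix lengths (narrower TS = smaller number); and for forwarded packets the outbound lookup runs in `ip_forward()` before the FORWARD hook, so only PREROUTING marks are seen, whereas locally generated packets are re-routed after a mangle OUTPUT mark change. The `PRIO_BASE` constant, the policy names and the client/remote host addresses are constructed for the example; interface matches on the iptables rules are left out.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
PRIO_BASE = 1024   # arbitrary base; only the relative order of priorities matters
MARK10 = {"mark_value": 10, "mark_mask": 0xFFFFFFFF}   # ipsec.conf mark=10


@dataclass
class Policy:
    """One outbound XFRM policy: src TS, dst TS and an optional mark (assumed model)."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    mark_value: int = 0
    mark_mask: int = 0   # mask 0 = unmarked policy: matches packets carrying any mark

    def priority(self) -> int:
        # Assumed strongSwan-style priority: narrower traffic selectors give a
        # smaller number, and the kernel prefers the smallest number.
        return PRIO_BASE - self.src.prefixlen - self.dst.prefixlen

    def matches(self, src, dst, mark: int) -> bool:
        return (src in self.src and dst in self.dst
                and (mark & self.mark_mask) == self.mark_value)


def policy_lookup(policies, src: str, dst: str, mark: int):
    """Name of the policy that captures the packet, or None (packet goes out in clear)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hits = [p for p in policies if p.matches(src, dst, mark)]
    if not hits:
        return None
    # Equal priorities are ordered by the kernel's insertion order, which this
    # model does not reproduce; the scenarios below avoid ties.
    return min(hits, key=Policy.priority).name


@dataclass
class MarkRule:
    """iptables -t mangle -A <chain> -s <src> -d <dst> -j MARK --set-mark <mark>."""
    chain: str   # PREROUTING, FORWARD or OUTPUT
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    mark: int


def mark_at_lookup(rules, src: str, dst: str, forwarded: bool) -> int:
    """Mark visible to the outbound XFRM policy lookup (assumed model).

    Forwarded packets: lookup happens before the FORWARD hook, so only
    PREROUTING marks count.  Local packets: re-routed after mangle OUTPUT."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    chains = {"PREROUTING"} if forwarded else {"OUTPUT"}
    mark = 0
    for rule in rules:
        if rule.chain in chains and src in rule.src and dst in rule.dst:
            mark = rule.mark   # MARK is non-terminating: last matching rule wins
    return mark


net = ipaddress.ip_network

# Setup the thread reports as failing for client traffic.
BROKEN = [
    Policy("vti-catchall", ANY, ANY, **MARK10),        # 0.0.0.0/0 == 0.0.0.0/0 [mark=10]
    Policy("other-tunnel", net("10.1.1.0/26"), ANY),  # 10.1.1.0/26 == 0.0.0.0/0, no mark
]
# Setup the thread reports as working.
WORKING = [
    Policy("vti-narrow", net("10.1.1.0/26"), net("10.0.0.0/24"), **MARK10),
    Policy("other-tunnel", net("10.1.1.0/26"), ANY),
]
PREROUTING_RULES = [MarkRule("PREROUTING", net("10.1.1.0/26"), net("10.0.0.0/24"), 10)]
FORWARD_RULES = [MarkRule("FORWARD", net("10.1.1.0/26"), net("10.0.0.0/24"), 10)]

CLIENT, REMOTE = "10.1.1.5", "10.0.0.5"   # constructed hosts behind each gateway


def client_ping_policy(policies, rules):
    """Policy chosen for a ping forwarded from a LAN client to the far LAN."""
    mark = mark_at_lookup(rules, CLIENT, REMOTE, forwarded=True)
    return policy_lookup(policies, CLIENT, REMOTE, mark)


if __name__ == "__main__":
    for label, pols in (("broken", BROKEN), ("working", WORKING)):
        print(label, [(p.name, p.priority()) for p in pols],
              "->", client_ping_policy(pols, PREROUTING_RULES))
    print("marked only in FORWARD ->", client_ping_policy(WORKING, FORWARD_RULES))
```

Under these assumptions the marked client packet matches both policies in the "broken" set, and the unmarked 10.1.1.0/26 == 0.0.0.0/0 policy wins on priority because its selector is narrower; the catch-all policy only captures traffic that no narrower policy claims, which is consistent with gateway-to-gateway pings still working. The last line shows the separate point from the first post: a mark set only in the FORWARD chain never reaches the lookup, so the marked policy is skipped even when it is the narrower one. Compare with `ip xfrm policy` on the gateway, which lists each policy's mark and priority.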