[strongSwan] Help with IPtables marking

Dusan Ilic dusan at comhem.se
Tue Aug 22 16:09:00 CEST 2017


No one?

I also found below when googling

Summary:
For marks to work correctly, you need to:
*Mark esp packets or espinudp packets in *mangle PREROUTING or *mangle 
INPUT.
*Mark traffic that is just forwarded on the box in *mangle POSTROUTING
*Mark traffic that originates from the box in *mangle OUTPUT

This doesn't seem completely right on my gateway. For instance, for traffic 
originating from the gateway both mangle OUTPUT and POSTROUTING need the 
MARK target, and for forwarding traffic from other clients mangle 
PREROUTING is needed (both for the ESP/ESPINUDP packets from the peer 
and for the local subnets that are forwarded). mangle FORWARD doesn't 
seem to have any effect at all.
However, I seem to have problems making this work with a 0.0.0.0/0 == 
0.0.0.0/0 TS; as long as leftsubnet is i.e. 10.1.1.0/26 (one of the 
local subnets) it works, but as I change to 0.0.0.0/0 it stops working 
(only the actual gateway can get traffic through then). I don't really 
seem to understand why though...


Den 2017-08-20 kl. 12:16, skrev Dusan Ilic:
> This works when pinging between clients
>
> TS 10.1.1.0/26 == 10.0.0.0/24 [mark=10]
> TS 10.1.1.0/26 == 0.0.0.0/0 [mark=10]
>
> This doesn't work when pinging between clients
>
> TS 0.0.0.0/0 == 0.0.0.0/0 [mark=10]
>
> Below are the iptables rules
>
> iptables -t mangle -A PREROUTING -i vlan847 -p udp --sport 4500 -s 
> x.x.x.x -d x.x.x.x -j MARK --set-mark 10
> iptables -t mangle -A PREROUTING -i br0 -s 10.1.1.0/26 -d 10.0.0.0/24 
> -j MARK --set-mark 10
> iptables -t mangle -A OUTPUT -o vlan847 -s 10.1.1.0/26 -d 10.0.0.0/24 
> -j MARK --set-mark 10
> iptables -t mangle -A POSTROUTING -o vlan847 -s 10.1.1.0/26 -d 
> 10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j MARK 
> --set-mark 10
>
> It seems like it works as long as the local TS is not leftsubnet=0.0.0.0/0.
> Does anyone know why?
> Pinging between the IPsec gateways works in each scenario.
>
>
> Den 2017-08-19 kl. 03:30, skrev Dusan Ilic:
>>
>> Some updates: if I change the tunnel that is not working from 0.0.0.0 
>> == 10.0.0.0/24 to 10.1.1.0/26 == 10.0.0.0/24, everything starts working, 
>> together with the 0.0.0.0 tunnel, and also the pings from the clients 
>> work. I feel like I'm doing something wrong?
>> I would like leftsubnet to be 0.0.0.0, so that I can mark whatever 
>> local network I want to route through that tunnel to 10.0.0.0/24, and 
>> also at the 10.0.0.0/24 network there is a VTI setup with TS 
>> 0.0.0.0/0 == 0.0.0.0/0, if I change leftsubnet on this side to 
>> 10.1.1.0/26 that won't work from the other side.
>>
>> So why does it interfere with one tunnel 0.0.0.0/0 == 0.0.0.0/0 
>> [mark=10] and another tunnel 10.1.1.10/26 == 0.0.0.0/0 without any 
>> marks?
>>
>>
>> Den 2017-08-19 kl. 03:01, skrev Dusan Ilic:
>>> Hi!
>>>
>>> I'm trying out some things and have two problems.
>>>
>>> 1. I have "mark=10" in the connection definition in ipsec.conf, 
>>> and left/right 0.0.0.0/0. With the iptables rules below I can ping between 
>>> the two IPsec gateways, but I cannot ping from other clients behind 
>>> the gateways or from the gateways to clients behind the other gateway.
>>>
>>> iptables -t mangle -A PREROUTING -i vlan847 -p udp --sport 4500 -s 
>>> x.x.x.x -d x.x.x.x -j MARK --set-mark 10
>>> iptables -t mangle -A OUTPUT -o vlan847 -s 10.1.1.0/26 -d 
>>> 10.0.0.0/24 -j MARK --set-mark 10
>>> iptables -t mangle -A  FORWARD -i br0 -o vlan847 -s 10.1.1.0/26 -d 
>>> 10.0.0.0/24 -j MARK --set-mark 10
>>> iptables -t mangle -A  FORWARD -o br0 -i vlan847 -d 10.1.1.0/26 -s 
>>> 10.0.0.0/24 -j MARK --set-mark 10
>>> iptables -t mangle -A POSTROUTING -o vlan847 -s 10.1.1.0/26 -d 
>>> 10.0.0.0/24 -m policy --dir out --pol ipsec --proto esp -j MARK 
>>> --set-mark 10
>>>
>>> Reference: 
>>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN#Marks-on-Linux
>>>
>>> Maybe you see what I'm doing wrong?
>>>
>>> 2. I have a couple of tunnels active, one of which has 
>>> rightsubnet=0.0.0.0. So I'm sending all internet traffic from one 
>>> gateway to another, but when I'm doing this one other specific 
>>> tunnel stops responding. When I disable the 0.0.0.0 tunnel, it 
>>> starts responding. It's like that specific tunnel's rightsubnet is 
>>> ignored and traffic goes through the 0.0.0.0 tunnel, while other active 
>>> tunnels work.
>>> The only special thing about the tunnel that doesn't work is that it's 
>>> a VTI on the other endpoint, and on the local side the TS is 
>>> 0.0.0.0/0 == 10.0.0.0/24, while the other tunnels are 10.1.1.0/26 == 
>>> [some other subnet]. So when the 0.0.0.0 tunnel is enabled, pings to 
>>> the 10.0.0.0/24 network time out, but they work to other subnets, and 
>>> when I disable the 0.0.0.0 tunnel the pings start working again.
>>> Any ideas?
>>>
>>
>

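The thread keeps coming back to one question: which mangle chain a given packet actually traverses, and therefore which of the posted rules can ever set the mark on it. The following is an added example, not the poster's rules or strongSwan code: a small model of netfilter mangle-chain traversal (PREROUTING/INPUT for local delivery, PREROUTING/FORWARD/POSTROUTING for routed traffic, OUTPUT/POSTROUTING for locally generated traffic), loaded with the rule set from the first message. The `x.x.x.x` peer and gateway addresses are replaced by constructed documentation addresses, and the `-m policy --dir out --pol ipsec --proto esp` match is reduced to a single `ipsec_out` flag on the packet; the model does not reproduce XFRM re-injecting decapsulated packets, which is an assumption of this simplification.

```python
"""Added example (not the poster's or strongSwan's code): a minimal model of
netfilter mangle-chain traversal, loaded with the iptables rules posted in
this thread, to show which chain marks each class of packet.

Assumption/simplification: XFRM encapsulation and decapsulation are reduced
to one 'ipsec_out' flag, so the re-injection of decapsulated packets into
PREROUTING is not modelled."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed placeholders for the 'x.x.x.x' endpoints in the post.
PEER_IP = "192.0.2.1"
GATEWAY_IP = "192.0.2.2"


@dataclass
class Packet:
    src: str
    dst: str
    in_if: Optional[str] = None    # None: generated locally on the gateway
    out_if: Optional[str] = None   # None: delivered locally to the gateway
    proto: str = "icmp"
    sport: Optional[int] = None
    ipsec_out: bool = False        # stands in for '-m policy --dir out --pol ipsec --proto esp'
    mark: int = 0


@dataclass
class Rule:
    chain: str
    set_mark: int
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src: Optional[str] = None
    dst: Optional[str] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    policy_out_esp: bool = False

    def matches(self, pkt: Packet) -> bool:
        """Every match that the rule specifies must hold, as in iptables."""
        return all([
            self.in_if is None or pkt.in_if == self.in_if,
            self.out_if is None or pkt.out_if == self.out_if,
            self.src is None or ip_address(pkt.src) in ip_network(self.src),
            self.dst is None or ip_address(pkt.dst) in ip_network(self.dst),
            self.proto is None or pkt.proto == self.proto,
            self.sport is None or pkt.sport == self.sport,
            not self.policy_out_esp or pkt.ipsec_out,
        ])


# The rule set from the first message of the thread, transcribed into the model.
RULES = [
    Rule("PREROUTING", 10, in_if="vlan847", proto="udp", sport=4500, src=PEER_IP, dst=GATEWAY_IP),
    Rule("OUTPUT", 10, out_if="vlan847", src="10.1.1.0/26", dst="10.0.0.0/24"),
    Rule("FORWARD", 10, in_if="br0", out_if="vlan847", src="10.1.1.0/26", dst="10.0.0.0/24"),
    Rule("FORWARD", 10, in_if="vlan847", out_if="br0", src="10.0.0.0/24", dst="10.1.1.0/26"),
    Rule("POSTROUTING", 10, out_if="vlan847", src="10.1.1.0/26", dst="10.0.0.0/24", policy_out_esp=True),
]


def chains_for(pkt: Packet) -> List[str]:
    """Mangle chains a packet traverses, decided by where it enters and leaves."""
    if pkt.in_if is None:
        return ["OUTPUT", "POSTROUTING"]                 # generated on the host
    if pkt.out_if is None:
        return ["PREROUTING", "INPUT"]                   # delivered to the host
    return ["PREROUTING", "FORWARD", "POSTROUTING"]      # routed through the host


def apply_rules(pkt: Packet, rules=RULES) -> List[str]:
    """Walk the chains in order, apply MARK targets, return the chains that hit."""
    hits = []
    for chain in chains_for(pkt):
        for rule in rules:
            if rule.chain == chain and rule.matches(pkt):
                pkt.mark = rule.set_mark
                hits.append(chain)
    return hits


def classify_sample_traffic():
    """Constructed packets covering the traffic classes discussed in the thread."""
    samples = {
        "espinudp from peer": Packet(PEER_IP, GATEWAY_IP, in_if="vlan847", proto="udp", sport=4500),
        "client forwarded out": Packet("10.1.1.5", "10.0.0.7", in_if="br0", out_if="vlan847", ipsec_out=True),
        "reply forwarded in": Packet("10.0.0.7", "10.1.1.5", in_if="vlan847", out_if="br0"),
        "gateway originated": Packet("10.1.1.1", "10.0.0.7", out_if="vlan847", ipsec_out=True),
    }
    return {name: (apply_rules(p), p.mark) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (hits, mark) in classify_sample_traffic().items():
        print(f"{name:22s} mark={mark:<3} set in {hits or 'no chain'}")
```

Running it shows the split the poster is wrestling with: the ESP-in-UDP packet from the peer is only ever seen by PREROUTING and INPUT, a client packet routed out is marked in FORWARD and (with a matching outbound IPsec policy) in POSTROUTING, and a ping from the gateway itself never visits PREROUTING or FORWARD, so only the OUTPUT and POSTROUTING rules can mark it. Extending the `samples` dict with your own interfaces and subnets is a quick way to check, before touching a live gateway, whether a proposed rule set can mark every class of traffic the tunnel needs.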