[strongSwan] Route-based VPNs, VTIs and unique mark per customer
Oleksandr Yermolenko
aae at sumix.com
Sat Jan 28 12:06:23 CET 2017
a few additional details:
just playing with mark option:
########## ipsec.conf ###############################
conn customers
mark=42
# mark=%unique
works for 97% of customers ... except those who share the same subnet
#########################################
conn customers
# mark=42
mark=%unique
nobody works at all. Is the "connmark" plugin not compatible with my
environment, or have I missed something?
BR
Oleksandr Yermolenko
ip -s xfrm policy | grep mark
mark 97/0xffffffff
.... I can see mark IDs from 97 down to 1
mark 1/0xffffffff
ip -s xfrm policy
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
dir fwd action allow index 2231778 priority 2816 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-01-28 05:08:58 use -
mark 97/0xffffffff
tmpl src XX.XX.98.33 dst X.X.130.56
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
dir in action allow index 2231768 priority 2816 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-01-28 05:08:58 use -
mark 97/0xffffffff
tmpl src XX.XX.98.33 dst X.X.130.56
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.50.3.167/32 dst 10.50.254.58/32 proto tcp sport 8080 uid 0
dir out action allow index 2231761 priority 2816 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-01-28 05:08:58 use -
mark 97/0xffffffff
tmpl src X.X.130.56 dst XX.XX.98.33
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.50.254.58/32 dst 10.50.3.157/32 uid 0
dir fwd action allow index 2231754 priority 2819 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-01-28 05:08:58 use -
mark 97/0xffffffff
tmpl src XX.XX.98.33 dst X.X.130.56
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.50.254.58/32 dst 10.50.3.157/32 uid 0
dir in action allow index 2231744 priority 2819 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-01-28 05:08:58 use -
mark 97/0xffffffff
tmpl src XX.XX.98.33 dst X.X.130.56
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.50.3.157/32 dst 10.50.254.58/32 uid 0
dir out action allow index 2231737 priority 2819 ptype main share
any flag (0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2017-01-28 05:08:58 use -
mark 97/0xffffffff
tmpl src X.X.130.56 dst XX.XX.98.33
proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
#########################################
On 01/23/2017 12:49 PM, Oleksandr Yermolenko wrote:
>
> Hi,
>
> Servers are VTI-configured (CentOS 7, updated) according to
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN. It
> works.
>
> Pure IPSec. (without L2TPs)
>
>
> But periodically customers (dynamic) possess the same subnet.
>
> There is another guide
> https://strongswan.org/testing/testresults4/ikev2/nat-two-rw-mark/index.html
>
>
> This static solution is not convenient for me (there are now
> approximately 15 customers, and names can change).
>
>
> Tried to follow
> https://wiki.strongswan.org/projects/strongswan/wiki/Connmark ...
> recompile with --enable-connmark
>
> Very simple implementation ... but for reasons unknown to me it has
> not worked out.
>
> Tried standard CentOS7 (3.10.0-514.6.1.el7.x86_64) kernel and
> 4.9.5-1.el7.elrepo.x86_64 keeping in mind that
>
> "Disclaimer: VTI devices are supported since the Linux 3.6 kernel,
> but some important changes were added later (3.15+). The information
> below might not be accurate for older kernel versions."
>
>
> The question: does someone know how to configure marks "on the
> fly", per customer?
>
>
> --
>
> Best regards
>
> Oleksandr
>
>
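Added example (not from the post or from strongSwan): a small Python checker that parses `ip -s xfrm policy` output in the layout shown above and reports traffic selectors that two tunnels install under the same mark, i.e. the situation a fixed mark=42 produces when two customers share a subnet, and marks that several reqids reuse, which mark=%unique is meant to avoid. The sample dump is constructed for the example.

```python
"""Group xfrm policies by selector and mark; added example with a constructed sample."""
import re
from collections import defaultdict

# Constructed sample in the layout `ip -s xfrm policy` prints (tmpl lines omitted).
# Two customers (reqid 98, 99) sit behind the same 10.50.3.0/24 and share mark 97.
SAMPLE = """\
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
    dir out action allow index 2231761 priority 2816 ptype main share any
    mark 97/0xffffffff
        proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
    dir out action allow index 2231790 priority 2816 ptype main share any
    mark 97/0xffffffff
        proto esp spi 0x00000000(0) reqid 99(0x00000063) mode tunnel
src 10.50.254.58/32 dst 10.50.9.5/32 uid 0
    dir out action allow index 2231800 priority 2819 ptype main share any
    mark 42/0xffffffff
        proto esp spi 0x00000000(0) reqid 100(0x00000064) mode tunnel
"""

def parse_policies(text):
    """One dict per policy: src, dst, dir, mark (value only) and reqid."""
    policies, cur = [], {}  # stray lines before the first "src" land in a throwaway dict
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):
            src, dst = re.match(r"src (\S+) dst (\S+)", line).groups()
            cur = {"src": src, "dst": dst}
            policies.append(cur)
        elif line.startswith("dir "):
            cur["dir"] = line.split()[1]
        elif line.startswith("mark "):
            cur["mark"] = int(line.split()[1].split("/")[0])  # "97/0xffffffff" -> 97
        elif "reqid " in line:
            cur["reqid"] = int(re.search(r"reqid (\d+)", line).group(1))
    return policies

def find_collisions(policies):
    """Selectors installed under one mark for more than one reqid: the mark
    alone can no longer tell the kernel which tunnel such packets belong to."""
    by_key = defaultdict(set)
    for p in policies:
        by_key[(p["src"], p["dst"], p["dir"], p["mark"])].add(p["reqid"])
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}

def mark_reuse(policies):
    """Marks shared by several reqids; with mark=%unique this should be empty."""
    by_mark = defaultdict(set)
    for p in policies:
        by_mark[p["mark"]].add(p["reqid"])
    return {m: sorted(r) for m, r in by_mark.items() if len(r) > 1}
```

On a live host, pass the text of `ip -s xfrm policy` to `parse_policies`; an empty result from `mark_reuse` confirms that every tunnel got its own mark.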