[strongSwan] Route-based VPNs, VTIs and unique mark per customer
Oleksandr Yermolenko
aae at sumix.com
Sun Jan 29 16:53:16 CET 2017
Just upgraded the server to 5.5.2dr4 (previously 5.4.0) and those 97% of
customers are back working with mark=%unique.
I guess [1] is related ...
Much better for me ...
But the main problem still exists: customers can't share the same subnet
with mark=%unique either
(static [2] entries are not possible).
[1] https://wiki.strongswan.org/issues/1497
[2] https://strongswan.org/testresults4.html
BR
Oleksandr Yermolenko
On 01/28/2017 01:06 PM, Oleksandr Yermolenko wrote:
> A few additional details:
> just playing with the mark option:
> ########## ipsec.conf ###############################
> conn customers
> mark=42
> # mark=%unique
> working for 97% of customers ... except those who share the same subnet
> #########################################
> conn customers
> # mark=42
> mark=%unique
>
> nobody works at all. Is the "connmark" plugin not compatible with my
> environment, or have I missed something?
>
> BR
> Oleksandr Yermolenko
>
>
> ip -s xfrm policy | grep mark
> mark 97/0xffffffff
> .... I can see mark IDs from 97 to 1
> mark 1/0xffffffff
>
> ip -s xfrm policy
> src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
>         dir fwd action allow index 2231778 priority 2816 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-01-28 05:08:58 use -
>         mark 97/0xffffffff
>         tmpl src XX.XX.98.33 dst X.X.130.56
>                 proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
>         dir in action allow index 2231768 priority 2816 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-01-28 05:08:58 use -
>         mark 97/0xffffffff
>         tmpl src XX.XX.98.33 dst X.X.130.56
>                 proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.50.3.167/32 dst 10.50.254.58/32 proto tcp sport 8080 uid 0
>         dir out action allow index 2231761 priority 2816 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-01-28 05:08:58 use -
>         mark 97/0xffffffff
>         tmpl src X.X.130.56 dst XX.XX.98.33
>                 proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.50.254.58/32 dst 10.50.3.157/32 uid 0
>         dir fwd action allow index 2231754 priority 2819 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-01-28 05:08:58 use -
>         mark 97/0xffffffff
>         tmpl src XX.XX.98.33 dst X.X.130.56
>                 proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.50.254.58/32 dst 10.50.3.157/32 uid 0
>         dir in action allow index 2231744 priority 2819 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-01-28 05:08:58 use -
>         mark 97/0xffffffff
>         tmpl src XX.XX.98.33 dst X.X.130.56
>                 proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> src 10.50.3.157/32 dst 10.50.254.58/32 uid 0
>         dir out action allow index 2231737 priority 2819 ptype main share any flag (0x00000000)
>         lifetime config:
>           limit: soft (INF)(bytes), hard (INF)(bytes)
>           limit: soft (INF)(packets), hard (INF)(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-01-28 05:08:58 use -
>         mark 97/0xffffffff
>         tmpl src X.X.130.56 dst XX.XX.98.33
>                 proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
>                 level required share any
>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
> #########################################
>
>
>
> On 01/23/2017 12:49 PM, Oleksandr Yermolenko wrote:
>>
>> Hi,
>>
>> VTI-configured servers (OS: CentOS 7, updated) according to
>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN.
>> It works.
>>
>> Pure IPsec (without L2TP).
>>
>>
>> But periodically customers (dynamic ones) have the same subnet.
>>
>> There is another guide:
>> https://strongswan.org/testing/testresults4/ikev2/nat-two-rw-mark/index.html
>>
>>
>> This static solution is not convenient for me (there are approximately
>> 15 customers now, and names can change).
>>
>>
>> Tried to follow
>> https://wiki.strongswan.org/projects/strongswan/wiki/Connmark ...
>> and recompiled with --enable-connmark.
>>
>> Very simple implementation ... but for reasons unknown to me it has
>> not worked out.
>>
>> Tried the standard CentOS 7 (3.10.0-514.6.1.el7.x86_64) kernel and
>> 4.9.5-1.el7.elrepo.x86_64, keeping in mind that
>>
>> "Disclaimer: VTI devices are supported since the Linux 3.6 kernel,
>> but some important changes were added later (3.15+). The information
>> below might not be accurate for older kernel versions."
>>
>>
>> The question: does someone know how to configure marks "on the
>> fly", per customer?
>>
>>
>> --
>>
>> Best regards
>>
>> Oleksandr
>>
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
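As an added diagnostic for the situation in this thread (example code, not part of the thread and not strongSwan's own), the script below parses an `ip -s xfrm policy` dump like the one quoted above and groups policies by traffic selector and mark. That is the question behind the thread: two customers behind the same subnet produce identical selectors, and the kernel can only keep them apart if each customer's policies carry a distinct mark (mark=%unique) that maps to a single reqid. A selector that also exists without any mark matches every packet mark, so the script flags that case separately. The sample dump is constructed for the example; addresses, marks, reqids and indexes are made up, outer addresses use documentation ranges, and the lifetime lines are omitted because the parser ignores them. Requires Python 3.8 or later.

```python
"""Group an `ip -s xfrm policy` dump by traffic selector and mark.

Added diagnostic, not strongSwan code: with mark=%unique each customer's
policies carry their own mark, so two customers behind the same subnet show
up as identical selectors under different marks.
"""
import re
from collections import defaultdict

# Constructed sample in the `ip -s xfrm policy` layout. Addresses, marks,
# reqids and indexes are made up; lifetime lines are left out.
SAMPLE = """\
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
        dir fwd action allow index 2231778 priority 2816 ptype main share any flag  (0x00000000)
        mark 97/0xffffffff
        tmpl src 192.0.2.33 dst 198.51.100.56
                proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
        dir in action allow index 2231768 priority 2816 ptype main share any flag  (0x00000000)
        mark 97/0xffffffff
        tmpl src 192.0.2.33 dst 198.51.100.56
                proto esp spi 0x00000000(0) reqid 98(0x00000062) mode tunnel
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
        dir in action allow index 2231700 priority 2816 ptype main share any flag  (0x00000000)
        mark 96/0xffffffff
        tmpl src 192.0.2.34 dst 198.51.100.56
                proto esp spi 0x00000000(0) reqid 97(0x00000061) mode tunnel
src 10.50.254.58/32 dst 10.50.3.167/32 proto tcp dport 8080 uid 0
        dir in action allow index 2231690 priority 2816 ptype main share any flag  (0x00000000)
        tmpl src 192.0.2.35 dst 198.51.100.56
                proto esp spi 0x00000000(0) reqid 96(0x00000060) mode tunnel
"""

POLICY_RE = re.compile(r"^src (\S+) dst (\S+)(.*)$")  # unindented line opens a policy
DIR_RE = re.compile(r"\bdir (\w+)\b")
MARK_RE = re.compile(r"\bmark (\d+)/(0x[0-9a-fA-F]+)")
REQID_RE = re.compile(r"\breqid (\d+)")


def parse_policies(text):
    """Return one dict per policy: selector, direction, mark/mask, reqid."""
    policies = []
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            policies.append({"src": m.group(1), "dst": m.group(2),
                             "extra": m.group(3).strip(),  # proto/ports/uid
                             "dir": None, "mark": None, "mask": None, "reqid": None})
            continue
        if not policies:
            continue
        cur = policies[-1]
        if (m := DIR_RE.search(line)) and cur["dir"] is None:
            cur["dir"] = m.group(1)
        if m := MARK_RE.search(line):
            cur["mark"], cur["mask"] = int(m.group(1)), int(m.group(2), 16)
        if m := REQID_RE.search(line):
            cur["reqid"] = int(m.group(1))
    return policies


def selector_key(policy):
    return (policy["src"], policy["dst"], policy["extra"], policy["dir"])


def marks_per_selector(policies):
    """Selector -> set of marks it is installed under (None = no mark)."""
    out = defaultdict(set)
    for p in policies:
        out[selector_key(p)].add(p["mark"])
    return out


def shared_selectors(policies):
    """Selectors installed under more than one mark: overlapping customers
    that only coexist because each has its own mark."""
    return {k: sorted(v, key=lambda m: -1 if m is None else m)
            for k, v in marks_per_selector(policies).items() if len(v) > 1}


def unmarked_overlaps(policies):
    """Shared selectors that also carry an unmarked policy (mask 0 matches any
    packet mark), so the mark alone no longer selects the customer's SA."""
    return sorted(k for k, v in marks_per_selector(policies).items()
                  if None in v and len(v) > 1)


def reqids_per_mark(policies):
    """Mark -> sorted reqids; more than one reqid per mark means two SA pairs
    share a mark and both land on the VTI keyed with that mark."""
    out = defaultdict(set)
    for p in policies:
        if p["mark"] is not None:
            out[p["mark"]].add(p["reqid"])
    return {mark: sorted(r) for mark, r in out.items()}


if __name__ == "__main__":
    pols = parse_policies(SAMPLE)
    print(len(pols), "policies")
    for key, marks in shared_selectors(pols).items():
        print("shared selector", key, "marks", marks)
    print("unmarked overlaps:", unmarked_overlaps(pols))
    print("reqids per mark:", reqids_per_mark(pols))
```

To run it against a live system, replace `SAMPLE` with the output of `ip -s xfrm policy` (for example via `subprocess.run`). With mark=%unique working as intended, every shared selector appears only under distinct marks, `unmarked_overlaps` is empty, and every mark maps to exactly one reqid; the constructed sample deliberately includes one unmarked duplicate to show what the failure looks like.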