[strongSwan] second connection from the same machine fails

Naveen Neelakanta naveen.b.neelakanta at gmail.com
Fri Mar 2 18:42:05 CET 2018


Thanks Tobias,

I changed the marks for the connections to be unique and also added
mark_in.
Now I see that the ssh issue is also resolved, but I need to get the return
traffic routed to the vti interface based on the marking.

Regards,
Naveen


On Fri, Mar 2, 2018 at 12:54 AM, Tobias Brunner <tobias at strongswan.org>
wrote:

> Hi Naveen,
>
> > 1) The second connection with the below configuration fails .
>
> The log message tells you why.  The policies of the two connections
> conflict.  While you don't get that error message with newer strongSwan
> releases (>= 5.3.0) it would not work properly as you'd still have two
> connections using the same policies.
>
> >         mark_out=32
>
> Why did you only set mark_out?  As you can see in the log this causes
> conflicts for the in/fwd policies:
>
> > unable to install policy 0.0.0.0/0 === 0.0.0.0/0 in for reqid 2, the same policy for reqid 1 exists
> > unable to install policy 0.0.0.0/0 === 0.0.0.0/0 fwd for reqid 2, the same policy for reqid 1 exists
>
>
> > 2) I intend to use marking as selector using VTI interface. I see that
> > the packet gets encrypted and leaves the machine, however my intention is
> > to identify return traffic after decryption to be marked with the same
> > marking, so that I can route based on the marked packet to a specific
> > interface, but I see that the inbound SA does not have the mark and the
> > policy drops the return traffic.
>
> There are two aspects to this: 1) if you don't set mark_in (or just
> mark) how do you expect marks to be on the inbound policies and SAs?
> 2) with recent releases (>= 5.5.2) no mark is actually set on the
> inbound SA (unless explicitly requested, which is possible since 5.6.1
> via swanctl.conf), but only on the inbound policies, specifically to
> allow marking packets after decryption.
>
> > How can I get the return traffic to be marked so that there is no policy
> > mismatch?
>
> Mark the traffic via iptables (before or after decryption).
>
> > 3) When I bring up the tunnel with the leftsubnet any and rightsubnet
> > any, I lose ssh access. I have disabled route install from the strongswan
> > configuration file.
>
> Configure passthrough/bypass policies to allow SSH traffic, or set marks
> on policies/SAs so only marked packets are processed.
>
> Regards,
> Tobias
>
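Putting Tobias's three answers together, as an added example that is not code from the thread or from the strongSwan project: an ipsec.conf fragment with a distinct mark= (which sets both mark_in and mark_out) per connection plus a passthrough conn for SSH, and a shell script that creates one VTI per tunnel keyed with the same mark and uses iptables CONNMARK after decryption so replies are routed back to that VTI by fwmark. The addresses (RFC 5737 ranges), connection names, mark values and vtiN device names are assumptions made for the example; the sysctl, iptables and ip invocations are standard Linux ones that the thread does not spell out.

```shell
#!/bin/sh
# Added example, not code from the thread: two tunnels on one host with
# unique marks, an SSH passthrough policy, and the VTI/iptables/ip commands
# that carry the mark back onto return traffic. Addresses, connection names,
# marks and the vtiN naming are assumptions made for this example.
set -eu

LOCAL_IP=203.0.113.10    # assumed: this host
REMOTE_A=198.51.100.1    # assumed: peer of conn vpn-a
REMOTE_B=198.51.100.2    # assumed: peer of conn vpn-b

# ipsec.conf fragment. The failing setup had mark_out=32 on both conns and
# no mark_in, so the unmarked in/fwd policies for reqid 2 collided with
# those of reqid 1. mark= sets mark_in and mark_out, and a different value
# per conn makes each 0.0.0.0/0 === 0.0.0.0/0 policy set distinct. The
# passthrough conn keeps SSH to this host out of IPsec entirely.
gen_ipsec_conf() {
cat <<EOF
conn %default
    keyexchange=ikev2
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0

conn vpn-a
    left=$LOCAL_IP
    right=$REMOTE_A
    mark=32
    auto=start

conn vpn-b
    left=$LOCAL_IP
    right=$REMOTE_B
    mark=33
    auto=start

conn ssh-bypass
    leftsubnet=$LOCAL_IP/32[tcp/22]
    rightsubnet=0.0.0.0/0
    type=passthrough
    auto=route
EOF
}

# Commands for one tunnel. Mark and VTI key are the same number: packets
# sent out vtiN get fwmark N and match the mark_out=N policy, and the vti
# driver checks inbound packets against the mark_in=N policy using its key
# (the inbound SA itself carries no mark with strongSwan >= 5.5.2).
# Decrypted packets then surface on vtiN without a mark; disable_policy
# stops a second, unmarked policy lookup from dropping them. Since the
# plaintext packet is unmarked, the mark is stored in conntrack on the way
# in and restored onto locally generated replies, which the fwmark rule
# then routes back via vtiN.
tunnel_cmds() {
mark=$1; remote=$2; dev=vti$1
cat <<EOF
ip link add $dev type vti key $mark local $LOCAL_IP remote $remote
sysctl -w net.ipv4.conf.$dev.disable_policy=1
ip link set $dev up
iptables -t mangle -A PREROUTING -i $dev -j CONNMARK --set-mark $mark
iptables -t mangle -A OUTPUT -m connmark --mark $mark -j CONNMARK --restore-mark
ip rule add fwmark $mark table $mark
ip route add default dev $dev table $mark
EOF
}

if [ "${1:-}" = "apply" ]; then
    # Needs root: create the VTIs, firewall rules and routing tables.
    tunnel_cmds 32 "$REMOTE_A" | sh -e
    tunnel_cmds 33 "$REMOTE_B" | sh -e
else
    # Dry run: print the ipsec.conf fragment and the commands without running them.
    gen_ipsec_conf
    tunnel_cmds 32 "$REMOTE_A"
    tunnel_cmds 33 "$REMOTE_B"
fi
```

Run it without arguments to print the config fragment and the commands, or with `apply` as root to execute the network commands (the ipsec.conf part still has to be placed by hand). The `-i vtiN` match works because the kernel vti device hands decrypted packets to the stack as if received on that interface; on a setup without VTI, the equivalent post-decryption hook in the same chain is `-m policy --dir in --pol ipsec --tunnel-src <peer>`, which is the iptables marking Tobias refers to.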