[strongSwan] mark is only set in one way
Gilles Printemps
gprintemps at gmail.com
Sun Nov 11 10:09:48 CET 2018
Hi,
Several months ago, I tried to set up Strongswan as client for a connection
to a VPN server using VTI without any success (unlike with OpenVPN). I'm
now restarting this task again from the beginning in order to use only
Strongswan as client and server.
My first questions are related to the keyword "mark". What's the behaviour
of Strongswan if the connmark plugin is enabled, but the is not set to
transport?
Is it normal that the flag is only set in one way?
Thanks for help...
result of sudo ip xfrm state:
src 10.211.55.26 dst 46.166.179.50
proto esp spi 0xce5f4fa3 reqid 1 mode tunnel
replay-window 0 flag af-unspec
mark 0x2/0xffffffff
auth-trunc hmac(sha512)
0x935928d1affa6c98af5f81d2aba45614cb6ee966bcb75fe51eb1f8110886fd7315ea9ac1c6b621e1deb20ee81b08b23a63870085364e6ad8c29f3d1fcdc79abf
256
enc cbc(aes)
0xac8aa7382eb1278c2e5cdaf04ca1850716859ed23e3bed87f410d78013d76949
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 46.166.179.50 dst 10.211.55.26
proto esp spi 0xc592d4be reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha512)
0x117520099367715a781b88662055f1151b5b4ffb319b6d5d986c442f1fadcc7f93a83a54324ba4c01b13101440464adc159b44e4c32968aa7480763503ad1a2f
256
enc cbc(aes)
0x6eeb81a67c539685af3216523615a940aa756b76ffbd57434a573d3ac838b3e4
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
/etc/ipsec.conf
config setup
    charondebug="ike 2, knl 3, cfg 0"

conn VPNInterface
    mark=2
    keyexchange=ike
    dpdaction=clear
    dpddelay=300s
    eap_identity=<username>
    leftupdown=/etc/ipsec.vti.sh
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config
    right=<VPN server name>
    rightauth=pubkey
    rightsubnet=0.0.0.0/0
    rightid=%any
    auto=add
/etc/ipsec.vti.sh
#!/bin/bash
set -o nounset
set -o errexit

STD_IF="enp0s5"
VTI_IF="vpn${PLUTO_UNIQUEID}"

case "${PLUTO_VERB}" in
    up-client)
        # okey/ikey take the numeric mark only, so the /mask suffix is stripped
        ip tunnel add "${VTI_IF}" local "${PLUTO_ME}" remote "${PLUTO_PEER}" mode vti \
            okey "${PLUTO_MARK_OUT%%/*}" ikey "${PLUTO_MARK_IN%%/*}"
        ip addr add "${PLUTO_MY_SOURCEIP}" dev "${VTI_IF}"
        sysctl -w "net.ipv4.conf.${VTI_IF}.disable_policy=1"
        ip link set "${VTI_IF}" up
        sysctl -w "net.ipv4.conf.all.rp_filter=2"
        sysctl -w "net.ipv4.conf.default.rp_filter=2"
        sysctl -w "net.ipv4.conf.${STD_IF}.rp_filter=2"
        ;;
    down-client)
        ip tunnel del "${VTI_IF}"
        ;;
esac
Extract after starting the interface...
sending packet: from 10.211.55.26[4500] to 46.166.179.50[4500] (160 bytes)
received packet: from 46.166.179.50[4500] to 10.211.55.26[4500] (336 bytes)
parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT)
N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
authentication of 'C=MY, ST=Wilayah Persekutuan, L=Labuan, O=eVenture
Limited, CN=*.hide.me' with EAP successful
IKE_SA VPNInterface[1] established between
10.211.55.26[10.211.55.26]...46.166.179.50[C=MY, ST=Wilayah Persekutuan,
L=Labuan, O=eVenture Limited, CN=*.hide.me]
scheduling reauthentication in 9773s
maximum IKE_SA lifetime 10313s
installing DNS server 46.166.179.49 via resolvconf
installing DNS server 46.166.179.51 via resolvconf
installing new virtual IP 10.3.142.180
selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
CHILD_SA VPNInterface{1} established with SPIs c592d4be_i ce5f4fa3_o and TS
10.3.142.180/32 === 0.0.0.0/0
updown: net.ipv4.conf.vpn1.disable_policy = 1
updown: net.ipv4.conf.all.rp_filter = 2
updown: net.ipv4.conf.default.rp_filter = 2
updown: net.ipv4.conf.enp0s5.rp_filter = 2
received AUTH_LIFETIME of 86400s, reauthentication already scheduled in
9773s
peer supports MOBIKE
connection 'VPNInterface' established successfully
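A quick check that reads the per-direction marks straight off the `ip xfrm state` format shown above, as an added example that is not part of the original post; the embedded sample dump is constructed from the state listed in the mail, with the keys omitted.

```shell
#!/bin/sh
# Summarise each SA in `ip xfrm state` output as one line
# "<src> <dst> <spi> <mark>", printing "none" where an SA carries no mark.
xfrm_marks() {
    awk '
        function flush() {
            if (src != "") print src, dst, spi, mark
            src = ""; dst = ""; spi = ""; mark = "none"
        }
        BEGIN { mark = "none" }
        $1 == "src"   { flush(); src = $2; dst = $4 }
        $1 == "proto" { for (i = 1; i <= NF; i++) if ($i == "spi") spi = $(i + 1) }
        $1 == "mark"  { mark = $2 }
        END { flush() }
    '
}

# Constructed sample: the two SAs from the post, keys and encap lines dropped.
SAMPLE_XFRM_STATE='src 10.211.55.26 dst 46.166.179.50
proto esp spi 0xce5f4fa3 reqid 1 mode tunnel
replay-window 0 flag af-unspec
mark 0x2/0xffffffff
src 46.166.179.50 dst 10.211.55.26
proto esp spi 0xc592d4be reqid 1 mode tunnel
replay-window 32 flag af-unspec'

# Print the summary and return 1 if any SA is unmarked, 0 otherwise.
check_marks() {
    printf '%s\n' "$SAMPLE_XFRM_STATE" | xfrm_marks | awk '
        { print; if ($4 == "none") missing++ }
        END { exit (missing > 0) }'
}

check_marks || echo "warning: at least one SA has no mark"
```

On a live host, pipe the real dump instead of the sample: `ip xfrm state | xfrm_marks`.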