[strongSwan] Problem with mark_out on re-marked packets

Felipe Arturo Polanco felipeapolanco at gmail.com
Mon Oct 22 17:19:10 CEST 2018


Hi,

We are facing a strange issue where, if a packet is re-marked by
iptables, strongSwan doesn't allow it to go out through the tunnel.

example:
myvpn1 (site to site)
mark_in = 1
mark_out = 1
local_ts = 0.0.0.0/0
remote_ts = 10.0.0.0/8

myvpn2 (site to site)
mark_in = 2
mark_out = 2
local_ts = 0.0.0.0/0
remote_ts = 172.16.0.0/24

The traffic is to be forwarded between myvpn1 and myvpn2: src 10.0.0.1,
dst 172.16.0.1.
We mark the traffic coming from myvpn1 with:
iptables -t mangle -I PREROUTING -s a.a.a.a/32 -j MARK --set-xmark 1
(a.a.a.a is the public IP of myvpn1.)

That way we satisfy the condition of mark_in for myvpn1.
We see the packet coming in, as the 'in' counter increases and tcpdump shows
the decapsulated packet.

We have this other rule in iptables:
iptables -t mangle -I POSTROUTING -d 172.16.0.0/24 -j MARK --set-xmark 2
With this we mark all traffic destined to 172.16.0.0/24 with a mark of 2.

The problem is that the packets re-marked from 1 to 2 are not going through
the tunnel at all; the 'out' counter of myvpn2 doesn't increase.

We do see the packet being correctly re-marked to '2' using the iptables TRACE
target in the raw table.

If we change mark_out to 1 in myvpn2 and remove the --set-xmark 2 rule from
iptables, it works fine and the packet gets forwarded.

Any idea what could be the trouble in here?

Thanks,
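The following is an added illustration, not the poster's configuration or any strongSwan code: a small Python model of where a forwarded packet's fwmark is read on the Linux IPsec path. It assumes two things about the kernel forward path: that the outbound xfrm policy lookup for a forwarded packet happens in ip_forward, before the mangle FORWARD and POSTROUTING chains run, and that the decapsulated inner packet keeps the mark that the ESP packet it arrived in was given in PREROUTING (which is also why mark_out = 1 on myvpn2 works in the post). The class and function names and the rule list are constructed for the example; the connection selectors and marks are the ones from the mail.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed model of a child SA as seen by the outbound policy lookup.
@dataclass
class Conn:
    name: str
    local_ts: str
    remote_ts: str
    mark_out: int

# Constructed model of a mangle rule '-d <dst> -j MARK --set-xmark <mark>'.
@dataclass
class MarkRule:
    chain: str            # "PREROUTING", "FORWARD" or "POSTROUTING"
    dst: Optional[str]    # None matches any destination
    mark: int

@dataclass
class Packet:
    src: str
    dst: str
    mark: int = 0
    trace: List[str] = field(default_factory=list)

def _in(addr: str, net: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)

def run_chain(pkt: Packet, rules: List[MarkRule], chain: str) -> None:
    """Apply every MARK rule of one mangle chain that matches the packet."""
    for r in rules:
        if r.chain == chain and (r.dst is None or _in(pkt.dst, r.dst)):
            pkt.mark = r.mark
            pkt.trace.append(f"mangle {chain}: mark set to {r.mark}")

def lookup_out_policy(pkt: Packet, conns: List[Conn]) -> Optional[str]:
    """Return the connection whose selectors and mark_out match the packet
    with the mark it carries at lookup time, or None if nothing matches."""
    for c in conns:
        if _in(pkt.src, c.local_ts) and _in(pkt.dst, c.remote_ts) \
                and pkt.mark == c.mark_out:
            return c.name
    return None

def forward_decapsulated(pkt: Packet, rules: List[MarkRule],
                         conns: List[Conn]) -> Optional[str]:
    """Assumed order on the Linux forward path: mangle PREROUTING, then the
    xfrm outbound lookup (ip_forward), then mangle FORWARD and POSTROUTING.
    Marks set after the lookup no longer influence which policy was chosen."""
    run_chain(pkt, rules, "PREROUTING")
    chosen = lookup_out_policy(pkt, conns)
    pkt.trace.append(f"xfrm outbound lookup saw mark {pkt.mark}: "
                     f"{chosen or 'no policy'}")
    run_chain(pkt, rules, "FORWARD")
    run_chain(pkt, rules, "POSTROUTING")
    return chosen

# Selectors and marks as given in the mail.
CONNS = [Conn("myvpn1", "0.0.0.0/0", "10.0.0.0/8", mark_out=1),
         Conn("myvpn2", "0.0.0.0/0", "172.16.0.0/24", mark_out=2)]

def _inner_packet() -> Packet:
    # The inner packet inherits mark 1 from the ESP packet that matched
    # '-s a.a.a.a/32 -j MARK --set-xmark 1' in PREROUTING (assumption).
    return Packet("10.0.0.1", "172.16.0.1", mark=1)

def posted_setup():
    """Re-mark to 2 in POSTROUTING, as in the mail."""
    pkt = _inner_packet()
    rules = [MarkRule("POSTROUTING", "172.16.0.0/24", 2)]
    return forward_decapsulated(pkt, rules, CONNS), pkt.trace

def prerouting_setup():
    """Same re-mark placed in PREROUTING, before the lookup."""
    pkt = _inner_packet()
    rules = [MarkRule("PREROUTING", "172.16.0.0/24", 2)]
    return forward_decapsulated(pkt, rules, CONNS), pkt.trace

if __name__ == "__main__":
    for label, fn in (("POSTROUTING re-mark", posted_setup),
                      ("PREROUTING re-mark", prerouting_setup)):
        chosen, trace = fn()
        print(f"{label}: policy = {chosen}")
        for line in trace:
            print("   ", line)
```

With the POSTROUTING rule the lookup still sees mark 1: myvpn1 fails on remote_ts and myvpn2 fails on mark_out, so no outbound policy is selected even though a TRACE in the raw table shows mark 2 afterwards. Moving the same rule to PREROUTING lets the lookup see mark 2 and select myvpn2. On a real host, `ip xfrm policy` shows the mark each outbound policy requires, which is the value to compare against the mark the packet carries at that point.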