Re: [strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

2011-11-16 Thread Meera Sudhakar
Hi Andreas,

Ok, thanks a lot for the explanation. I had understood it the other way
round. It is now working with all DSCP values.

Thanks and regards,
Meera

On Tue, Nov 15, 2011 at 2:17 PM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hello Meera,
>
> you must differentiate between setting the DSCP value in the TOS
> field of the IP packets at the origin of the end-to-end IP route
> and marking these packets when they enter the VPN gateway and are
> ready to be tunneled via IPsec. These are two totally different
> tasks. Have a look at our demo example:
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
>
>   DSCP set-->                            <-- DSCP set
>   alice -- gw moon              gw sun -  bob
>            MARK set-->  IPsec  <--Mark set
>
> 1) Setting the DSCP value in the TOS field of IP packet at the
>   IP route end points alice and bob:
>
> alice# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
> bob#   iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
>
> 2) Setting a MARK by the VPN gateways moon and sun depending on the
>   DSCP value detected in the inbound plaintext IP packets:
>
> moon# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \
>   -j MARK --set-mark 10
>
> sun# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK
> --set-mark 10
>
> Regards
>
> Andreas
>
>
> On 11/15/2011 07:14 AM, Meera Sudhakar wrote:
>
>> Hello Andreas,
>> Yes, I agree with you.
>> I have first set the following rules in the mangle table on both
>> endpoints:
>> iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
>> iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp
>> --dscp-class EF
>> So with these rules, all traffic passing between the endpoints will be
>> marked with 10, and will have dscp EF. Since one of my tunnels has been
>> configured with mark=10 (in ipsec.conf), that means all these packets
>> should travel through this tunnel. In other words, I am only trying to
>> set dscp=EF for my first tunnel which has mark=10. I am not using the
>> second tunnel with mark=20 now. This worked fine when only the marking
>> was given in the iptables rules, without the dscp. So my understanding
>> is that I can use any one of the created tunnels at a time. Please
>> correct me if this is wrong.
>> Thanks,
>> Meera
>> On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen
>> <andreas.steffen@strongswan.org> wrote:
>>
>>Hello,
>>
>>you define only mark 10 but not mark 20. No traffic will go through
>>the tunnel without a mark (either 10 or 20) set.
>>
>>Regards
>>
>>Andreas
>>
>>On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
>> > Hi,
>> >
>> > My aim is to create two IPsec tunnels using strongSwan between two
>> > end-points, each having a different dscp marking (like say EF,
>>BE, AF31
>> > etc). Right now, I see that when I set the dscp marking as BE
>>(default),
>> > the traffic goes through the designated IPsec tunnel. When I use
>> > anything else, the traffic reaches the other end-point in plain-text
>> > (there is no encryption). I tried referring to your example in
>> >
>> http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
>> > I see that you are able to send encrypted traffic with dscp
>>marking EF
>> > and BE. I believe that the reason dscp-marked traffic does not flow
>> > through a tunnel could be because the tunnel does not have the
>> > 'capability' to handle that particular dscp-marking. Could you
>> please
>> > let me know if this is the case, and also if there is anything I
>>need to
>> > change (kernel version, strongSwan version, config file) to get this
>> > working. I have pasted the details of my end-points below, with
>>dscp set
>> > to EF:
>> >
>> > linux kernel version on both end-points: 2.6.35
>> > strongSwan version on both end-points: 4.5.2-1
>> >
>> > _End-point1:_
>> > # cat /etc/ipsec.conf
>> > # ipsec.conf - strongSwan IPsec configuration file
>> > # basic configuration
>> > config setup
>> > #plutostderrlog=/var/log/syslog
>> > # plutodebug=control
>> > # crlcheckinterval=600
>> > strictcrlpolicy=no
>> > # cachecrls=yes
>> > # nat_traversal=yes
>> > charonstart=yes
>> > charondebug=control
>> > plutostart=no
>> > # Add connections here.
>> >
>> > ca strongswan
>> > cacert=caCert.der
>> > auto=add
>> > conn %default
>> > type=tunnel
>> > left=169.254.0.70
>> > leftce

Re: [strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

2011-11-15 Thread Andreas Steffen
Hello Meera,

you must differentiate between setting the DSCP value in the TOS
field of the IP packets at the origin of the end-to-end IP route
and marking these packets when they enter the VPN gateway and are
ready to be tunneled via IPsec. These are two totally different
tasks. Have a look at our demo example:

http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log

  DSCP set-->                            <-- DSCP set
  alice -- gw moon              gw sun -  bob
           MARK set-->  IPsec  <--Mark set

1) Setting the DSCP value in the TOS field of IP packet at the
IP route end points alice and bob:

alice# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
bob#   iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE

2) Setting a MARK by the VPN gateways moon and sun depending on the
DSCP value detected in the inbound plaintext IP packets:

moon# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \
-j MARK --set-mark 10

sun# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK 
--set-mark 10

Regards

Andreas

On 11/15/2011 07:14 AM, Meera Sudhakar wrote:
> Hello Andreas,
> Yes, I agree with you.
> I have first set the following rules in the mangle table on both endpoints:
> iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
> iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp
> --dscp-class EF
> So with these rules, all traffic passing between the endpoints will be
> marked with 10, and will have dscp EF. Since one of my tunnels has been
> configured with mark=10 (in ipsec.conf), that means all these packets
> should travel through this tunnel. In other words, I am only trying to
> set dscp=EF for my first tunnel which has mark=10. I am not using the
> second tunnel with mark=20 now. This worked fine when only the marking
> was given in the iptables rules, without the dscp. So my understanding
> is that I can use any one of the created tunnels at a time. Please
> correct me if this is wrong.
> Thanks,
> Meera
> On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen
> <andreas.stef...@strongswan.org>
> wrote:
>
> Hello,
>
> you define only mark 10 but not mark 20. No traffic will go through
> the tunnel without a mark (either 10 or 20) set.
>
> Regards
>
> Andreas
>
> On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
>  > Hi,
>  >
>  > My aim is to create two IPsec tunnels using strongSwan between two
>  > end-points, each having a different dscp marking (like say EF,
> BE, AF31
>  > etc). Right now, I see that when I set the dscp marking as BE
> (default),
>  > the traffic goes through the designated IPsec tunnel. When I use
>  > anything else, the traffic reaches the other end-point in plain-text
>  > (there is no encryption). I tried referring to your example in
>  > http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
>  > I see that you are able to send encrypted traffic with dscp
> marking EF
>  > and BE. I believe that the reason dscp-marked traffic does not flow
>  > through a tunnel could be because the tunnel does not have the
>  > 'capability' to handle that particular dscp-marking. Could you please
>  > let me know if this is the case, and also if there is anything I
> need to
>  > change (kernel version, strongSwan version, config file) to get this
>  > working. I have pasted the details of my end-points below, with
> dscp set
>  > to EF:
>  >
>  > linux kernel version on both end-points: 2.6.35
>  > strongSwan version on both end-points: 4.5.2-1
>  >
>  > _End-point1:_
>  > # cat /etc/ipsec.conf
>  > # ipsec.conf - strongSwan IPsec configuration file
>  > # basic configuration
>  > config setup
>  > #plutostderrlog=/var/log/syslog
>  > # plutodebug=control
>  > # crlcheckinterval=600
>  > strictcrlpolicy=no
>  > # cachecrls=yes
>  > # nat_traversal=yes
>  > charonstart=yes
>  > charondebug=control
>  > plutostart=no
>  > # Add connections here.
>  >
>  > ca strongswan
>  > cacert=caCert.der
>  > auto=add
>  > conn %default
>  > type=tunnel
>  > left=169.254.0.70
>  > leftcert=VC1Cert.der
>  > right=169.254.1.70
>  > #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
>  > keyexchange=ikev2
>  > auto=start
>  > conn tunnel1
>  > leftid=@VC1-tunnel1
>  > rightid=@VC2-tunnel1
>  > leftsubnet=169.254.0.0/24 
> 
>  > rightsubnet=169.25
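The two-step scheme in Andreas's reply (DSCP written into the TOS byte by the end hosts, a fwmark set at the gateways by matching that DSCP, and the IPsec connection selected by its mark= value), as an added Python simulation. This is not code from the thread or from strongSwan. It assumes the mark-to-connection mapping from Meera's ipsec.conf (mark=10 for tunnel1, mark=20 for tunnel2), adds a hypothetical AF31 -> 20 gateway rule that the thread does not contain in order to exercise the second tunnel, and builds its IPv4 headers by hand as constructed samples.

```python
import struct

# DSCP code points behind the iptables --dscp-class names used in the thread
# (BE: RFC 2474 default, AF31: RFC 2597, EF: RFC 3246).
DSCP_CLASS = {"BE": 0x00, "AF31": 0x1A, "EF": 0x2E}

# Mark -> strongSwan connection, mirroring mark=10 / mark=20 in Meera's ipsec.conf.
POLICIES = {10: "tunnel1", 20: "tunnel2"}

# Gateway mangle PREROUTING rules as (DSCP class, mark). EF -> 10 is the rule from
# the thread; AF31 -> 20 is an assumption added here to exercise tunnel2.
MANGLE_RULES = [("EF", 10), ("AF31", 20)]


def tos_from_dscp(dscp, ecn=0):
    """Step 1 (end host): DSCP is the upper 6 bits of the TOS/DS byte, ECN the lower 2."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x03)


def dscp_from_tos(tos):
    """Inverse of tos_from_dscp: the 6 bits that `-m dscp` compares, ECN ignored."""
    return (tos >> 2) & 0x3F


def ip_to_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def build_ipv4_header(src, dst, dscp, proto=1):
    """Constructed 20-byte IPv4 header (checksum left 0; only the TOS byte matters here)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, tos_from_dscp(dscp), 20, 0, 0, 64, proto, 0,
        ip_to_bytes(src), ip_to_bytes(dst),
    )


def mangle_rule_command(gateway, dscp_class, mark):
    """Render one gateway rule in the form Andreas's example uses."""
    return (f"{gateway}# iptables -t mangle -A PREROUTING -m dscp "
            f"--dscp-class {dscp_class} -j MARK --set-mark {mark}")


def apply_mangle(header, rules=MANGLE_RULES):
    """Step 2 (gateway): the first matching rule sets the fwmark; no match leaves mark 0."""
    dscp = dscp_from_tos(header[1])
    for dscp_class, mark in rules:
        if DSCP_CLASS[dscp_class] == dscp:
            return mark
    return 0


def select_policy(mark, policies=POLICIES):
    """A conn with mark=N only matches packets carrying fwmark N; mark 0 matches none."""
    return policies.get(mark, "plaintext")


def route_packet(header, rules=MANGLE_RULES, policies=POLICIES):
    """Return (mark, outcome) for one plaintext packet entering the gateway."""
    mark = apply_mangle(header, rules)
    return mark, select_policy(mark, policies)


if __name__ == "__main__":
    src, dst = "169.254.0.70", "169.254.1.70"  # addresses from the thread's config
    for name, dscp in DSCP_CLASS.items():
        hdr = build_ipv4_header(src, dst, dscp)
        print(f"DSCP {name:4} (TOS 0x{hdr[1]:02x}) -> {route_packet(hdr)}")
    # With only the EF rule present, anything else carries mark 0 and leaves unprotected.
    only_ef = [("EF", 10)]
    print("AF31 with EF-only rules:",
          route_packet(build_ipv4_header(src, dst, DSCP_CLASS["AF31"]), only_ef))
    print(mangle_rule_command("moon", "EF", 10))
```

Run stand-alone, it shows EF packets landing in tunnel1, AF31 in tunnel2, and BE, which matches no rule, leaving with mark 0 and no policy, which is the plaintext symptom the thread starts from. Because both conns in the quoted ipsec.conf cover the same subnets, the mark is the only selector that differs between them, so an unmarked packet matches neither. On a real gateway the equivalent check is the packet counters in `iptables -t mangle -L -v` and the mark shown by `ip xfrm policy` for each installed policy.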

Re: [strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

2011-11-14 Thread Meera Sudhakar
Hello Andreas,

Yes, I agree with you.

I have first set the following rules in the mangle table on both endpoints:
iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class
EF

So with these rules, all traffic passing between the endpoints will be
marked with 10, and will have dscp EF. Since one of my tunnels has been
configured with mark=10 (in ipsec.conf), that means all these packets
should travel through this tunnel. In other words, I am only trying to set
dscp=EF for my first tunnel which has mark=10. I am not using the second
tunnel with mark=20 now. This worked fine when only the marking was given
in the iptables rules, without the dscp. So my understanding is that I can
use any one of the created tunnels at a time. Please correct me if this is
wrong.

Thanks,
Meera


On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen <
andreas.stef...@strongswan.org> wrote:

> Hello,
>
> you define only mark 10 but not mark 20. No traffic will go through
> the tunnel without a mark (either 10 or 20) set.
>
> Regards
>
> Andreas
>
> On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> > Hi,
> >
> > My aim is to create two IPsec tunnels using strongSwan between two
> > end-points, each having a different dscp marking (like say EF, BE, AF31
> > etc). Right now, I see that when I set the dscp marking as BE (default),
> > the traffic goes through the designated IPsec tunnel. When I use
> > anything else, the traffic reaches the other end-point in plain-text
> > (there is no encryption). I tried referring to your example in
> > http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
> > I see that you are able to send encrypted traffic with dscp marking EF
> > and BE. I believe that the reason dscp-marked traffic does not flow
> > through a tunnel could be because the tunnel does not have the
> > 'capability' to handle that particular dscp-marking. Could you please
> > let me know if this is the case, and also if there is anything I need to
> > change (kernel version, strongSwan version, config file) to get this
> > working. I have pasted the details of my end-points below, with dscp set
> > to EF:
> >
> > linux kernel version on both end-points: 2.6.35
> > strongSwan version on both end-points: 4.5.2-1
> >
> > _End-point1:_
> > # cat /etc/ipsec.conf
> > # ipsec.conf - strongSwan IPsec configuration file
> > # basic configuration
> > config setup
> > #plutostderrlog=/var/log/syslog
> > # plutodebug=control
> > # crlcheckinterval=600
> > strictcrlpolicy=no
> > # cachecrls=yes
> > # nat_traversal=yes
> > charonstart=yes
> > charondebug=control
> > plutostart=no
> > # Add connections here.
> >
> > ca strongswan
> > cacert=caCert.der
> > auto=add
> > conn %default
> > type=tunnel
> > left=169.254.0.70
> > leftcert=VC1Cert.der
> > right=169.254.1.70
> > #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
> > keyexchange=ikev2
> > auto=start
> > conn tunnel1
> > leftid=@VC1-tunnel1 
> > rightid=@VC2-tunnel1 
> > leftsubnet=169.254.0.0/24 
> > rightsubnet=169.254.1.0/24 
> > mark=10
> > conn tunnel2
> > leftid=@VC1-tunnel2 
> > rightid=@VC2-tunnel2 
> > leftsubnet=169.254.0.0/24 
> > rightsubnet=169.254.1.0/24 
> > mark=20
> >
> > # ipsec status
> > Security Associations:
> >  tunnel1[1]: ESTABLISHED 37 seconds ago,
> > 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
> >  tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
> >  tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
> >  tunnel2[2]: ESTABLISHED 37 seconds ago,
> > 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
> >  tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
> >  tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
> >
> > # iptables -L -t mangle
> > Chain PREROUTING (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
> > Chain POSTROUTING (policy ACCEPT)
> > target prot opt source  

Re: [strongSwan] Traffic with dscp marking (other than BE) not going through IPsec tunnel

2011-11-14 Thread Andreas Steffen
Hello,

you define only mark 10 but not mark 20. No traffic will go through
the tunnel without a mark (either 10 or 20) set.

Regards

Andreas

On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> Hi,
>  
> My aim is to create two IPsec tunnels using strongSwan between two
> end-points, each having a different dscp marking (like say EF, BE, AF31
> etc). Right now, I see that when I set the dscp marking as BE (default),
> the traffic goes through the designated IPsec tunnel. When I use
> anything else, the traffic reaches the other end-point in plain-text
> (there is no encryption). I tried referring to your example in
> http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
> I see that you are able to send encrypted traffic with dscp marking EF
> and BE. I believe that the reason dscp-marked traffic does not flow
> through a tunnel could be because the tunnel does not have the
> 'capability' to handle that particular dscp-marking. Could you please
> let me know if this is the case, and also if there is anything I need to
> change (kernel version, strongSwan version, config file) to get this
> working. I have pasted the details of my end-points below, with dscp set
> to EF:
>  
> linux kernel version on both end-points: 2.6.35
> strongSwan version on both end-points: 4.5.2-1
>  
> _End-point1:_
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
> #plutostderrlog=/var/log/syslog
> # plutodebug=control
> # crlcheckinterval=600
> strictcrlpolicy=no
> # cachecrls=yes
> # nat_traversal=yes
> charonstart=yes
> charondebug=control
> plutostart=no
> # Add connections here.
> 
> ca strongswan
> cacert=caCert.der
> auto=add
> conn %default
> type=tunnel
> left=169.254.0.70
> leftcert=VC1Cert.der
> right=169.254.1.70
> #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
> keyexchange=ikev2
> auto=start
> conn tunnel1
> leftid=@VC1-tunnel1 
> rightid=@VC2-tunnel1 
> leftsubnet=169.254.0.0/24 
> rightsubnet=169.254.1.0/24 
> mark=10
> conn tunnel2
> leftid=@VC1-tunnel2 
> rightid=@VC2-tunnel2 
> leftsubnet=169.254.0.0/24 
> rightsubnet=169.254.1.0/24 
> mark=20
> 
> # ipsec status
> Security Associations:
>  tunnel1[1]: ESTABLISHED 37 seconds ago,
> 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
>  tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
>  tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
>  tunnel2[2]: ESTABLISHED 37 seconds ago,
> 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
>  tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
>  tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
> 
> # iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere             DSCP match 0x2e MARK set 0xa
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> # ping 169.254.1.70
> PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
> 64 bytes from 169.254.1.70 : icmp_req=1 ttl=63 time=0.192 ms
> 64 bytes from 169.254.1.70 : icmp_req=2 ttl=63 time=0.129 ms
> ^C
> --- 169.254.1.70 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
>  
> _End-point 2:_
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
> # plutodebug=control
> # crlcheckinterval=600
>  strictcrlpolicy=no
> # cachecrls=yes
> # nat_traversal=yes
> charonstart=yes
> plutostart=no
> charondebug=control
> # Add connections here.
> 
> ca strongswan
> cacert=caCert.der
> auto=add
> conn %default
> type=tunnel
> left=169.254.1.70
> leftcert=VC2Cert.der
> right=169.254.0.70
> #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
> keyexchange=ikev2
> auto=start
> conn tunnel1
> leftid=@VC2-tunn