Hello, you define only mark 10 but not mark 20. No traffic will go through the tunnel without a mark (either 10 or 20) set.
Regards
Andreas

On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> Hi,
>
> My aim is to create two IPsec tunnels using strongSwan between two
> end-points, each having a different DSCP marking (like say EF, BE, AF31
> etc). Right now, I see that when I set the DSCP marking as BE (default),
> the traffic goes through the designated IPsec tunnel. When I use
> anything else, the traffic reaches the other end-point in plain-text
> (there is no encryption). I tried referring to your example in
> http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html.
> I see that you are able to send encrypted traffic with DSCP marking EF
> and BE. I believe that the reason DSCP-marked traffic does not flow
> through a tunnel could be because the tunnel does not have the
> 'capability' to handle that particular DSCP marking. Could you please
> let me know if this is the case, and also if there is anything I need to
> change (kernel version, strongSwan version, config file) to get this
> working. I have pasted the details of my end-points below, with DSCP set
> to EF:
>
> Linux kernel version on both end-points: 2.6.35
> strongSwan version on both end-points: 4.5.2-1
>
> _End-point 1:_
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         #plutostderrlog=/var/log/syslog
>         # plutodebug=control
>         # crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         charondebug=control
>         plutostart=no
> # Add connections here.
>
> ca strongswan
>         cacert=caCert.der
>         auto=add
> conn %default
>         type=tunnel
>         left=169.254.0.70
>         leftcert=VC1Cert.der
>         right=169.254.1.70
>         #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
>         keyexchange=ikev2
>         auto=start
> conn tunnel1
>         leftid=@VC1-tunnel1
>         rightid=@VC2-tunnel1
>         leftsubnet=169.254.0.0/24
>         rightsubnet=169.254.1.0/24
>         mark=10
> conn tunnel2
>         leftid=@VC1-tunnel2
>         rightid=@VC2-tunnel2
>         leftsubnet=169.254.0.0/24
>         rightsubnet=169.254.1.0/24
>         mark=20
>
> # ipsec status
> Security Associations:
>     tunnel1[1]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
>     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
>     tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
>     tunnel2[2]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
>     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
>     tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
>
> # iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> # ping 169.254.1.70
> PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
> 64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
> 64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
> ^C
> --- 169.254.1.70 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
>
> _End-point 2:_
> # cat /etc/ipsec.conf
> # ipsec.conf - strongSwan IPsec configuration file
> # basic configuration
> config setup
>         # plutodebug=control
>         # crlcheckinterval=600
>         strictcrlpolicy=no
>         # cachecrls=yes
>         # nat_traversal=yes
>         charonstart=yes
>         plutostart=no
>         charondebug=control
> # Add connections here.
>
> ca strongswan
>         cacert=caCert.der
>         auto=add
> conn %default
>         type=tunnel
>         left=169.254.1.70
>         leftcert=VC2Cert.der
>         right=169.254.0.70
>         #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
>         keyexchange=ikev2
>         auto=start
> conn tunnel1
>         leftid=@VC2-tunnel1
>         rightid=@VC1-tunnel1
>         leftsubnet=169.254.1.0/24
>         rightsubnet=169.254.0.0/24
>         mark=10
> conn tunnel2
>         leftid=@VC2-tunnel2
>         rightid=@VC1-tunnel2
>         leftsubnet=169.254.1.0/24
>         rightsubnet=169.254.0.0/24
>         mark=20
>
> # ipsec status
> Security Associations:
>     tunnel1[3]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
>     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
>     tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
>     tunnel2[4]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
>     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
>     tunnel2{4}:   169.254.1.0/24 === 169.254.0.0/24
>
> # iptables -L -t mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> # tcpdump -i eth2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
> 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64
> 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64
> 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64
> 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64
>
> Could you please let me know if there is anything more I need to do? The
> above works fine only when DSCP is set to BE.
>
> Thanks and regards,
> Meera

======================================================================
Andreas Steffen                         andreas.stef...@strongswan.org
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
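The point of Andreas's reply is a consistency check between two places that must agree: every `mark=` value in a strongSwan conn needs a mangle rule that actually sets that fwmark, and every DSCP class you expect to be protected needs a rule mapping it to one of those marks. Traffic whose DSCP has no mapping (or maps to a mark no conn uses) matches no marked IPsec policy and leaves in plain text. The script below is an added example (not from the thread, not strongSwan code) that automates that check: it parses `mark=` values out of an `ipsec.conf` and the `DSCP match 0x..MARK set 0x..` lines out of `iptables -L -t mangle` output in the fused form quoted above, then reports which tunnel (if any) each DSCP class ends up in and which conns have a mark that nothing ever sets. The config and rule text are constructed to mirror end-point 1 in the thread; `MANGLE_OUTPUT_FIXED` is my own hypothetical ruleset that adds the missing mapping for mark 20. Only the plain `mark=N` form is handled (no `mark=N/mask`, `mark_in`/`mark_out`, or marks inherited from `conn %default`).

```python
"""Cross-check strongSwan conn marks against iptables mangle MARK rules.

Constructed example: the ipsec.conf and `iptables -L -t mangle` text below
are modelled on the outputs quoted in the thread; all function names are
my own and not part of strongSwan.
"""
import re

# DSCP class names and code points (RFC 2474 default, RFC 2597 AF, RFC 3246 EF).
DSCP_CODEPOINTS = {"BE": 0x00, "AF31": 0x1a, "EF": 0x2e}

# Constructed ipsec.conf excerpt, as on end-point 1 in the thread.
IPSEC_CONF = """\
config setup
        charonstart=yes
conn %default
        type=tunnel
        keyexchange=ikev2
        auto=start
conn tunnel1
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=10
conn tunnel2
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=20
"""

# Constructed `iptables -L -t mangle` output (OUTPUT chain only), in the
# fused "0x2eMARK set 0xa" form that iptables -L prints: only EF -> mark 10.
MANGLE_OUTPUT = """\
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
"""

# Hypothetical corrected ruleset: BE (0x00) additionally mapped to mark 20 (0x14).
MANGLE_OUTPUT_FIXED = MANGLE_OUTPUT + (
    "MARK       all  --  anywhere             anywhere             "
    "DSCP match 0x00MARK set 0x14\n"
)

MARK_RULE = re.compile(r"DSCP match (0x[0-9a-f]+)MARK set (0x[0-9a-f]+)")


def parse_conn_marks(conf_text):
    """Return {conn_name: mark} for every conn section that sets mark=N."""
    marks = {}
    current = None
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()   # drop comments
        if stripped.startswith("conn "):
            current = stripped.split(None, 1)[1]
        elif current and stripped.startswith("mark="):
            value = stripped.split("=", 1)[1]
            marks[current] = int(value, 0)          # accepts "10" or "0xa"
    return marks


def parse_dscp_marks(iptables_text):
    """Return {dscp_codepoint: fwmark} from `iptables -L -t mangle` output."""
    mapping = {}
    for line in iptables_text.splitlines():
        m = MARK_RULE.search(line)
        if m:
            mapping[int(m.group(1), 16)] = int(m.group(2), 16)
    return mapping


def tunnel_for_dscp(dscp_class, conn_marks, dscp_marks):
    """Conn whose mark the DSCP class is mapped to, or None.

    None means packets of that class carry no fwmark (or one no conn uses),
    so no marked IPsec policy matches and they are sent unprotected.
    """
    mark = dscp_marks.get(DSCP_CODEPOINTS[dscp_class])
    if mark is None:
        return None
    for conn, conn_mark in conn_marks.items():
        if conn_mark == mark:
            return conn
    return None


def unreferenced_marks(conn_marks, dscp_marks):
    """Conns whose mark no mangle rule sets: a tunnel that nothing can use."""
    used = set(dscp_marks.values())
    return sorted(conn for conn, mark in conn_marks.items() if mark not in used)


def audit(conf_text=IPSEC_CONF, iptables_text=MANGLE_OUTPUT):
    """Map every DSCP class to its tunnel and list conns with an unused mark."""
    conn_marks = parse_conn_marks(conf_text)
    dscp_marks = parse_dscp_marks(iptables_text)
    routing = {cls: tunnel_for_dscp(cls, conn_marks, dscp_marks)
               for cls in DSCP_CODEPOINTS}
    return routing, unreferenced_marks(conn_marks, dscp_marks)


if __name__ == "__main__":
    for label, rules in (("as posted", MANGLE_OUTPUT), ("with BE -> 20", MANGLE_OUTPUT_FIXED)):
        routing, idle = audit(iptables_text=rules)
        print(f"[{label}]")
        for cls, conn in routing.items():
            print(f"  {cls:5} -> {conn or 'NO TUNNEL (sent unprotected)'}")
        print("  conns whose mark no rule sets:", idle)
```

Run against the posted configuration the audit shows EF landing in tunnel1, BE and AF31 with no tunnel at all, and tunnel2 as a conn whose mark 20 is never set; with the added BE rule, BE is carried by tunnel2 and no conn is left idle. Mapping in the OUTPUT chain covers locally generated packets, as in the thread's ping test; forwarded packets take the PREROUTING rule, so both chains need the same mapping.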