Hi Martin,

Sorry for the late response. I was caught up with some other tasks and did not get time to work on this.

As you mentioned, my IPs did not match initially. Now they do, and I see that encrypted traffic is passing between the endpoints. But I see that all the traffic uses tunnel 2 and not tunnel 1 (going by the SPI). Do you have any idea why this happens?

Also, I tried to look into the "mark" option you had mentioned, but somehow I couldn't get any clear info. All I got is, ipsec.conf.5 has the parameters "mark", "mark_in" and "mark_out", and these set xfrm marks on the SAs. The iptables are automatically updated. But I could not find any info on how to use them. Is there any link you can share?

Some examples from the strongswan website (http://www.strongswan.org/uml/testresults/ikev2/rw-mark-in-out/) showed me that they are used as below in ipsec.conf of the peer:

    conn alice
        [email protected]
        mark_in=10/0xffffffff
        mark_out=11/0xffffffff
        also=sun
        auto=add

    conn venus
        [email protected]
        mark_in=20     #0xffffffff is used by default
        mark_out=21    #0xffffffff is used by default
        also=sun
        auto=add

But I would like to know what these values mean (10, 11, 20, 21) and how they help in sending traffic through a particular tunnel only.

I need to try and set up multiple tunnels, and then send traffic through each one of them, and then all of them together, in order to compare performances.

I'd really appreciate some help on this.

Thanks and regards,
Meera

On Wed, May 4, 2011 at 1:57 PM, Martin Willi <[email protected]> wrote:
>
> > When I try to ping one peer from the other, the packets go across
> > without encryption. In other words, it does not go through either
> > tunnel.
>
> Does your ping use the correct addresses to match your tunnel
> (192.168.10.0/24 === 172.16.10.0/24)?
>
> > can I specify which tunnel should be used for what?
>
> Why do you use two tunnels in the first place?
>
> You can use Netfilter firewall marks to tag traffic using IPtables for a
> specific tunnel. Have a look at the "mark" option in ipsec.conf.5.
>
> Regards
> Martin
>
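How a mark value and mask tie marked traffic to one tunnel, as an added illustration that is not part of the original thread or of strongSwan's code: it models the masked comparison Linux applies to xfrm marks, using the connection names and mark values quoted in the message. The function names and the packet marks are hypothetical, constructed for the example.

```python
# Added illustration: models how a packet's Netfilter mark is compared with the
# value/mask of each connection's mark_out setting. Connection names and mark
# values are the ones quoted in the message; the packet marks are constructed.

DEFAULT_MASK = 0xFFFFFFFF  # mask applied when only a value is given


def parse_mark(spec):
    """Parse 'value' or 'value/mask' (decimal or 0x hex) into (value, mask)."""
    value, _, mask = spec.partition("/")
    m = int(mask, 0) if mask else DEFAULT_MASK
    return int(value, 0) & m, m


def mark_matches(packet_mark, spec):
    """Masked comparison: only the bits selected by the mask are compared."""
    value, mask = parse_mark(spec)
    return (packet_mark & mask) == value


def select_conn(packet_mark, conns):
    """Return the first connection whose mark_out matches the packet, else None."""
    for name, settings in conns.items():
        if mark_matches(packet_mark, settings["mark_out"]):
            return name
    return None  # unmarked or differently marked traffic matches neither policy


# mark_in / mark_out values from the quoted ipsec.conf excerpt
CONNS = {
    "alice": {"mark_in": "10/0xffffffff", "mark_out": "11/0xffffffff"},
    "venus": {"mark_in": "20", "mark_out": "21"},
}

if __name__ == "__main__":
    for pkt in (11, 21, 0, 0x10B):  # constructed packet marks
        print(f"packet mark {pkt:#x} -> {select_conn(pkt, CONNS)}")
    # With a narrower mask only the low byte is compared, so 0x10b matches 11.
    print(mark_matches(0x10B, "11/0xff"))
```

The numbers themselves carry no meaning beyond being distinct labels: a packet is tied to a tunnel only when the mark set on it by the firewall equals that connection's value under the mask.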
