Hi Meera,

try to set the marks in the PREROUTING chain as in my DiffServ example scenario:

http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log

And follow Martin's recommendation to use the same marks in the inbound and outbound direction.

Regards

Andreas

On 13.07.2011 12:45, Meera Sudhakar wrote:
> Hi Martin,
>
> Well I'm not exactly sure how but it does not seem to have any problem
> in sending the packets correctly. When there is no marking, the packets
> go just fine with the values I have given for the subnets (the ones
> you've pasted in your mail). So I thought this wouldn't be a problem.
>
> Pasting a part of tcpdump here when tunnels are created without marking:
> 23:10:20.699173 IP 192.168.255.77 > 192.168.255.75: ESP(spi=0xc1862a7a,seq=0x3b), length 164
> 23:10:21.699124 IP 192.168.255.75 > 192.168.255.77: ESP(spi=0xc5d25503,seq=0x3c), length 164
>
> # ipsec status
> Security Associations:
> tunnel1[2]: ESTABLISHED 5 minutes ago, 192.168.255.77[C=CH, O=strongSwan, CN=192.168.255.77]...192.168.255.75[C=CH, O=strongSwan, CN=192.168.255.75]
> tunnel1{1}: INSTALLED, TUNNEL, ESP SPIs: c5d25503_i c1862a7a_o
> tunnel1{1}: 192.168.255.0/24 === 192.168.255.0/24
>
> Also, replacing mark_in and mark_out with mark in ipsec.conf still gives
> the same result. I shall see if there is anything else I can do though.
>
> Thanks and regards,
> Meera
>
> On Wed, Jul 13, 2011 at 12:58 PM, Martin Willi <[email protected]> wrote:
>
> > Hi,
> >
> > > leftsubnet=192.168.255.0/24
> > > rightsubnet=192.168.255.0/24
> >
> > How should the routing work if you have the same subnet on both ends of
> > the tunnel? Where should a gateway send such packets to?
> >
> > > mark_in=11
> > > mark_out=10
> >
> > Using the same mark for in and out is probably simpler, you can set both
> > marks by using:
> >
> > mark=10
> >
> > Regards
> > Martin
>
> _______________________________________________
> Users mailing list
> [email protected]
> https://lists.strongswan.org/mailman/listinfo/users

--
======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
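
Added example, not part of the original thread and not strongSwan code: a small Python check that reads ipsec.conf-style conn sections and reports the two points raised above, a conn whose leftsubnet and rightsubnet overlap and a conn whose mark_in and mark_out differ. The sample configuration is constructed from the values quoted in the thread; the function names, the finding labels, the simplified parsing, and the rule that mark_in/mark_out take precedence over mark are assumptions.

```python
import ipaddress

# Constructed sample: tunnel1 uses the values quoted in the thread,
# tunnel2 is a made-up conn that follows the advice given.
SAMPLE_CONF = """\
conn tunnel1
    leftsubnet=192.168.255.0/24
    rightsubnet=192.168.255.0/24
    mark_in=11
    mark_out=10

conn tunnel2
    leftsubnet=10.1.0.0/16
    rightsubnet=10.2.0.0/16
    mark=10
"""

def parse_conns(text):
    """Collect key=value options per 'conn <name>' section (simplified parser)."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            parts = line.split()
            is_conn = len(parts) == 2 and parts[0] == "conn"
            current = conns.setdefault(parts[1], {}) if is_conn else None
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def nets(value):
    """Parse a comma-separated subnet list (plain CIDR entries only)."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in value.split(",")]

def check_conns(text):
    """Return (conn, finding) tuples for overlapping subnets and unequal marks."""
    findings = []
    for name, opts in parse_conns(text).items():
        left, right = opts.get("leftsubnet"), opts.get("rightsubnet")
        if left and right and any(a.version == b.version and a.overlaps(b)
                                  for a in nets(left) for b in nets(right)):
            findings.append((name, "overlapping-subnets"))
        # Assumption: mark= sets both directions unless mark_in/mark_out is given.
        mark_in = opts.get("mark_in", opts.get("mark"))
        mark_out = opts.get("mark_out", opts.get("mark"))
        if mark_in != mark_out:                   # compared as written, not numerically
            findings.append((name, "mark-mismatch"))
    return findings
```
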
