Hi Andreas,

Thanks for the suggestion. I tried it out, but marking in PREROUTING does not send the packets through the tunnel (tcpdump shows it is not encrypted).

00:24:54.806215 IP 192.168.255.75 > 192.168.255.77: ICMP echo request, id 9330, seq 40, length 64
00:24:55.814320 IP 192.168.255.75 > 192.168.255.77: ICMP echo request, id 9330, seq 41, length 64
00:24:56.822434 IP 192.168.255.75 > 192.168.255.77: ICMP echo request, id 9330, seq 42, length 64

When I set the mark in OUTPUT, I at least see a one-way flow of encrypted packets (through the tunnel that also has the same marking). There are still no acknowledgement packets. I saw that it is working fine in the example you mentioned though. Do you know of anything else I can try?

Thank you!
Meera

On Wed, Jul 13, 2011 at 6:29 PM, Andreas Steffen <[email protected]> wrote:
> Hi Meera,
>
> try to set the marks in the PREROUTING chain as in my DiffServ
> example scenario:
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
>
> And follow Martin's recommendation to use the same marks in the
> inbound and outbound direction.
>
> Regards
>
> Andreas
>
> On 13.07.2011 12:45, Meera Sudhakar wrote:
> > Hi Martin,
> >
> > Well I'm not exactly sure how but it does not seem to have any problem
> > in sending the packets correctly. When there is no marking, the packets
> > go just fine with the values I have given for the subnets (the ones
> > you've pasted in your mail). So I thought this wouldn't be a problem.
> >
> > Pasting a part of tcpdump here when tunnels are created without marking:
> >
> > 23:10:20.699173 IP 192.168.255.77 > 192.168.255.75: ESP(spi=0xc1862a7a,seq=0x3b), length 164
> > 23:10:21.699124 IP 192.168.255.75 > 192.168.255.77: ESP(spi=0xc5d25503,seq=0x3c), length 164
> >
> > # ipsec status
> > Security Associations:
> > tunnel1[2]: ESTABLISHED 5 minutes ago, 192.168.255.77[C=CH, O=strongSwan, CN=192.168.255.77]...192.168.255.75[C=CH, O=strongSwan, CN=192.168.255.75]
> > tunnel1{1}: INSTALLED, TUNNEL, ESP SPIs: c5d25503_i c1862a7a_o
> > tunnel1{1}: 192.168.255.0/24 === 192.168.255.0/24
> >
> > Also, replacing mark_in and mark_out with mark in ipsec.conf still gives
> > the same result. I shall see if there is anything else I can do though.
> >
> > Thanks and regards,
> > Meera
> >
> > On Wed, Jul 13, 2011 at 12:58 PM, Martin Willi <[email protected]> wrote:
> >
> > Hi,
> >
> > > leftsubnet=192.168.255.0/24
> > > rightsubnet=192.168.255.0/24
> >
> > How should the routing work if you have the same subnet on both ends of
> > the tunnel? Where should a gateway send such packets to?
> >
> > > mark_in=11
> > > mark_out=10
> >
> > Using the same mark for in and out is probably simpler, you can set both
> > marks by using:
> >
> > mark=10
> >
> > Regards
> > Martin
> >
> > _______________________________________________
> > Users mailing list
> > [email protected]
> > https://lists.strongswan.org/mailman/listinfo/users
>
> --
> ======================================================================
> Andreas Steffen [email protected]
> strongSwan - the Linux VPN Solution!
> www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
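The advice in this thread (one mark for both directions, marks applied in PREROUTING as in the DiffServ scenario, distinct subnets on the two ends) pulled together into a single ipsec.conf fragment, as an added example that is not from the thread or from the strongSwan project. The gateway addresses are the ones from the thread; the subnets 10.1.0.0/16 and 10.2.0.0/16 and the interface name eth0 are constructed, and the netfilter rules assume the usual Linux XFRM behaviour where both policy and SA lookups include the fwmark.

```conf
# /etc/ipsec.conf on gateway 192.168.255.75; the peer 192.168.255.77 mirrors
# this with left/right swapped. Subnets 10.1.0.0/16 and 10.2.0.0/16 are
# constructed for the example (the thread used 192.168.255.0/24 on both ends,
# which leaves the gateway no way to decide where to route such packets).
conn tunnel1
        left=192.168.255.75
        leftsubnet=10.1.0.0/16
        right=192.168.255.77
        rightsubnet=10.2.0.0/16
        # asymmetric marks as in the original setup:
        #mark_in=11
        #mark_out=10
        # one mark for both directions, as suggested in the thread:
        mark=10
        auto=start

# Netfilter side, given as comments so the whole block stays one fragment.
# Once a mark is configured, the IPsec policies strongSwan installs only
# match packets carrying that fwmark: anything that should use the tunnel
# but is not marked leaves in the clear, which is what the plaintext ICMP
# lines in the tcpdump above show. So the mark has to be set on every path.
#
#   Transit traffic from the local subnet (PREROUTING, as in the DiffServ scenario):
#   iptables -t mangle -A PREROUTING -s 10.1.0.0/16 -d 10.2.0.0/16 -j MARK --set-mark 10
#
#   Traffic generated on the gateway itself never passes PREROUTING, so it
#   needs the same rule in OUTPUT (the one-way flow seen with OUTPUT alone):
#   iptables -t mangle -A OUTPUT -s 10.1.0.0/16 -d 10.2.0.0/16 -j MARK --set-mark 10
#
#   The inbound SA is looked up by mark as well, so ESP from the peer must be
#   marked before decapsulation or the replies are dropped:
#   iptables -t mangle -A PREROUTING -p esp -s 192.168.255.77 -j MARK --set-mark 10
#
#   Check: between the gateways only ESP should be on the wire. This filter
#   should print nothing; any plaintext ICMP here means a path is unmarked:
#   tcpdump -ni eth0 host 192.168.255.77 and not esp and not udp port 500
```

The peer needs the mirror image of the three mangle rules with its own subnets and 192.168.255.75 as the ESP source, since a mark only has meaning on the host that sets it.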
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
