Hello Meera,

you must differentiate between setting the DSCP value in the TOS field of
the IP packets at the origin of the end-to-end IP route and marking these
packets when they enter the VPN gateway and are ready to be tunneled via
IPsec. These are two totally different tasks. Have a look at our demo
example:

http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log

  DSCP set-->                                            <-- DSCP set
  alice ------ gw moon ================ gw sun --------- bob
                 MARK set-->     IPsec     <--Mark set

1) Setting the DSCP value in the TOS field of IP packet at the IP route
   end points alice and bob:

   alice# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE

   bob#   iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE

2) Setting a MARK by the VPN gateways moon and sun depending on the DSCP
   value detected in the inbound plaintext IP packets:

   moon# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \
                  -j MARK --set-mark 10

   sun#  iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \
                  -j MARK --set-mark 10

Regards

Andreas

On 11/15/2011 07:14 AM, Meera Sudhakar wrote:
> Hello Andreas,
>
> Yes, I agree with you.
>
> I have first set the following rules in the mangle table on both endpoints:
>
> iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
> iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class EF
>
> So with these rules, all traffic passing between the endpoints will be
> marked with 10, and will have dscp EF. Since one of my tunnels has been
> configured with mark=10 (in ipsec.conf), that means all these packets
> should travel through this tunnel. In other words, I am only trying to
> set dscp=EF for my first tunnel which has mark=10. I am not using the
> second tunnel with mark=20 now. This worked fine when only the marking
> was given in the iptables rules, without the dscp. So my understanding
> is that I can use any one of the created tunnels at a time. Please
> correct me if this is wrong.
>
> Thanks,
> Meera
>
> On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen <[email protected]> wrote:
> > Hello,
> >
> > you define only mark 10 but not mark 20. No traffic will go through
> > the tunnel without a mark (either 10 or 20) set.
> >
> > Regards
> >
> > Andreas
> >
> > On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
> > > Hi,
> > >
> > > My aim is to create two IPsec tunnels using strongSwan between two
> > > end-points, each having a different dscp marking (like say EF, BE, AF31
> > > etc). Right now, I see that when I set the dscp marking as BE (default),
> > > the traffic goes through the designated IPsec tunnel. When I use
> > > anything else, the traffic reaches the other end-point in plain-text
> > > (there is no encryption). I tried referring to your example in
> > >
> > > http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html
> > >
> > > I see that you are able to send encrypted traffic with dscp marking EF
> > > and BE. I believe that the reason dscp-marked traffic does not flow
> > > through a tunnel could be because the tunnel does not have the
> > > 'capability' to handle that particular dscp-marking. Could you please
> > > let me know if this is the case, and also if there is anything I need to
> > > change (kernel version, strongSwan version, config file) to get this
> > > working. I have pasted the details of my end-points below, with dscp set
> > > to EF:
> > >
> > > linux kernel version on both end-points: 2.6.35
> > > strongSwan version on both end-points: 4.5.2-1
> > >
> > > _End-point1:_
> > > # cat /etc/ipsec.conf
> > > # ipsec.conf - strongSwan IPsec configuration file
> > >
> > > # basic configuration
> > >
> > > config setup
> > >         #plutostderrlog=/var/log/syslog
> > >         # plutodebug=control
> > >         # crlcheckinterval=600
> > >         strictcrlpolicy=no
> > >         # cachecrls=yes
> > >         # nat_traversal=yes
> > >         charonstart=yes
> > >         charondebug=control
> > >         plutostart=no
> > >
> > > # Add connections here.
> > >
> > > ca strongswan
> > >         cacert=caCert.der
> > >         auto=add
> > >
> > > conn %default
> > >         type=tunnel
> > >         left=169.254.0.70
> > >         leftcert=VC1Cert.der
> > >         right=169.254.1.70
> > >         #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
> > >         keyexchange=ikev2
> > >         auto=start
> > >
> > > conn tunnel1
> > >         leftid=@VC1-tunnel1
> > >         rightid=@VC2-tunnel1
> > >         leftsubnet=169.254.0.0/24
> > >         rightsubnet=169.254.1.0/24
> > >         mark=10
> > >
> > > conn tunnel2
> > >         leftid=@VC1-tunnel2
> > >         rightid=@VC2-tunnel2
> > >         leftsubnet=169.254.0.0/24
> > >         rightsubnet=169.254.1.0/24
> > >         mark=20
> > >
> > > # ipsec status
> > > Security Associations:
> > >     tunnel1[1]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
> > >     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
> > >     tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
> > >     tunnel2[2]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
> > >     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
> > >     tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
> > >
> > > # iptables -L -t mangle
> > > Chain PREROUTING (policy ACCEPT)
> > > target     prot opt source               destination
> > > MARK       all  --  anywhere             anywhere            DSCP match 0x2e MARK set 0xa
> > >
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > MARK       all  --  anywhere             anywhere            DSCP match 0x2e MARK set 0xa
> > >
> > > Chain POSTROUTING (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > # ping 169.254.1.70
> > > PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
> > > 64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
> > > 64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
> > > ^C
> > > --- 169.254.1.70 ping statistics ---
> > > 2 packets transmitted, 2 received, 0% packet loss, time 999ms
> > > rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
> > >
> > > _End-point 2:_
> > > # cat /etc/ipsec.conf
> > > # ipsec.conf - strongSwan IPsec configuration file
> > >
> > > # basic configuration
> > >
> > > config setup
> > >         # plutodebug=control
> > >         # crlcheckinterval=600
> > >         strictcrlpolicy=no
> > >         # cachecrls=yes
> > >         # nat_traversal=yes
> > >         charonstart=yes
> > >         plutostart=no
> > >         charondebug=control
> > >
> > > # Add connections here.
> > >
> > > ca strongswan
> > >         cacert=caCert.der
> > >         auto=add
> > >
> > > conn %default
> > >         type=tunnel
> > >         left=169.254.1.70
> > >         leftcert=VC2Cert.der
> > >         right=169.254.0.70
> > >         #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
> > >         keyexchange=ikev2
> > >         auto=start
> > >
> > > conn tunnel1
> > >         leftid=@VC2-tunnel1
> > >         rightid=@VC1-tunnel1
> > >         leftsubnet=169.254.1.0/24
> > >         rightsubnet=169.254.0.0/24
> > >         mark=10
> > >
> > > conn tunnel2
> > >         leftid=@VC2-tunnel2
> > >         rightid=@VC1-tunnel2
> > >         leftsubnet=169.254.1.0/24
> > >         rightsubnet=169.254.0.0/24
> > >         mark=20
> > >
> > > # ipsec status
> > > Security Associations:
> > >     tunnel1[3]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
> > >     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
> > >     tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
> > >     tunnel2[4]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
> > >     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
> > >     tunnel2{4}:   169.254.1.0/24 === 169.254.0.0/24
> > >
> > > # iptables -L -t mangle
> > > Chain PREROUTING (policy ACCEPT)
> > > target     prot opt source               destination
> > > MARK       all  --  anywhere             anywhere            DSCP match 0x2e MARK set 0xa
> > >
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source               destination
> > > MARK       all  --  anywhere             anywhere            DSCP match 0x2e MARK set 0xa
> > >
> > > Chain POSTROUTING (policy ACCEPT)
> > > target     prot opt source               destination
> > >
> > > # tcpdump -i eth2
> > > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> > > listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
> > > 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64
> > > 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64
> > > 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64
> > > 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64
> > >
> > > Could you please let me know if there is anything more I need to do? The
> > > above works fine only when dscp is set to BE.
> > >
> > > Thanks and regards,
> > > Meera

======================================================================
Andreas Steffen                         [email protected]
strongSwan - the Linux VPN Solution!                www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
===========================================================[ITA-HSR]==
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
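The thread above turns on two separate things: the DSCP codepoint carried in the TOS byte of the plaintext packet, and the Netfilter mark that strongSwan's mark= setting uses to select a child SA. The following Python is an added example, not part of the mailing-list thread and not strongSwan code. It decodes the iptables class names (BE, EF, AF31, ...) to codepoints and TOS bytes, parses the `iptables -L -t mangle` listing in the format pasted in the thread (including the run-together `0x2eMARK` that the wrapped paste produced), extracts the mark= values from an ipsec.conf, and reports which conn sections have a mark that no mangle rule ever sets. The sample ipsec.conf and listing are constructed from End-point1's paste; the parsing regexes assume that listing format and nothing else.

```python
"""Cross-check iptables DSCP->MARK rules against strongSwan mark= settings (added example)."""
import re

# DSCP class names accepted by iptables' -m dscp --dscp-class / -j DSCP --set-dscp-class,
# with their six-bit codepoints (RFC 2474/2597/3246 values).
DSCP_CLASSES = {
    "BE": 0, "CS1": 8, "AF11": 10, "AF12": 12, "AF13": 14, "CS2": 16,
    "AF21": 18, "AF22": 20, "AF23": 22, "CS3": 24, "AF31": 26, "AF32": 28,
    "AF33": 30, "CS4": 32, "AF41": 34, "AF42": 36, "AF43": 38, "CS5": 40,
    "EF": 46, "CS6": 48, "CS7": 56,
}
CODEPOINT_TO_CLASS = {v: k for k, v in DSCP_CLASSES.items()}


def dscp_to_tos(dscp):
    """The DSCP occupies the upper six bits of the TOS byte; the low two bits are ECN."""
    return dscp << 2


def tos_to_dscp(tos):
    return tos >> 2


def dscp_class(codepoint):
    """Class name for a codepoint, or the raw hex value for an unnamed one."""
    return CODEPOINT_TO_CLASS.get(codepoint, "0x%02x" % codepoint)


# Matches the rule column of `iptables -L -t mangle`; \s* tolerates "0x2eMARK" as pasted.
RULE_RE = re.compile(r"DSCP match 0x([0-9a-fA-F]+)\s*MARK set 0x([0-9a-fA-F]+)")
CHAIN_RE = re.compile(r"^Chain (\S+)")


def parse_mangle_rules(listing):
    """Return (chain, dscp_class, mark) for every 'DSCP match ... MARK set ...' rule."""
    rules, chain = [], None
    for line in listing.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = RULE_RE.search(line)
        if m and chain:
            rules.append((chain, dscp_class(int(m.group(1), 16)), int(m.group(2), 16)))
    return rules


def parse_conn_marks(ipsec_conf):
    """Map every conn name to its mark= value (None when the section sets none)."""
    conns, conn = {}, None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if not line:
            continue
        if line.startswith(("config ", "ca ")):      # other section types end a conn block
            conn = None
            continue
        if line.startswith("conn "):
            conn = line.split(None, 1)[1]
            conns.setdefault(conn, None)
            continue
        if conn and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if key == "mark":                          # "10", "0xa" or "10/0xffffffff"
                conns[conn] = int(val.split("/")[0], 0)
    return conns


def unmarked_tunnels(ipsec_conf, listing):
    """Conn names whose (possibly %default-inherited) mark no mangle rule sets."""
    conns = parse_conn_marks(ipsec_conf)
    default = conns.pop("%default", None)
    set_marks = {mark for _, _, mark in parse_mangle_rules(listing)}
    return sorted(name for name, mark in conns.items()
                  if (mark if mark is not None else default) not in (None, *set_marks))


# Constructed sample input, trimmed from End-point1's paste in the thread.
SAMPLE_IPSEC_CONF = """\
config setup
        charonstart=yes
conn %default
        type=tunnel
        keyexchange=ikev2
conn tunnel1
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=10
conn tunnel2
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=20
"""
SAMPLE_MANGLE = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
Chain INPUT (policy ACCEPT)
Chain OUTPUT (policy ACCEPT)
MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
Chain POSTROUTING (policy ACCEPT)
"""

if __name__ == "__main__":
    for chain, cls, mark in parse_mangle_rules(SAMPLE_MANGLE):
        print(f"{chain}: DSCP {cls} (TOS byte 0x{dscp_to_tos(DSCP_CLASSES[cls]):02x}) -> mark {mark}")
    print("conns whose mark no rule sets:", unmarked_tunnels(SAMPLE_IPSEC_CONF, SAMPLE_MANGLE))
```

Run against the sample, the listing decodes to EF (0x2e) traffic being marked 10 in PREROUTING and OUTPUT, and tunnel2 is reported as the conn whose mark 20 nothing sets, which is exactly the gap Andreas points out in his first reply.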
