Hi Andreas,

Ok, thanks a lot for the explanation. I had understood it the other way round. It is now working with all DSCP values.

Thanks and regards,
Meera

On Tue, Nov 15, 2011 at 2:17 PM, Andreas Steffen <[email protected]> wrote:

> Hello Meera,
>
> you must differentiate between setting the DSCP value in the TOS
> field of the IP packets at the origin of the end-to-end IP route
> and marking these packets when they enter the VPN gateway and are
> ready to be tunneled via IPsec. These are two totally different
> tasks. Have a look at our demo example:
>
> http://www.strongswan.org/uml/testresults/ikev2/net2net-psk-dscp/console.log
>
>   DSCP set-->                                          <-- DSCP set
> alice ------ gw moon ================ gw sun --------- bob
>                MARK set-->    IPsec    <--Mark set
>
> 1) Setting the DSCP value in the TOS field of IP packet at the
>    IP route end points alice and bob:
>
> alice# iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
> bob#   iptables -t mangle -A OUTPUT -p icmp -j DSCP --set-dscp-class BE
>
> 2) Setting a MARK by the VPN gateways moon and sun depending on the
>    DSCP value detected in the inbound plaintext IP packets:
>
> moon# iptables -t mangle -A PREROUTING -m dscp --dscp-class BE \
>       -j MARK --set-mark 10
>
> sun#  iptables -t mangle -A PREROUTING -m dscp --dscp-class BE -j MARK --set-mark 10
>
> Regards
>
> Andreas
>
>
> On 11/15/2011 07:14 AM, Meera Sudhakar wrote:
>
>> Hello Andreas,
>>
>> Yes, I agree with you.
>>
>> I have first set the following rules in the mangle table on both
>> endpoints:
>>
>> iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF
>> iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class EF
>>
>> So with these rules, all traffic passing between the endpoints will be
>> marked with 10, and will have dscp EF. Since one of my tunnels has been
>> configured with mark=10 (in ipsec.conf), that means all these packets
>> should travel through this tunnel. In other words, I am only trying to
>> set dscp=EF for my first tunnel which has mark=10. I am not using the
>> second tunnel with mark=20 now. This worked fine when only the marking
>> was given in the iptables rules, without the dscp. So my understanding
>> is that I can use any one of the created tunnels at a time. Please
>> correct me if this is wrong.
>>
>> Thanks,
>> Meera
>>
>> On Tue, Nov 15, 2011 at 11:07 AM, Andreas Steffen
>> <andreas.steffen@strongswan.org> wrote:
>>
>>   Hello,
>>
>>   you define only mark 10 but not mark 20. No traffic will go through
>>   the tunnel without a mark (either 10 or 20) set.
>>
>>   Regards
>>
>>   Andreas
>>
>>   On 11/14/2011 08:46 AM, Meera Sudhakar wrote:
>>   > Hi,
>>   >
>>   > My aim is to create two IPsec tunnels using strongSwan between two
>>   > end-points, each having a different dscp marking (like say EF, BE, AF31
>>   > etc). Right now, I see that when I set the dscp marking as BE (default),
>>   > the traffic goes through the designated IPsec tunnel. When I use
>>   > anything else, the traffic reaches the other end-point in plain-text
>>   > (there is no encryption). I tried referring to your example in
>>   > http://www2.strongswan.org/uml/testresults46rc/ikev2/net2net-psk-dscp/index.html .
>>   > I see that you are able to send encrypted traffic with dscp marking EF
>>   > and BE. I believe that the reason dscp-marked traffic does not flow
>>   > through a tunnel could be because the tunnel does not have the
>>   > 'capability' to handle that particular dscp-marking. Could you please
>>   > let me know if this is the case, and also if there is anything I need to
>>   > change (kernel version, strongSwan version, config file) to get this
>>   > working. I have pasted the details of my end-points below, with dscp set
>>   > to EF:
>>   >
>>   > linux kernel version on both end-points: 2.6.35
>>   > strongSwan version on both end-points: 4.5.2-1
>>   >
>>   > _End-point1:_
>>   >
>>   > # cat /etc/ipsec.conf
>>   > # ipsec.conf - strongSwan IPsec configuration file
>>   >
>>   > # basic configuration
>>   >
>>   > config setup
>>   >         #plutostderrlog=/var/log/syslog
>>   >         # plutodebug=control
>>   >         # crlcheckinterval=600
>>   >         strictcrlpolicy=no
>>   >         # cachecrls=yes
>>   >         # nat_traversal=yes
>>   >         charonstart=yes
>>   >         charondebug=control
>>   >         plutostart=no
>>   >
>>   > # Add connections here.
>>   >
>>   > ca strongswan
>>   >         cacert=caCert.der
>>   >         auto=add
>>   >
>>   > conn %default
>>   >         type=tunnel
>>   >         left=169.254.0.70
>>   >         leftcert=VC1Cert.der
>>   >         right=169.254.1.70
>>   >         #rightid="C=CH, O=strongSwan, CN=169.254.1.70"
>>   >         keyexchange=ikev2
>>   >         auto=start
>>   >
>>   > conn tunnel1
>>   >         leftid=@VC1-tunnel1
>>   >         rightid=@VC2-tunnel1
>>   >         leftsubnet=169.254.0.0/24
>>   >         rightsubnet=169.254.1.0/24
>>   >         mark=10
>>   >
>>   > conn tunnel2
>>   >         leftid=@VC1-tunnel2
>>   >         rightid=@VC2-tunnel2
>>   >         leftsubnet=169.254.0.0/24
>>   >         rightsubnet=169.254.1.0/24
>>   >         mark=20
>>   >
>>   > # ipsec status
>>   > Security Associations:
>>   >     tunnel1[1]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel1]...169.254.1.70[VC2-tunnel1]
>>   >     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c4b5ea2d_i c7cc7624_o
>>   >     tunnel1{3}:   169.254.0.0/24 === 169.254.1.0/24
>>   >     tunnel2[2]: ESTABLISHED 37 seconds ago, 169.254.0.70[VC1-tunnel2]...169.254.1.70[VC2-tunnel2]
>>   >     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c9c8850e_i c7b5d498_o
>>   >     tunnel2{4}:   169.254.0.0/24 === 169.254.1.0/24
>>   >
>>   > # iptables -L -t mangle
>>   > Chain PREROUTING (policy ACCEPT)
>>   > target     prot opt source               destination
>>   > MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
>>   >
>>   > Chain INPUT (policy ACCEPT)
>>   > target     prot opt source               destination
>>   >
>>   > Chain FORWARD (policy ACCEPT)
>>   > target     prot opt source               destination
>>   >
>>   > Chain OUTPUT (policy ACCEPT)
>>   > target     prot opt source               destination
>>   > MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
>>   >
>>   > Chain POSTROUTING (policy ACCEPT)
>>   > target     prot opt source               destination
>>   >
>>   > # ping 169.254.1.70
>>   > PING 169.254.1.70 (169.254.1.70) 56(84) bytes of data.
>>   > 64 bytes from 169.254.1.70: icmp_req=1 ttl=63 time=0.192 ms
>>   > 64 bytes from 169.254.1.70: icmp_req=2 ttl=63 time=0.129 ms
>>   > ^C
>>   > --- 169.254.1.70 ping statistics ---
>>   > 2 packets transmitted, 2 received, 0% packet loss, time 999ms
>>   > rtt min/avg/max/mdev = 0.129/0.160/0.192/0.033 ms
>>   >
>>   > _End-point 2:_
>>   >
>>   > # cat /etc/ipsec.conf
>>   > # ipsec.conf - strongSwan IPsec configuration file
>>   >
>>   > # basic configuration
>>   >
>>   > config setup
>>   >         # plutodebug=control
>>   >         # crlcheckinterval=600
>>   >         strictcrlpolicy=no
>>   >         # cachecrls=yes
>>   >         # nat_traversal=yes
>>   >         charonstart=yes
>>   >         plutostart=no
>>   >         charondebug=control
>>   >
>>   > # Add connections here.
>>   >
>>   > ca strongswan
>>   >         cacert=caCert.der
>>   >         auto=add
>>   >
>>   > conn %default
>>   >         type=tunnel
>>   >         left=169.254.1.70
>>   >         leftcert=VC2Cert.der
>>   >         right=169.254.0.70
>>   >         #rightid="C=CH, O=strongSwan, CN=169.254.0.70"
>>   >         keyexchange=ikev2
>>   >         auto=start
>>   >
>>   > conn tunnel1
>>   >         leftid=@VC2-tunnel1
>>   >         rightid=@VC1-tunnel1
>>   >         leftsubnet=169.254.1.0/24
>>   >         rightsubnet=169.254.0.0/24
>>   >         mark=10
>>   >
>>   > conn tunnel2
>>   >         leftid=@VC2-tunnel2
>>   >         rightid=@VC1-tunnel2
>>   >         leftsubnet=169.254.1.0/24
>>   >         rightsubnet=169.254.0.0/24
>>   >         mark=20
>>   >
>>   > # ipsec status
>>   > Security Associations:
>>   >     tunnel1[3]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel1]...169.254.0.70[VC1-tunnel1]
>>   >     tunnel1{3}:  INSTALLED, TUNNEL, ESP SPIs: c7cc7624_i c4b5ea2d_o
>>   >     tunnel1{3}:   169.254.1.0/24 === 169.254.0.0/24
>>   >     tunnel2[4]: ESTABLISHED 44 seconds ago, 169.254.1.70[VC2-tunnel2]...169.254.0.70[VC1-tunnel2]
>>   >     tunnel2{4}:  INSTALLED, TUNNEL, ESP SPIs: c7b5d498_i c9c8850e_o
>>   >     tunnel2{4}:   169.254.1.0/24 === 169.254.0.0/24
>>   >
>>   > # iptables -L -t mangle
>>   > Chain PREROUTING (policy ACCEPT)
>>   > target     prot opt source               destination
>>   > MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
>>   >
>>   > Chain INPUT (policy ACCEPT)
>>   > target     prot opt source               destination
>>   >
>>   > Chain FORWARD (policy ACCEPT)
>>   > target     prot opt source               destination
>>   >
>>   > Chain OUTPUT (policy ACCEPT)
>>   > target     prot opt source               destination
>>   > MARK       all  --  anywhere             anywhere             DSCP match 0x2eMARK set 0xa
>>   >
>>   > Chain POSTROUTING (policy ACCEPT)
>>   > target     prot opt source               destination
>>   >
>>   > # tcpdump -i eth2
>>   > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>   > listening on eth2, link-type EN10MB (Ethernet), capture size 65535 bytes
>>   > 01:07:43.492130 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 1, length 64
>>   > 01:07:43.492162 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 1, length 64
>>   > 01:07:44.491104 IP 169.254.0.70 > 169.254.1.70: ICMP echo request, id 27015, seq 2, length 64
>>   > 01:07:44.491140 IP 169.254.1.70 > 169.254.0.70: ICMP echo reply, id 27015, seq 2, length 64
>>   >
>>   > Could you please let me know if there is anything more I need to do? The
>>   > above works fine only when dscp is set to BE.
>>   >
>>   > Thanks and regards,
>>   > Meera
>
> ======================================================================
> Andreas Steffen                         [email protected]
> strongSwan - the Linux VPN Solution!                www.strongswan.org
> Institute for Internet Technologies and Applications
> University of Applied Sciences Rapperswil
> CH-8640 Rapperswil (Switzerland)
> ===========================================================[ITA-HSR]==
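The thread boils down to a consistency question between two configuration sources: the `mark=` values in ipsec.conf decide which tunnel a packet may use, and the iptables mangle rules decide which packets ever receive such a mark. A packet that matches no MARK rule is not tunneled and leaves in plaintext, which is exactly what the tcpdump capture above showed for EF traffic while only a BE rule existed. The following script is an added example, not code from the strongSwan project or from either participant: it parses the `conn ... mark=` sections and the `iptables -t mangle` rule commands in the minimal syntax used in the thread (the helper names, the trimmed ipsec.conf and the "fixed" rule set are constructed for illustration) and reports tunnels that no rule can select and whether unmarked traffic would bypass IPsec.

```python
"""Cross-check strongSwan 'mark=' values against iptables mangle MARK rules.

Added example (not strongSwan project code). Assumptions: ipsec.conf uses
the plain 'conn NAME' / 'mark=N' layout from the thread, and rules are
given as 'iptables -t mangle -A CHAIN ... -j MARK --set-mark N' strings.
"""
import re

# 6-bit DSCP code points (RFC 2474, RFC 2597, RFC 3246). 'iptables -L'
# prints this 6-bit value (EF shows as 0x2e); 'tcpdump -v' prints the whole
# TOS byte, which is the DSCP shifted left by two bits (EF shows as 0xb8).
DSCP_CLASSES = {
    "BE": 0, "CS0": 0, "CS1": 8, "CS2": 16, "CS3": 24, "CS4": 32, "CS5": 40,
    "CS6": 48, "CS7": 56, "AF11": 10, "AF12": 12, "AF13": 14, "AF21": 18,
    "AF22": 20, "AF23": 22, "AF31": 26, "AF32": 28, "AF33": 30, "AF41": 34,
    "AF42": 36, "AF43": 38, "EF": 46,
}


def dscp_name(value):
    """Map a 6-bit DSCP back to its class name ('DSCP 0x..' if unassigned)."""
    for name, dscp in DSCP_CLASSES.items():
        if dscp == value:
            return name
    return "DSCP 0x%02x" % value


def conn_marks(ipsec_conf):
    """Return {conn: mark} for every conn section that sets mark=.
    A '/mask' suffix (mark=10/0xff) is ignored by this minimal parser."""
    marks, conn = {}, None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        head = re.match(r"(conn|ca|config)\s+(\S+)", line)
        if head:                                   # new section starts
            conn = head.group(2) if head.group(1) == "conn" else None
            continue
        m = re.match(r"mark\s*=\s*(0x[0-9a-fA-F]+|\d+)", line)
        if m and conn:
            marks[conn] = int(m.group(1), 0)
    return marks


def mark_rules(commands):
    """Parse rule commands into (chain, dscp, mark) tuples.
    dscp is None when the rule carries no '-m dscp' match (marks all)."""
    rules = []
    for cmd in commands:
        chain = re.search(r"-A\s+(\S+)", cmd)
        mark = re.search(r"--set-mark\s+(0x[0-9a-fA-F]+|\d+)", cmd)
        if not (chain and mark and "-j MARK" in cmd):
            continue
        cls = re.search(r"--dscp-class\s+(\S+)", cmd)
        num = re.search(r"--dscp\s+(0x[0-9a-fA-F]+|\d+)", cmd)
        if cls:
            dscp = DSCP_CLASSES[cls.group(1).upper()]
        elif num:
            dscp = int(num.group(1), 0)
        else:
            dscp = None
        rules.append((chain.group(1), dscp, int(mark.group(1), 0)))
    return rules


def audit(ipsec_conf, commands, chain="PREROUTING"):
    """Report tunnels no rule selects and whether unmarked traffic bypasses
    IPsec (strongSwan only tunnels packets carrying one of the conn marks)."""
    marks = conn_marks(ipsec_conf)
    rules = [r for r in mark_rules(commands) if r[0] == chain]
    by_mark = {m: c for c, m in marks.items()}
    set_marks = {m for _, _, m in rules}
    return {
        "unreachable_tunnels": sorted(c for c, m in marks.items() if m not in set_marks),
        "dscp_to_tunnel": {dscp_name(d): by_mark.get(m) for _, d, m in rules if d is not None},
        # MARK is non-terminating, so a catch-all rule (dscp None) placed
        # first is later refined by the DSCP-specific rules after it.
        "default_tunnel": next((by_mark.get(m) for _, d, m in rules if d is None), None),
        "unmarked_traffic_bypasses_ipsec": all(d is not None for _, d, _ in rules),
    }


# Constructed sample data: the two conns from the thread, and the rules as
# Meera first loaded them (only EF is ever marked, and only with 10).
THREAD_IPSEC_CONF = """\
conn %default
        type=tunnel
        keyexchange=ikev2
        auto=start

conn tunnel1
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=10

conn tunnel2
        leftsubnet=169.254.0.0/24
        rightsubnet=169.254.1.0/24
        mark=20
"""
THREAD_RULES = [
    "iptables -t mangle -A OUTPUT -j MARK --set-mark 10 -m dscp --dscp-class EF",
    "iptables -t mangle -A PREROUTING -j MARK --set-mark 10 -m dscp --dscp-class EF",
]
# Constructed gateway rule set in the spirit of Andreas' step 2: a catch-all
# mark for tunnel2 first, then EF traffic re-marked for tunnel1.
FIXED_RULES = [
    "iptables -t mangle -A PREROUTING -j MARK --set-mark 20",
    "iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 10",
]

if __name__ == "__main__":
    for label, rules in (("thread", THREAD_RULES), ("fixed", FIXED_RULES)):
        print(label, audit(THREAD_IPSEC_CONF, rules))
```

Run against the thread's rules, the report lists tunnel2 as unreachable and flags that anything not marked EF bypasses IPsec; with the constructed two-rule set every tunnel is selectable and no packet leaves the gateway unmarked. The audit looks at one chain at a time because locally generated traffic (the gateway's own ping) passes OUTPUT while forwarded traffic passes PREROUTING, and a rule present in only one of them protects only one of the two paths.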
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
