Hi, I need to add something: I got one step further. If I DO NOT ADD "mark=1" but "mark_out=1" and I add that firewall rule on both sides, it works. (I am not sure this was the right step; at this point I am on trial and error...)
But as soon as I widen the networks (first step to 10.0.0.0/8, later to 0.0.0.0/0), things break. I am not sure why, but I think the reason is the 3 SAs generated by strongSwan:
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
dir fwd action allow index 330 priority 1987 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-13 20:24:18 use -
tmpl src 10.5.0.2 dst 10.5.0.1
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
dir in action allow index 320 priority 1987 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-13 20:24:18 use -
tmpl src 10.5.0.2 dst 10.5.0.1
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
dir out action allow index 313 priority 1987 share any flag
(0x00000000)
lifetime config:
limit: soft (INF)(bytes), hard (INF)(bytes)
limit: soft (INF)(packets), hard (INF)(packets)
expire add: soft 0(sec), hard 0(sec)
expire use: soft 0(sec), hard 0(sec)
lifetime current:
0(bytes), 0(packets)
add 2012-05-13 20:24:18 use -
mark 1/0xffffffff
tmpl src 10.5.0.1 dst 10.5.0.2
proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
level required share any
enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
I understand the last one: it is the one used when sending, and it has the mark.
I also think I understand the second one: I think it is used for incoming packets.
However, I don't know what the first one is for...
On the other hand, I could delete the first one using
ip xfrm policy delete src 10.0.0.0/8 dst 10.0.0.0/8 dir fwd
That didn't change anything, still no pings. Not even encrypted from gatewayA to gatewayB.
Any hints?
Best regards again,
Steffen
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On
> Behalf Of Steffen Heil (Mailinglisten)
> Sent: Sunday, May 13, 2012 21:05
> To: [email protected]
> Subject: [strongSwan] Problems with connections using mark
>
> Hi everybody.
>
>
> I have the following setup:
>
> 10.1.1.0/24 ---(eth1) gatewayA (eth0) --- (eth0) gateway (eth1) --- 10.2.1.0/24
>
> The ipsec.conf on gatewayA is the following:
>
> # /etc/ipsec.conf - strongSwan IPsec configuration file
>
> config setup
>         plutostart=no
>
> conn %default
>         ikelifetime=60m
>         keylife=20m
>         rekeymargin=3m
>         keyingtries=1
>         authby=secret
>         keyexchange=ikev2
>         mobike=no
>
> conn net-net
>         left=10.5.0.1
>         leftsubnet=10.1.1.0/24
>         leftid=@a
>         leftfirewall=yes
>         right=10.5.0.2
>         rightsubnet=10.2.1.0/24
>         rightid=@b
>         auto=add
>
> That works well: I can ping from 10.1.1.2 to 10.2.1.2 and the packets between
> the gateways are encrypted.
> However, that is only a simple setup; to implement my real scenario, I need to
> use 0.0.0.0/0 as leftsubnet/rightsubnet and use marks.
> So I started keeping the networks unchanged and only added mark=1 to
> both sides for conn net-net. (Planning to replace the subnets with 0.0.0.0/0
> later.)
>
> Then I could not ping any more, which was expected. So I added a firewall
> rule to gatewayA:
>
> iptables -t mangle -A PREROUTING -s 10.1.1.0/24 -d 10.2.1.0/24 -j MARK --set-mark 1
>
> Now, the ping gets encrypted and sent to gatewayB. However gatewayB
> does not seem to process it.
> At least it is not forwarded to 10.2.1.2 any more.
>
> Am I missing something?
> (Note, it worked before adding "mark=1", so it must have something to do
> with that...)
>
> I am grateful for any hint.
>
>
> Best regards,
> Steffen
_______________________________________________ Users mailing list [email protected] https://lists.strongswan.org/mailman/listinfo/users
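A small checker for the `ip xfrm policy` listing in the post above, added here as an example and not part of the original thread or of strongSwan: it parses the policy blocks and reports selectors where only some directions carry a mark, which is the asymmetry visible in the listing (the out policy is marked, in and fwd are not). The sample input is constructed from the three quoted policies with the lifetime lines dropped; the function and variable names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, cut down from the three policies quoted in the post;
# the lifetime lines are omitted because the checker does not read them.
SAMPLE_XFRM_POLICY = """\
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
    dir fwd action allow index 330 priority 1987 share any flag (0x00000000)
    tmpl src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
    dir in action allow index 320 priority 1987 share any flag (0x00000000)
    tmpl src 10.5.0.2 dst 10.5.0.1
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
src 10.0.0.0/8 dst 10.0.0.0/8 uid 0
    dir out action allow index 313 priority 1987 share any flag (0x00000000)
    mark 1/0xffffffff
    tmpl src 10.5.0.1 dst 10.5.0.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
"""

def parse_xfrm_policies(text: str) -> List[Dict[str, str]]:
    """Turn `ip xfrm policy` output into one dict per policy block."""
    policies: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("src "):  # a new policy block starts here (tmpl lines start with "tmpl")
            m = re.match(r"src (\S+) dst (\S+)", line)
            policies.append({"src": m.group(1), "dst": m.group(2)})
        elif line.startswith("dir "):
            m = re.match(r"dir (\S+) .*\bindex (\d+)", line)
            policies[-1]["dir"], policies[-1]["index"] = m.group(1), m.group(2)
        elif line.startswith("mark "):  # present only on marked policies
            policies[-1]["mark"] = line.split()[1]
    return policies

def find_mark_gaps(policies: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Report selectors where some directions carry a mark and others do not."""
    by_selector: Dict[Tuple[str, str], List[Dict[str, str]]] = {}
    for p in policies:
        by_selector.setdefault((p["src"], p["dst"]), []).append(p)
    gaps = []
    for (src, dst), group in by_selector.items():
        marked = sorted(p["dir"] for p in group if "mark" in p)
        unmarked = sorted(p["dir"] for p in group if "mark" not in p)
        if marked and unmarked:
            gaps.append({"selector": f"{src} -> {dst}", "marked": marked, "unmarked": unmarked})
    return gaps
```

Run against the saved `ip xfrm policy` output of both gateways, the same check makes it easy to compare which directions carry a mark on each side.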
