Sorry, I didn't realize that I was replying only to you and not the list. I upgraded my kernel to 3.10 and now it is working correctly. Thank you for your help.
On Tue, May 19, 2015 at 3:10 PM, Justin Michael Schwartzbeck <[email protected]> wrote:
> Hi Noel, I upgraded my kernel to 3.10 and now it is working correctly. Thank you for your help.
>
> On Tue, May 19, 2015 at 11:08 AM, Noel Kuntze <[email protected]> wrote:
>> Hello Justin,
>>
>> The team discerned that the "mark" feature for XFRM policies was first introduced in the Linux kernel release 2.6.34. So the kernel on your host is too old to use that feature.
>>
>> Kind Regards,
>> Noel Kuntze
>>
>> GPG Key ID: 0x63EC6658
>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>
>> On 19.05.2015 at 17:54, Justin Michael Schwartzbeck wrote:
>>> Strongswan version:
>>> Linux strongSwan U5.3.0/K2.6.32-279.el6.x86_64
>>> Institute for Internet Technologies and Applications
>>> University of Applied Sciences Rapperswil, Switzerland
>>> See 'ipsec --copyright' for copyright information.
>>>
>>> Kernel:
>>> 2.6.32-279.el6.x86_64
>>>
>>> ipsec statusall:
>>> Status of IKE charon daemon (strongSwan 5.3.0, Linux 2.6.32-279.el6.x86_64, x86_64):
>>>   uptime: 16 hours, since May 18 22:46:17 2015
>>>   malloc: sbrk 270336, mmap 0, used 233936, free 36400
>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
>>>   loaded plugins: charon aes eap-gtc eap-radius des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-tls xauth-generic
>>> Listening IP addresses:
>>>   10.10.1.191
>>>   192.168.1.9
>>> Connections:
>>>      router1:  192.168.1.9...192.168.1.2  IKEv2
>>>      router1:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
>>>      router1:   remote: [192.168.1.2] uses public key authentication
>>>      router1:   cert:  "CN=cn, O=o"
>>>      router1:   child:  dynamic === 80.254.145.88/32 TUNNEL
>>>      router3:  192.168.1.9...192.168.1.4  IKEv2
>>>      router3:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
>>>      router3:   remote: [192.168.1.4] uses public key authentication
>>>      router3:   cert:  "CN=cn, O=o"
>>>      router3:   child:  dynamic === 80.254.145.88/32 TUNNEL
>>>      router2:  192.168.1.9...192.168.1.3  IKEv2
>>>      router2:   local:  uses EAP_GTC authentication with EAP identity 'eapid'
>>>      router2:   remote: [192.168.1.3] uses public key authentication
>>>      router2:   cert:  "CN=cn, O=o"
>>>      router2:   child:  dynamic === 80.254.145.88/32 TUNNEL
>>> Security Associations (2 up, 0 connecting):
>>>      router2[13]: ESTABLISHED 2 hours ago, 192.168.1.9[192.168.1.9]...192.168.1.3[192.168.1.3]
>>>      router2[13]: IKEv2 SPIs: 12c2f546b0e9ba43_i* 47ceac579461a781_r, EAP reauthentication in 7 minutes
>>>      router2[13]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>>>      router2{49}:  INSTALLED, TUNNEL, reqid 13, ESP SPIs: cff86d4e_i 56feaee4_o
>>>      router2{49}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 18 minutes
>>>      router2{49}:   192.168.1.9/32 === 80.254.145.88/32
>>>      router1[12]: ESTABLISHED 2 hours ago, 192.168.1.9[192.168.1.9]...192.168.1.2[192.168.1.2]
>>>      router1[12]: IKEv2 SPIs: 57b4b5ec79269b0a_i* 38863975d51e3008_r, EAP reauthentication in 4 minutes
>>>      router1[12]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
>>>      router1{48}:  INSTALLED, TUNNEL, reqid 12, ESP SPIs: c22dd9fe_i 1f26b790_o
>>>      router1{48}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 16 minutes
>>>      router1{48}:   192.168.1.9/32 === 80.254.145.88/32
>>>
>>> Output of ip -s xfrm policy:
>>> src 80.254.145.88/32 dst 192.168.1.9/32 uid 0
>>>         dir fwd action allow index 2402 priority 2819 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft (INF)(bytes), hard (INF)(bytes)
>>>           limit: soft (INF)(packets), hard (INF)(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-19 15:26:25 use -
>>>         tmpl src 192.168.1.3 dst 192.168.1.9
>>>                 proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>>>                 level required share any
>>>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>> src 80.254.145.88/32 dst 192.168.1.9/32 uid 0
>>>         dir in action allow index 2392 priority 2819 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft (INF)(bytes), hard (INF)(bytes)
>>>           limit: soft (INF)(packets), hard (INF)(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-19 15:26:25 use -
>>>         tmpl src 192.168.1.3 dst 192.168.1.9
>>>                 proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>>>                 level required share any
>>>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>> src 192.168.1.9/32 dst 80.254.145.88/32 uid 0
>>>         dir out action allow index 2385 priority 2819 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft (INF)(bytes), hard (INF)(bytes)
>>>           limit: soft (INF)(packets), hard (INF)(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-19 15:26:25 use -
>>>         tmpl src 192.168.1.9 dst 192.168.1.3
>>>                 proto esp spi 0x00000000(0) reqid 15(0x0000000f) mode tunnel
>>>                 level required share any
>>>                 enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
>>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>>         dir 3 action allow index 2067 priority 0 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft 0(bytes), hard 0(bytes)
>>>           limit: soft 0(packets), hard 0(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
>>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>>         dir 4 action allow index 2060 priority 0 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft 0(bytes), hard 0(bytes)
>>>           limit: soft 0(packets), hard 0(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
>>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>>         dir 3 action allow index 2051 priority 0 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft 0(bytes), hard 0(bytes)
>>>           limit: soft 0(packets), hard 0(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
>>> src 0.0.0.0/0 dst 0.0.0.0/0 uid 0
>>>         dir 4 action allow index 2044 priority 0 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft 0(bytes), hard 0(bytes)
>>>           limit: soft 0(packets), hard 0(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-18 22:46:17 use 2015-05-19 15:26:25
>>> src ::/0 dst ::/0 uid 0
>>>         dir 3 action allow index 2035 priority 0 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft 0(bytes), hard 0(bytes)
>>>           limit: soft 0(packets), hard 0(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-18 22:46:17 use -
>>> src ::/0 dst ::/0 uid 0
>>>         dir 4 action allow index 2028 priority 0 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft 0(bytes), hard 0(bytes)
>>>           limit: soft 0(packets), hard 0(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-18 22:46:17 use -
>>> src ::/0 dst ::/0 uid 0
>>>         dir 3 action allow index 2019 priority 0 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft 0(bytes), hard 0(bytes)
>>>           limit: soft 0(packets), hard 0(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-18 22:46:17 use -
>>> src ::/0 dst ::/0 uid 0
>>>         dir 4 action allow index 2012 priority 0 ptype main share any flag (0x00000000)
>>>         lifetime config:
>>>           limit: soft 0(bytes), hard 0(bytes)
>>>           limit: soft 0(packets), hard 0(packets)
>>>           expire add: soft 0(sec), hard 0(sec)
>>>           expire use: soft 0(sec), hard 0(sec)
>>>         lifetime current:
>>>           0(bytes), 0(packets)
>>>           add 2015-05-18 22:46:17 use -
>>>
>>> Output at startup:
>>> May 19 15:46:16 client-138-01 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.0, Linux 2.6.32-279.el6.x86_64, x86_64)
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] no RADIUS secret defined
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading ca certificates from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loaded ca certificate "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] ca certificate "CN=cn, O=o" lacks ca basic constraint, discarded
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loaded ca certificate "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] ca certificate "CN=172.16.1.2, O=o" lacks ca basic constraint, discarded
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loaded ca certificate "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loaded ca certificate "C=US, ST=California, L=San Jose, O=o, OU=SBG-SCO, CN=Cisco" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading aa certificates from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading ocsp signer certificates from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading attribute certificates from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading crls from '<path to crl>'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
>>> May 19 15:46:16 client-138-01 charon: 00[CFG] loaded EAP secret for 9PZ0FWZ53LB::ISR::15.5(20150320:193940)::20
>>> May 19 15:46:16 client-138-01 charon: 00[LIB] loaded plugins: charon aes eap-gtc eap-radius des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown eap-identity eap-tls xauth-generic
>>> May 19 15:46:16 client-138-01 charon: 00[JOB] spawning 16 worker threads
>>> May 19 15:46:16 client-138-01 charon: 05[CFG] received stroke: add connection 'router1'
>>> May 19 15:46:16 client-138-01 charon: 05[CFG] loaded certificate "CN=cn, O=o" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 05[CFG] added configuration 'router1'
>>> May 19 15:46:16 client-138-01 charon: 07[CFG] received stroke: add connection 'router3'
>>> May 19 15:46:16 client-138-01 charon: 07[CFG] loaded certificate "CN=cn, O=o" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 07[CFG] added configuration 'router3'
>>> May 19 15:46:16 client-138-01 charon: 09[CFG] received stroke: add connection 'router2'
>>> May 19 15:46:16 client-138-01 charon: 09[CFG] loaded certificate "CN=cn, O=o" from '<path to cert>'
>>> May 19 15:46:16 client-138-01 charon: 09[CFG] added configuration 'router2'
>>>
>>> On Tue, May 19, 2015 at 10:08 AM, Noel Kuntze <[email protected]> wrote:
>>>> Hello Justin,
>>>>
>>>> I have the following questions:
>>>>
>>>> What strongSwan version do you use?
>>>> What kernel version do you use?
>>>> What is the output of "ipsec statusall", when both tunnels are up?
>>>> What is the output of "ip -s xfrm policy"?
>>>> Do you have a log of the start of strongswan, so we can see if the parser picks it up?
>>>>
>>>> Also, please only set mark_out.
>>>> Otherwise, you also have to apply the mark in *mangle INPUT (or PREROUTING), so the kernel decapsulates the packets.
>>>>
>>>> It seems as if the kernel either does know mark values as part of XFRM policies or the parser does not pick it up.
>>>>
>>>> Kind Regards,
>>>> Noel Kuntze
>>>>
>>>> GPG Key ID: 0x63EC6658
>>>> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
>>>>
>>>> On 19.05.2015 at 16:34, Justin Michael Schwartzbeck wrote:
>>>>> Hello,
>>>>>
>>>>> I was following another thread where it was explained how to use the iptables MARK target in order to select which tunnel to send traffic through when I have multiple tunnels up on a peer. It was said that if you set the "mark" value in ipsec.conf for each tunnel, then you can mark your traffic using iptables and it will go through the tunnel that has the same mark. I will describe here my situation and then show you my configuration.
>>>>>
>>>>> I have three machines, two routers and one client. On the client I am using strongswan as the vpn client. When I start strongswan I am able to connect to both router1 and router2 over vpn using strongswan. On my client I have router1 configured with "mark=12" and router2 configured with "mark=13." I use iptables to mark all outgoing tcp traffic with either 12 or 13. However, when I send traffic, say HTTP traffic, then all of the traffic is just routed through the last tunnel that I brought up (i.e. if I bring up router1 and then router2, then it is routed through router2, and vice versa). It is like the connection marking is not even being recognized.
>>>>>
>>>>> Here is my configuration:
>>>>>
>>>>> conn router1
>>>>>     keyexchange=ikev2
>>>>>     ike=3des-md5-modp1024
>>>>>     esp=aes256-sha
>>>>>     left=192.168.1.9
>>>>>     leftid=%any
>>>>>     leftauth=eap-gtc
>>>>>     rightcert=<path to cert>
>>>>>     right=192.168.1.2
>>>>>     rightsubnet=80.254.145.88/32
>>>>>     eap_identity=<eap identity 1>
>>>>>     mark=12
>>>>>     auto=add
>>>>>     type=tunnel
>>>>>
>>>>> conn router2
>>>>>     keyexchange=ikev2
>>>>>     ike=3des-md5-modp1024
>>>>>     esp=aes256-sha
>>>>>     left=192.168.1.9
>>>>>     leftid=%any
>>>>>     leftauth=eap-gtc
>>>>>     rightcert=<path to cert>
>>>>>     right=192.168.1.3
>>>>>     rightsubnet=80.254.145.88/32
>>>>>     eap_identity=<eap identity 2>
>>>>>     mark=13
>>>>>     auto=add
>>>>>     type=tunnel
>>>>>
>>>>> Here are the iptables commands I am using. For router 1:
>>>>>
>>>>>     iptables -t mangle -A OUTPUT -j MARK --set-mark 12
>>>>>
>>>>> And for router 2:
>>>>>
>>>>>     iptables -t mangle -A OUTPUT -j MARK --set-mark 13
>>>>>
>>>>> Any help would be appreciated.
>>>>>
>>>>> Thanks,
>>>>> Justin
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> [email protected]
>>>>> https://lists.strongswan.org/mailman/listinfo/users
