tszephay Field
2017-05-19 13:13:34 UTC
Hi guys, sorry to bother you.
I have read the wiki page <Route-based VPNs>
(https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN), and I
noticed this sentence:
"Whenever a packet is routed to a VTI device it automatically gets the
configured mark applied so it will match the policy and get tunneled."
So I built a test case to confirm this feature. The topology looked like
this:

pc1                     pc2                  pc3
          tunnel
eth0 ------------- eth1 - eth2 ------ eth3
                   vti1
I want to ping eth3 from eth0. The IPsec tunnel is built between eth0 and
eth1. vti1 is, of course, set up on pc2 with a mark.
I created routes on pc2 like this:
ip rule add dev vti1 table 1
ip route add default dev eth2 table 1
ip rule add dev eth2 table 2
ip route add default dev vti1 table 2
Now, it worked well, just as I thought, except for one thing: I can
capture the Echo-Reply packet from eth3 on vti1, but to my surprise it
was dropped at once. If I understood that sentence correctly, the packet
should get the mark, match the policy and then get tunneled to eth0.
"ip -s tunnel" shows that there are some TX errors on vti1, and the reason
is "NoRoute".
I really do not know why a route is needed at this point if vti1 is bound to
the CHILD_SA.
The version is 5.4.0.
Any suggestion is welcome.
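The setup described in the post, written out as an added example; this is not the poster's script and not strongSwan project code. It follows the route-based VPN wiki page the post links to: a VTI device created with a key (the mark), the two policy-routing tables from the post, and a small parser for the "NoRoute" column of "ip -s tunnel" that the post mentions. Interface names are taken from the post; the addresses 192.0.2.1/192.0.2.2, the mark value 42, the DRY_RUN switch and the sample "ip -s tunnel" output are assumptions or constructed data. The mark given to "key" must match the mark configured on the CHILD_SA in strongSwan.

```sh
#!/bin/sh
# Added example (not from the original post): the pc2 side of a route-based
# VPN with a VTI device, following the strongSwan wiki page the post links
# to. Interface names match the post; addresses and the mark value are
# assumptions. With DRY_RUN=1 (the default) commands are printed, not run.
set -eu

VTI_DEV=vti1
VTI_MARK=42             # assumed; must equal the mark set on the CHILD_SA
LOCAL_OUTER=192.0.2.2   # assumed: pc2 eth1, the IKE/ESP endpoint
REMOTE_OUTER=192.0.2.1  # assumed: pc1 eth0
LAN_DEV=eth2            # pc2 interface facing pc3
DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Create the VTI bound to the tunnel endpoints. "key" sets both ikey and
# okey: packets leaving vti1 carry mark $VTI_MARK and must match a policy
# with that mark; ESP packets whose SA carries that mark are decapsulated
# into vti1.
vti_setup() {
    run ip link add "$VTI_DEV" type vti key "$VTI_MARK" \
        local "$LOCAL_OUTER" remote "$REMOTE_OUTER"
    run ip link set "$VTI_DEV" up
    # The wiki page recommends disabling policy lookups on the VTI itself;
    # the mark is what selects the policy.
    run sysctl -w "net.ipv4.conf.$VTI_DEV.disable_policy=1"
}

# Policy routing as in the post, written with "iif" (the post's "dev" is
# the same selector in iproute2): decrypted traffic arriving on vti1 goes
# to the LAN, LAN traffic is routed into vti1 and picks up the mark there.
pbr_setup() {
    run ip rule add iif "$VTI_DEV" table 1
    run ip route add default dev "$LAN_DEV" table 1
    run ip rule add iif "$LAN_DEV" table 2
    run ip route add default dev "$VTI_DEV" table 2
    # Once vti1 has encapsulated a packet, the ESP packet to $REMOTE_OUTER
    # is routed with an ordinary lookup (no iif), which the two rules above
    # do not cover, so the main table must reach the remote endpoint.
    run ip route get "$REMOTE_OUTER"
}

# Constructed sample of "ip -s tunnel show vti1" output in iproute2 layout.
# "NoRoute" in the TX row is the device's tx_carrier_errors counter, which
# the kernel's VTI transmit path increments when the xfrm lookup (policy
# with this mark plus route for the outer destination) fails.
SAMPLE_TUNNEL_STATS='vti1: ip/ip remote 192.0.2.1 local 192.0.2.2 ikey 42 okey 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    12         1008         0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    12         1008         3      0        3        0'

# Print the NoRoute counter from "ip -s tunnel" output read on stdin.
noroute_count() {
    awk '/^TX:/ { getline; print $5; exit }'
}

# Succeed when no NoRoute errors are recorded, fail otherwise.
vti_healthy() {
    [ "$(noroute_count)" -eq 0 ]
}

vti_setup
pbr_setup
echo "$SAMPLE_TUNNEL_STATS" | noroute_count
```

Run it with DRY_RUN=0 as root on pc2 to apply the commands; afterwards "ip -s tunnel show vti1 | noroute_count" reports whether transmissions out of vti1 are still failing the xfrm lookup.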