strongSwan KVM Tests / ikev2 / rw-mark-in-out
Test ikev2/rw-mark-in-out

Description

The roadwarriors alice and venus, sitting behind the router moon, set up tunnels to the gateway sun. Since both roadwarriors possess the same 10.1.0.0/25 subnet, gateway sun uses Source NAT after ESP decryption to map these subnets to 10.3.0.10 and 10.3.0.20, respectively.

In order to differentiate between the tunnels to alice and venus, XFRM marks are defined for both the inbound and outbound IPsec SAs and policies using the mark_in and mark_out options. With the set_mark_in option, the corresponding mark is applied to the inbound packets after decryption. Return traffic is marked via iptables -t mangle rules in the PREROUTING chain. In order to test the tunnels, the hosts alice and venus ping the client bob behind the gateway sun.
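The mark and NAT setup described above, written out for gateway sun as an added example that is not part of the strongSwan test's own files. Only the 10.1.0.0/25 subnet, the SNAT addresses 10.3.0.10 and 10.3.0.20, the mark_in/mark_out/set_mark_in options and the mangle PREROUTING marking come from the page; the mark values 10 (alice) and 20 (venus), sun's address 192.168.0.2, bob's 10.2.0.0/16 subnet, the peer identities, certificate names and proposals are assumptions.

```shell
#!/bin/sh
# Added example (not the strongSwan test's own files): gateway sun's swanctl
# connections with XFRM marks, plus the Netfilter rules that rely on them.
# Assumed values not stated on the page: marks 10 (alice) and 20 (venus),
# sun = 192.168.0.2, bob's subnet 10.2.0.0/16, peer identities, certificate
# names and the IKE/ESP proposals.
set -eu

IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of loading them

# One connection per roadwarrior. Both children carry identical traffic
# selectors (10.1.0.0/25), so only the mark tells the two policies apart:
#  - mark_out: the outbound policy/SA of this peer is used only for packets
#    that already carry this mark (set by the PREROUTING rule below);
#  - mark_in: the inbound policy requires this mark (with strongSwan's
#    defaults it is set on the policy, not on the inbound SA);
#  - set_mark_in: the kernel stamps this mark on every decrypted packet,
#    which satisfies the inbound policy and lets nat/POSTROUTING pick the
#    right SNAT address.
conn_block() {
  # $1 = connection and child name, $2 = mark, $3 = remote identity
  cat <<EOF
   $1 {
      local_addrs = 192.168.0.2
      local {
         auth = pubkey
         certs = sunCert.pem
         id = sun.strongswan.org
      }
      remote {
         auth = pubkey
         id = $3
      }
      children {
         $1 {
            local_ts  = 10.2.0.0/16
            remote_ts = 10.1.0.0/25
            mark_in     = $2
            mark_out    = $2
            set_mark_in = $2
            esp_proposals = aes128gcm128-x25519
         }
      }
      version = 2
      proposals = aes128-sha256-x25519
   }
EOF
}

sun_swanctl_conf() {
  printf 'connections {\n'
  conn_block alice 10 alice@strongswan.org
  conn_block venus 20 venus@strongswan.org
  printf '}\n'
}

# After decryption the packets of both roadwarriors have sources in
# 10.1.0.0/25; the mark stamped by set_mark_in identifies the tunnel, so each
# gets its own SNAT address before the packet is forwarded towards bob.
snat_rules() {
  $IPT -t nat -A POSTROUTING -s 10.1.0.0/25 -m mark --mark 10 -j SNAT --to-source 10.3.0.10
  $IPT -t nat -A POSTROUTING -s 10.1.0.0/25 -m mark --mark 20 -j SNAT --to-source 10.3.0.20
}

# Bob's replies arrive addressed to 10.3.0.10 or 10.3.0.20. mangle/PREROUTING
# runs before the nat hook reverses the SNAT, so the destination still reveals
# the tunnel; the mark set here selects the outbound policy with the matching
# mark_out once the address has been rewritten back to 10.1.0.x.
return_mark_rules() {
  $IPT -t mangle -A PREROUTING -d 10.3.0.10 -j MARK --set-mark 10
  $IPT -t mangle -A PREROUTING -d 10.3.0.20 -j MARK --set-mark 20
}

apply() {
  sun_swanctl_conf > /etc/swanctl/swanctl.conf
  snat_rules
  return_mark_rules
  swanctl --load-all
}

# Only act when invoked as "sh rw-mark-in-out-sun.sh apply"; otherwise the
# file just defines the functions (use IPT=echo to review the rules first).
case "${1:-}" in apply) apply ;; esac
```

Without the marks the two outbound policies for 10.1.0.0/25 would be indistinguishable and the kernel would always pick the first one installed; the SNAT mapping is what makes bob's replies carry a destination that the PREROUTING rule can turn back into the correct mark.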