dominicbatty
Frequent Visitor
Topic Author
Posts: 91
Joined: Wed Jul 07, 2010 12:26 pm

Routing Marks in Output Chain for IPSEC

Mon Feb 07, 2011 7:07 pm

Hi, I'm just after a little bit of help regarding a routing problem I have.

I have two connections to the internet via gateways 1.1.1.1 (on interface I-A) and 2.2.2.2 (on interface I-B), and I have two IP routes as follows:

0.0.0.0/0 to 1.1.1.1 bound to routing-mark="R-A"
0.0.0.0/0 to 2.2.2.2 bound to routing-mark="R-B"

Using mangle rules in the INPUT chain I mark all incoming connections on interface "I-A" with connection-mark="C-A" and all incoming connections on interface "I-B" with connection-mark="C-B".

I then have mangle rules in the OUTPUT chain that mark connections with connection-mark="C-A" with routing-mark="R-A" and connections with connection-mark="C-B" with routing-mark="R-B".

If I ping the IP address of the router associated with interface "I-A" from an external point, then this responds correctly and I get a reply. If I disable the OUTPUT chain rule marking "C-A" connections with routing-mark="R-A", then the ping is dropped, so the OUTPUT chain is correctly marking the packets and the routing-mark is having an effect, routing correctly by picking up the correct route.

What I don't understand is that incoming L2TP connections from my remote router do not have the same results.

I can only get these to work if I have the default route on the router (without any connection-mark binding) pointing to the gateway the L2TP/IPSEC packets are arriving on, i.e., they appear to be skipping the OUTPUT chain routing-mark logic and defaulting to the default gateway.

Would anyone be able to try and explain this problem for me? I assume it's something weird with the L2TP connections.

Many thanks, Dominic.
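The setup described in the post above, written out as RouterOS CLI so the two halves (connection marks set in the input chain, routing marks applied in the output chain, routes bound to those marks) can be seen together. This is an added example and not configuration from the original post; the interface names I-A/I-B, gateways 1.1.1.1/2.2.2.2 and mark names come from the post, while the `connection-state=new` filter, `passthrough` settings and comments are assumptions about how such rules are usually written.

```routeros
# Added example (not from the original post): dual-WAN "reply out the same
# interface it came in on" layout for traffic terminated on the router itself.
# Names I-A, I-B, 1.1.1.1, 2.2.2.2, C-A, C-B, R-A, R-B are from the post;
# the remaining parameters are assumptions.

/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 routing-mark=R-A comment="replies for WAN A"
add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=R-B comment="replies for WAN B"

/ip firewall mangle
# INPUT chain: remember which WAN a new connection to the router arrived on.
# Only the first packet needs marking; the mark lives on the conntrack entry.
add chain=input in-interface=I-A connection-state=new \
    action=mark-connection new-connection-mark=C-A passthrough=yes \
    comment="inbound via WAN A"
add chain=input in-interface=I-B connection-state=new \
    action=mark-connection new-connection-mark=C-B passthrough=yes \
    comment="inbound via WAN B"

# OUTPUT chain: the router's own replies look up the routing table selected
# by the connection mark, so they leave via the WAN the request used.
add chain=output connection-mark=C-A \
    action=mark-routing new-routing-mark=R-A passthrough=no \
    comment="reply via WAN A"
add chain=output connection-mark=C-B \
    action=mark-routing new-routing-mark=R-B passthrough=no \
    comment="reply via WAN B"
```

When checking whether a given service is actually covered by these rules, compare what `/ip firewall connection print` shows for the relevant conntrack entries against the routes in `/ip route print where routing-mark=R-A`. For L2TP/IPsec there is more than one entry to look at: the IKE exchange on UDP 500 (or UDP 4500 with NAT-T), the ESP flow (IP protocol 50), and the L2TP session on UDP 1701; a connection mark that is present on one of them but missing on another is the first thing to rule out before assuming the routing-mark logic itself is being bypassed.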
 
dominicbatty
Frequent Visitor
Topic Author
Posts: 91
Joined: Wed Jul 07, 2010 12:26 pm

Re: Routing Marks in Output Chain for IPSEC

Mon Feb 21, 2011 10:31 am

Just for information, whatever was causing this problem was still apparent in v5.0rc9 but has been solved with v5.0rc10.

Cheers, Dom.
