Routing Marks in Output Chain for IPSEC

Posted: Mon Feb 07, 2011 7:07 pm
by dominicbatty
Hi, I'm just after a little bit of help regarding a routing problem I have.

I have two connections to the internet via gateways (on interface I-A) and (on interface I-B) and I have two IP routes as follows to bound to routing-mark="R-A" to bound to routing-mark="R-B"

Using mangle rules in the INPUT chain I mark all incoming connections on interface "I-A" with connection-mark="C-A" and all incoming connections on interface "I-B" with connection-mark="C-B".

I then have mangle rules in the OUTPUT chain that mark connections with connection-mark="C-A" with routing-mark="R-A" and connections with connection-mark="C-B" with routing-mark="R-B".

If I ping the IP address of the router associated with interface "I-A" from an external point, this responds correctly and I get a reply. If I disable the OUTPUT chain rule marking "C-A" connections with routing-mark="R-A", the ping is dropped, so the OUTPUT chain is correctly marking the packets and the routing-mark is having an effect, routing correctly by picking up the correct route.

What I don't understand is that incoming L2TP connections from my remote router do not have the same results.

I can only get these to work if I have the default route on the router (without any connection mark binding) pointing to the gateway the L2TP/IPSEC packets are arriving on, i.e. they appear to be skipping the OUTPUT chain routing-mark logic and defaulting to the default gateway.

Would anyone be able to try and explain this problem for me? I assume it's something weird with the L2TP connections.

Many thanks, Dominic.
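The dual-gateway setup described in the post, written out as a RouterOS CLI example (added here for illustration; it is not the poster's own configuration). The interface, connection-mark and routing-mark names are taken from the post; the two gateway addresses are placeholders.

```routeros
# Routes bound to routing marks: traffic carrying R-A leaves via gateway A,
# traffic carrying R-B via gateway B. Gateway addresses are placeholders.
/ip route
add dst-address=0.0.0.0/0 gateway=GATEWAY-A-PLACEHOLDER routing-mark=R-A
add dst-address=0.0.0.0/0 gateway=GATEWAY-B-PLACEHOLDER routing-mark=R-B

/ip firewall mangle
# INPUT chain: tag each new inbound connection with the interface it arrived on.
# connection-state=new avoids re-marking established connections on every packet.
add chain=input in-interface=I-A connection-state=new \
    action=mark-connection new-connection-mark=C-A passthrough=yes
add chain=input in-interface=I-B connection-state=new \
    action=mark-connection new-connection-mark=C-B passthrough=yes

# OUTPUT chain: replies generated by the router itself inherit the
# connection mark, so set the matching routing mark before routing.
add chain=output connection-mark=C-A \
    action=mark-routing new-routing-mark=R-A passthrough=no
add chain=output connection-mark=C-B \
    action=mark-routing new-routing-mark=R-B passthrough=no
```

Whether a given reply is actually being steered can be checked by watching the packet counters of the two output-chain rules (`/ip firewall mangle print stats`) while generating traffic to each WAN address from outside.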

Re: Routing Marks in Output Chain for IPSEC

Posted: Mon Feb 21, 2011 10:31 am
by dominicbatty
Just for information, whatever was causing this problem was still apparent in v5.0rc9 but has been solved with v5.0rc10.

Cheers, Dom.