Site-to-site routed tunnels using strongSwan VTI: marking

In the past I've configured a few site-to-site GRE tunnels. But now I need to configure a VTI-type tunnel, because AWS VPC supports only that.

Everything is quite clear according to the strongSwan documentation: we need to use MARKs when creating the tunnel (https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN) to identify which traffic should be tunneled. One mark is set in ipsec.conf and the other one is specified when creating the VTI tunnel:

# create the VTI device; okey/ikey are the out/in marks taken from PLUTO_MARK_OUT/PLUTO_MARK_IN (mark= in ipsec.conf)
$IP link add ${VTI_INTERFACE} type vti local ${PLUTO_ME} remote ${PLUTO_PEER} okey ${PLUTO_MARK_OUT_ARR[0]} ikey ${PLUTO_MARK_IN_ARR[0]}
# assign the tunnel's inner point-to-point addresses
$IP addr add ${VTI_LOCALADDR} remote ${VTI_REMOTEADDR} dev ${VTI_INTERFACE}
# bring the interface up with an MTU that leaves room for the ESP/IP overhead
$IP link set ${VTI_INTERFACE} up mtu 1436

And this works. But lots of other guides show that we need to create some entries in iptables with the same marks:

$IPTABLES -t mangle -I INPUT -p esp -s ${PLUTO_PEER} -d ${PLUTO_ME} -j MARK --set-xmark ${PLUTO_MARK_IN}

It's very interesting: is it really necessary in a site-to-site VTI configuration? Because I see that everything is working without this mangle entry. Why are others using it? Thanks


It probably was necessary before strongSwan 5.5.2. Earlier versions always set the mark on inbound SAs, so traffic had to be marked to match it, even though the tuple of IP, SPI and protocol is usually unique enough to properly identify an SA (if for some reason that's not the case, the mark may optionally be set again on the inbound SA since strongSwan 5.6.1).
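Whether the mangle rule is needed on a given gateway follows from what the answer describes: it is only needed if the inbound SA itself carries a mark. The script below is an added example, not part of this thread or of strongSwan; it parses `ip xfrm state` output (the samples are constructed; LOCAL_IP stands in for PLUTO_ME) and reports whether any inbound ESP SA is marked.

```shell
#!/bin/sh
# Added example, not part of the original thread: decide whether the mangle
# MARK rule is still needed by checking whether the *inbound* ESP SA carries a
# mark. Reads `ip xfrm state` output; all sample data below is constructed.

LOCAL_IP="198.51.100.1"   # assumed: this gateway's own address (PLUTO_ME)

# Constructed `ip xfrm state` output as strongSwan >= 5.5.2 installs it by
# default: the outbound SA is marked, the inbound SA is not.
SAMPLE_UNMARKED_IN='src 198.51.100.1 dst 203.0.113.2
    proto esp spi 0xc0a80101 reqid 1 mode tunnel
    replay-window 0 flag af-unspec
    mark 0x2a/0xffffffff
    aead rfc4106(gcm(aes)) 0x00000000 128
src 203.0.113.2 dst 198.51.100.1
    proto esp spi 0xc0a80202 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    aead rfc4106(gcm(aes)) 0x00000000 128'

# Constructed output in the pre-5.5.2 style (or with the mark deliberately
# re-enabled on the inbound SA): the inbound SA carries the mark too.
SAMPLE_MARKED_IN="$SAMPLE_UNMARKED_IN
    mark 0x2a/0xffffffff"

# Print the mark of each inbound SA (dst == local address), or "none".
# Live usage: ip xfrm state | inbound_sa_marks "$LOCAL_IP"
inbound_sa_marks() {
    awk -v me="$1" '
        /^src / { if (inbound) print (mark ? mark : "none")
                  inbound = ($4 == me); mark = "" }
        /^[ \t]*mark / { mark = $2 }
        END { if (inbound) print (mark ? mark : "none") }'
}

# Succeeds (exit 0) when any inbound SA is marked: ESP packets must then get
# the same mark in the mangle table before the kernel looks up the SA.
mangle_rule_needed() {
    printf '%s\n' "$2" | inbound_sa_marks "$1" | grep -qv '^none$'
}

for sample in "$SAMPLE_UNMARKED_IN" "$SAMPLE_MARKED_IN"; do
    if mangle_rule_needed "$LOCAL_IP" "$sample"; then
        echo "inbound SA marked: keep the mangle MARK rule"
    else
        echo "inbound SA unmarked: the mangle MARK rule is not needed"
    fi
done
```

On a live gateway, pipe `ip xfrm state` into `inbound_sa_marks` instead of the constructed samples; an unmarked inbound SA means the `-t mangle` rule from the question is redundant.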