
Test ikev2/net2net-psk-dscp

Description

In order to support Differentiated Services (DiffServ), two parallel IPsec connections between the subnets behind the gateways moon and sun are set up. Using XFRM marks one IPsec SA is designated for Best Effort (BE) traffic and the second SA for Expedited Forwarding (EF) traffic.

The authentication is based on a pre-shared key (PSK). In order to guarantee that the CHILD_SA with the correct mark is selected on the responder side, each CHILD_SA is bound to an IKE_SA of its own with a distinct IKEv2 ID but sharing the same PSK.

Upon the successful establishment of the IPsec tunnel, the updown script automatically inserts iptables-based firewall rules that let the tunneled traffic pass. In order to test both tunnel and firewall, client alice behind gateway moon pings client bob located behind gateway sun.
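As an added example, not one of the test's own configuration files (the page does not reproduce them), a swanctl.conf for the responder sun that realizes the setup described above: two IKE_SAs distinguished only by their IKEv2 identities and sharing one PSK, each carrying a single CHILD_SA bound to its own XFRM mark, plus the updown script that installs the firewall rules. The identities, mark values, subnets and the PSK placeholder are assumed values.

```conf
connections {
    # Added example for the responder sun; identities, marks, subnets and the PSK are assumed.
    be {
        local {
            auth = psk
            id = sun-be@strongswan.org
        }
        remote {
            auth = psk
            id = moon-be@strongswan.org
        }
        children {
            be {
                local_ts  = 10.2.0.0/16
                remote_ts = 10.1.0.0/16
                mark_in  = 10
                mark_out = 10
                updown = /usr/local/libexec/ipsec/_updown iptables
            }
        }
    }
    # Same subnets, separate IKE_SA: the peer identity moon-ef selects this connection and its mark-20 CHILD_SA.
    ef {
        local {
            auth = psk
            id = sun-ef@strongswan.org
        }
        remote {
            auth = psk
            id = moon-ef@strongswan.org
        }
        children {
            ef {
                local_ts  = 10.2.0.0/16
                remote_ts = 10.1.0.0/16
                mark_in  = 20
                mark_out = 20
                updown = /usr/local/libexec/ipsec/_updown iptables
            }
        }
    }
}
secrets {
    ike-moon {
        id-1 = moon-be@strongswan.org
        id-2 = moon-ef@strongswan.org
        secret = "<PLACEHOLDER-PSK-replace-with-a-random-secret>"
    }
}
```

Outbound packets still have to carry the matching fwmark before the XFRM policy lookup, for instance from an assumed mangle-table rule that maps the DSCP class to the mark (`iptables -t mangle -A PREROUTING -m dscp --dscp-class EF -j MARK --set-mark 20`); without such a rule no packet ever selects the EF policy.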

Network topology (test diagram): alice - venus - moon - winnetou - sun - bob
