<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I'm trying to accomplish a setup where I have a remote network which
has 2 IPsec gateways on the same LAN. Each is on a different subnet,
but each gateway can get to the other's subnet. So I want to have
each box provide its own subnet, and then a larger subnet which
encompasses the other IPsec gateway. This way traffic will take the
shortest route to each remote subnet, but if an IPsec gateway goes
down, the traffic will route through the remaining gateway.<br>
<br>
However I am occasionally experiencing issues where when the main
IKE SA reauthenticates, the tunnel sometimes goes dead until the
child SA reauthenticates. I've played with a ton of different ways
of configuring this, but a separate "conn" section for each tunnel
seems to be the only way which it works. Trying things like putting
all the subnets in a single "conn" using a comma-delimited
"left/rightsubnet" ends up creating a single tunnel to the /16
subnet. I've also tried setting 'reuse_ikesa = no', which results in
the same behavior.<br>
Is this unsupported, or am I doing something incorrect? If this
should be working I can post any relevant logs. If not, well bugger.<br>
<br>
<br>
Details:<br>
Local subnet is 10.230.16.0/20<br>
Remote subnets are 10.145.16.0/20 and 10.145.32.0/20.<br>
I have this configured and running using a different "conn" section
in ipsec.conf for each combination of the local and remote subnets.<br>
<br>
To complicate matters even further, I'm actually trying to do a mesh
topology with another pair of gateway servers (sitting on subnets
10.230.16.0/20 and 10.230.32.0/20). So there's a ton of tunnels
going around. (10.230.16.0/20 <=> 10.145.16.0/20,
10.230.16.0/20 <=> 10.145.32.0/20, 10.230.16.0/20 <=>
10.145.0.0/16, 10.230.32.0/20 <=> 10.145.16.0/20, ...).
However for troubleshooting purposes I've removed the other hosts
from the ipsec.conf so that there is only 1 remote host.<br>
<br>
( <a class="moz-txt-link-freetext" href="http://s22.postimg.org/bxb8r5r0x/network.png">http://s22.postimg.org/bxb8r5r0x/network.png</a> )<br>
<br>
This is all to link multiple regions and networks in Amazon's EC2.
So because this is EC2, each box is also sitting behind NAT.<br>
<br>
All servers are "Linux strongSwan U4.5.2/K3.2.0-36-virtual" (Ubuntu
12.04.1 LTS)<br>
<br>
<br>
Example config section (they're all identical except for the left*
and right* params):<br>
<br>
<pre>
config setup
    uniqueids="keep"
    nocrsend="yes"
    nat_traversal="yes"
    keep_alive="60"
    crlcheckinterval="0"
    strictcrlpolicy="no"

conn %default
    rekeyfuzz="100%"
    keyingtries="0"
    leftsendcert="always"
    dpddelay="30"
    dpdtimeout="120"
    dpdaction="restart"

conn d1781a205c4f9450ff35bce4e265fbc9
    authby="psk"
    auto="start"
    compress="no"
    esp="aes256-md5"
    ike="aes256-md5-modp1536"
    ikelifetime="7800"
    keyexchange="ike"
    keylife="3600"
    left="10.145.1.10"
    leftid="107.23.229.33"
    leftsubnet="10.145.32.0/20"
    pfs="no"
    rekeymargin="540"
    right="107.23.198.23"
    rightid="107.23.198.23"
    rightsubnet="10.230.16.0/20"
    type="tunnel"
</pre>
<br>
<br>
<br>
-Patrick<br>
<br>
<br>
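Added example (editor's code, not part of the post or of strongSwan): it generates the "one conn per local/remote subnet combination" layout the post describes, where each gateway offers its own /20 plus the /16 that also covers the other gateway's /20, and it refuses an aggregate that does not actually contain the gateway's own subnet. The 10.230.0.0/16 aggregate on the remote side and the md5-based conn naming are assumptions; the per-conn parameters are copied from the posted config.

```python
"""Generate one ipsec.conf "conn" section per (leftsubnet, rightsubnet) pair."""
import hashlib
import ipaddress
from itertools import product

# Per-conn parameters copied from the posted conn section.
CONN_PARAMS = {
    "authby": "psk", "auto": "start", "compress": "no",
    "esp": "aes256-md5", "ike": "aes256-md5-modp1536",
    "ikelifetime": "7800", "keyexchange": "ike", "keylife": "3600",
    "pfs": "no", "rekeymargin": "540", "type": "tunnel",
}


def selectors(own_subnet, aggregate):
    """A gateway advertises its own /20 and the /16 that must also contain it."""
    own = ipaddress.ip_network(own_subnet)
    agg = ipaddress.ip_network(aggregate)
    if not own.subnet_of(agg):  # misconfigured aggregate: fail loudly, not silently
        raise ValueError(f"{own} is not inside aggregate {agg}")
    return [str(own), str(agg)]


def conn_name(left_subnet, right_subnet):
    """Deterministic 32-hex-char name per selector pair (assumed scheme; md5 is
    only used as a label here, not for any security purpose)."""
    return hashlib.md5(f"{left_subnet}-{right_subnet}".encode()).hexdigest()


def render_conns(local, remote):
    """local/remote: dicts with addr, id, subnet, aggregate (see constructed samples)."""
    sections = []
    for ls, rs in product(selectors(local["subnet"], local["aggregate"]),
                          selectors(remote["subnet"], remote["aggregate"])):
        params = dict(CONN_PARAMS, left=local["addr"], leftid=local["id"], leftsubnet=ls,
                      right=remote["addr"], rightid=remote["id"], rightsubnet=rs)
        lines = [f"conn {conn_name(ls, rs)}"]
        lines += [f"    {k}={v}" for k, v in sorted(params.items())]  # ipsec.conf needs indented params
        sections.append("\n".join(lines))
    return "\n\n".join(sections)


# Constructed sample: addresses and the 10.145.x subnets come from the post.
LOCAL = {"addr": "10.145.1.10", "id": "107.23.229.33",
         "subnet": "10.145.32.0/20", "aggregate": "10.145.0.0/16"}
REMOTE = {"addr": "107.23.198.23", "id": "107.23.198.23",
          "subnet": "10.230.16.0/20", "aggregate": "10.230.0.0/16"}  # /16 assumed

if __name__ == "__main__":
    print(render_conns(LOCAL, REMOTE))
```

Running it prints four conn sections (own/20 and /16 on each side, crossed), each with a distinct name, ready to paste below the posted "conn %default".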
</body>
</html>