[strongSwan] Redundant connections with charon

Vonlanthen, Elmar Elmar.Vonlanthen at united-security-providers.ch
Thu Nov 18 11:18:13 CET 2010 

Hello all

I have the following setup:

+--------------+                  +--------------+
| chgut1 wan a +---| internet |---+ wan a chgut2 |
|        wan b +---|          |---+ wan b        |
+--------------+                  +--------------+

And I want transport connections between:
- wan a1 and wan a2
- wan a1 and wan b2
- wan b1 and wan a2
- wan b1 and wan b2

In ipsec.conf it looks like this (test environment):
conn chgut2_aa
	left=10.10.10.2
	leftnexthop=10.10.10.254
	right=10.10.20.3
	authby=secret
	type=transport
	auto=start

conn chgut2_ab
	left=10.10.10.2
	leftnexthop=10.10.10.254
	right=10.100.20.3
	authby=secret
	type=transport
	auto=start


conn chgut2_ba
	left=10.100.10.2
	leftnexthop=10.100.10.254
	right=10.10.20.3
	authby=secret
	type=transport
	auto=start

conn chgut2_bb
	left=10.100.10.2
	leftnexthop=10.100.10.254
	right=10.100.20.3
	authby=secret
	type=transport
	auto=start


The purpose is to setup redundant gre tunnels and ospf routing on top of
it.
         
I know, with pluto/ikev1 it is not possible (expect if I use two ip
addresses per wan link).              

With charon/ikev2 I'm not sure if it is possible.

The connections can be established, but when I check ipsec status, I see
that for each conncection the same ip pair was used (wan a1 to wan a2):

root at chgut1fw01 / # ipsec status
Security Associations:
   chgut2_aa[1]: ESTABLISHED 4 minutes ago,
10.10.10.2[10.10.10.2]...10.10.20.3[10.10.20.3]
   chgut2_aa{1}:  INSTALLED, TRANSPORT, ESP SPIs: c73608bc_i c68861ed_o
   chgut2_aa{1}:   10.10.10.2/32 === 10.10.20.3/32 
   chgut2_ab[2]: ESTABLISHED 4 minutes ago,
10.10.10.2[10.10.10.2]...10.10.20.3[10.100.20.3]
   chgut2_ab{2}:  INSTALLED, TRANSPORT, ESP SPIs: c0bdb69c_i c0f5fc56_o
   chgut2_ab{2}:   10.10.10.2/32 === 10.10.20.3/32 
   chgut2_ba[3]: ESTABLISHED 4 minutes ago,
10.10.10.2[10.100.10.2]...10.10.20.3[10.10.20.3]
   chgut2_ba{3}:  INSTALLED, TRANSPORT, ESP SPIs: c0e58056_i cb9956d0_o
   chgut2_ba{3}:   10.10.10.2/32 === 10.10.20.3/32 
   chgut2_bb[4]: ESTABLISHED 4 minutes ago,
10.10.10.2[10.100.10.2]...10.10.20.3[10.100.20.3]
   chgut2_bb{4}:  INSTALLED, TRANSPORT, ESP SPIs: c0d459f3_i cb9b7edf_o
   chgut2_bb{4}:   10.10.10.2/32 === 10.10.20.3/32

Is my setup not possible?

I am using strongswan 4.5.0 with kernel 2.6.29.2.

Thanks for any help.

Best regards
Elmar
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5248 bytes
Desc: not available
URL: <http://lists.strongswan.org/pipermail/users/attachments/20101118/441b3824/attachment.bin>

More information about the Users mailing list