[strongSwan] VPN load balancing?

Martin Willi martin at strongswan.org
Mon Jul 4 09:28:55 CEST 2011


Hi,
> 
> I want to set up two VPNs at the same time and load balancing in site B. How can
> I solve this problem?

Our High Availability solution [1] can do load sharing, but only using
multiple SAs (it can't share a single SA to two nodes). If you split up
your LAN on one side to multiple subnets, these SAs can be shared
over your cluster.

Another solution without HA is to set up a connection with the same
subnets on both gateways, but with different firewall marks. But you
then have to manually implement load balancing using some iptables
rules. It might be a good idea to keep TCP flows on the same gateway (to
avoid packet reordering), so using the source/destination address and/or
ports might be an option. Assign a mark to each packet on the flow to
select a tunnel to use. An example of how to use marks and set them with
iptables (but not in the context of load sharing) can be found at [2].

Regards
Martin

[1]http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability
[2]http://www.strongswan.org/uml/testresults/ikev2/rw-mark-in-out/index.html
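
One way to do the per-flow mark assignment described in the message above, as an added example that is not part of the original post or of strongSwan: a generator for mangle-table rules that hash source/destination address and ports into a mark. It assumes an iptables build with the HMARK target and one connection per tunnel configured with `mark=1` ... `mark=N`; the function names, subnets and seed are constructed for illustration.

```shell
#!/bin/sh
# Added example. Prints rules in iptables-restore format; nothing is applied
# until the output is piped into iptables-restore by an administrator.
# Assumption: tunnel i is a strongSwan conn with identical subnets and mark=i.

# Loose syntax check for a.b.c.d/len. Its job is to keep spaces and option
# text out of the generated rule when the arguments come from variables.
is_cidr() {
    case "$1" in
        *[!0-9./]*|*/*/*) return 1 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# mark_rules LOCAL_NET REMOTE_NET TUNNELS [SEED]
# Returns 2 on bad input, otherwise prints the rule set and returns 0.
mark_rules() {
    local_net=$1 remote_net=$2 tunnels=$3 seed=${4:-0x5eed0001}
    is_cidr "$local_net" || return 2
    is_cidr "$remote_net" || return 2
    case "$tunnels" in ''|*[!0-9]*) return 2 ;; esac
    [ "$tunnels" -ge 2 ] || return 2

    echo '*mangle'
    # Only unmarked packets between the two subnets are touched. The hash of
    # (src, dst, sport, dport) is constant for a flow, so every packet of a
    # TCP connection gets the same mark and stays on one tunnel (no
    # reordering). --hmark-offset 1 shifts the result into 1..TUNNELS.
    printf '%s\n' "-A PREROUTING -s $local_net -d $remote_net -m mark --mark 0 -j HMARK --hmark-tuple src,dst,sport,dport --hmark-mod $tunnels --hmark-offset 1 --hmark-rnd $seed"
    echo 'COMMIT'
}

# Usage (constructed subnets):
#   mark_rules 10.1.0.0/16 10.2.0.0/16 2 | iptables-restore --noflush
```

The rules cover only the choice of tunnel for forwarded LAN traffic; marking of inbound ESP packets, as in the test scenario at [2], is not handled here.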