[strongSwan] Multi WAN routing HOWTO ?

Anton warm at stack.ru
Tue Apr 17 09:16:14 CEST 2012


I have a task about fault tolerant vpn connections. I decided to use strongswan ipsec for building tunnels. Now I
cannot make a good enough solution with channel reservation.

For example there are two private subnets which must be connected through the Internet - two offices, each of which
has 2 connections to the Internet. One connection (c1) is the basic one and the other (c2) is the reserve one. First
idea was to make a faultless link between the subnets:

 - to make two vpns: basic-to-basic and reserve-to-reserve
 - both vpns are always on
 - inside these vpns there are two simple tunnels which look like ip-interfaces for linux (ipip or gre)
 - on top of ipip(gre) some dynamic routing (bgp or ospf) should run which handles all channel faults and subnet
   routing on ipip tunnels.

Limitations are: double tunnel encapsulation ; need for quagga (bgp or ospfd) ; too many entities

Second idea was like the first but without ipip-tunnel. We need to set up vpns with correct policies (both with
subnets description) and run quagga on some policied addresses. Also we should disable routes in table 220 by
strongswan - instead of routing table 220 we should get correct routing from quagga in the main table.

Limitations are: need for quagga (bgp or ospfd) ; need to write some basic routing by hand so that the quaggas can
connect ; too many entities ...


All above is only theory. I did not check this yet. I would like to ask for help with this task, maybe someone did
this before in a simpler way?


Maybe strongswan can do it by itself? For example make the basic connection and when a dead peer is detected try to
start and work on the second (reserve) vpn. After the basic vpn (vpn on the basic channel) works again, switch off the
reserve vpn and start working on the basic vpn. Is it possible?


-- 
Anton [WARM-RIPE]
Stack ltd division head
tel. 8 (3822) 555-797
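As an added illustration of the first design described above (this is not from the original post and not strongSwan project code), here is what the two always-on "basic-to-basic" and "reserve-to-reserve" VPNs could look like in ipsec.conf. Each IKE_SA is set up in transport mode and protects only GRE (IP protocol 47) between the two WAN addresses of that channel, so the two connections have distinct policies and never collide. The addresses (documentation ranges), connection names and the PSK reference are constructed assumptions; DPD with dpdaction=restart re-initiates an SA whose peer has stopped answering.

```ini
# /etc/ipsec.conf  (constructed example; addresses are documentation ranges)
config setup

conn %default
    keyexchange=ikev2
    authby=psk            # matching PSK entries in /etc/ipsec.secrets (not shown)
    type=transport        # protect only the GRE packets between the two hosts
    leftprotoport=47      # IP protocol 47 = GRE
    rightprotoport=47
    auto=start            # both VPNs are always up
    dpddelay=30s          # probe the peer every 30 s when the SA is idle
    dpdaction=restart     # re-initiate the IKE_SA when the peer stops answering
    closeaction=restart   # re-initiate if the peer deletes the IKE_SA

# basic-to-basic: office A WAN c1 <-> office B WAN c1
conn basic
    left=198.51.100.1
    right=203.0.113.1

# reserve-to-reserve: office A WAN c2 <-> office B WAN c2
conn reserve
    left=198.51.100.129
    right=203.0.113.129
```

Inside each SA runs one GRE interface per channel, for example `ip tunnel add gre-basic mode gre local 198.51.100.1 remote 203.0.113.1` with a /30 from a private range on it, and likewise `gre-reserve` between the two c2 addresses. Quagga's ospfd is then enabled on `gre-basic` and `gre-reserve` with a higher OSPF cost on the reserve interface, so the private subnets are reached over the basic channel while it is up and OSPF (not IPsec) moves traffic to the reserve channel once the adjacency on `gre-basic` times out. Two things to check on each gateway: the kernel must send packets for 203.0.113.1 out via c1 and packets for 203.0.113.129 out via c2 (source-based `ip rule` entries, the "basic routing by hand" the post mentions), and because the private subnets never appear in the IPsec policies, routing between them is entirely decided by quagga in the main table.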


