[strongSwan] overlapping redundant subnets

Patrick Hemmer strongswan at stormcloud9.net
Wed Apr 3 00:20:41 CEST 2013


I'm trying to accomplish a setup where I have a remote network which has
2 IPsec gateways on the same LAN. Each is on a different subnet, but
each gateway can get to the other's subnet. So I want to have each box
provide its own subnet, and then a larger subnet which encompasses the
other IPsec gateway. This way traffic will take the shortest route to
each remote subnet, but if an IPsec gateway goes down, the traffic will
route through the remaining gateway.

However I am occasionally experiencing issues where when the main IKE SA
reauthenticates, the tunnel sometimes goes dead until the child SA
reauthenticates. I've played with a ton of different ways of configuring
this, but a separate "conn" section for each tunnel seems to be the only
way which it works. Trying things like putting all the subnets in a
single "conn" using a comma-delimited "left/rightsubnet" ends up
creating a single tunnel to the /16 subnet. I've also tried setting
'reuse_ikesa = no', which results in the same behavior.
Is this unsupported, or am I doing something incorrectly? If this should
be working I can post any relevant logs. If not, well bugger.


Details:
Local subnet is 10.230.16.0/20
Remote subnets are 10.145.16.0/20 and 10.145.32.0/20.
I have this configured and running using a different "conn" section in
ipsec.conf for each combination of the local and remote subnets.

To complicate matters even further, I'm actually trying to do a mesh
topology with another pair of gateway servers (sitting on subnets
10.230.16.0/20 and 10.230.32.0/20). So there's a ton of tunnels going
around. (10.230.16.0/20 <=> 10.145.16.0/20, 10.230.16.0/20 <=>
10.145.32.0/20, 10.230.16.0/20 <=> 10.145.0.0/16, 10.230.32.0/20 <=>
10.145.16.0/20, ...). However for troubleshooting purposes I've removed
the other hosts from the ipsec.conf so that there is only 1 remote host.


( http://s22.postimg.org/bxb8r5r0x/network.png )

This is all to link multiple regions and networks in Amazon's EC2. So
because this is EC2, each box is also sitting behind NAT.

All servers are "Linux strongSwan U4.5.2/K3.2.0-36-virtual" (Ubuntu
12.04.1 LTS)


Example config section (they're all identical except for the left* and
right* params):

config setup
  uniqueids="keep"
  nocrsend="yes"
  nat_traversal="yes"
  keep_alive="60"
  crlcheckinterval="0"
  strictcrlpolicy="no"

conn %default
  rekeyfuzz="100%"
  keyingtries="0"
  leftsendcert="always"
  dpddelay="30"
  dpdtimeout="120"
  dpdaction="restart"

conn d1781a205c4f9450ff35bce4e265fbc9
  authby="psk"
  auto="start"
  compress="no"
  esp="aes256-md5"
  ike="aes256-md5-modp1536"
  ikelifetime="7800"
  keyexchange="ike"
  keylife="3600"
  left="10.145.1.10"
  leftid="107.23.229.33"
  leftsubnet="10.145.32.0/20"
  pfs="no"
  rekeymargin="540"
  right="107.23.198.23"
  rightid="107.23.198.23"
  rightsubnet="10.230.16.0/20"
  type="tunnel"



-Patrick
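The overlapping-selector behaviour the post relies on (each gateway offering its own /20 plus the enclosing /16 as a fallback) can be modelled to see which policy carries a given destination and what happens when one gateway's SAs disappear. This is an added example, not part of the original post or of strongSwan; the gateway names `gw-16` and `gw-32` are hypothetical, and the selection rule is a simplified SPD model (most specific selector wins, first-installed wins a tie), not strongSwan's exact policy-priority formula.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the policies from the post, seen from the
# 10.230.16.0/20 side. Each remote gateway provides its own /20 and the
# enclosing /16 as a fallback. Gateway names are hypothetical.
REMOTE_POLICIES = [
    ("10.145.16.0/20", "gw-16"),
    ("10.145.0.0/16",  "gw-16"),
    ("10.145.32.0/20", "gw-32"),
    ("10.145.0.0/16",  "gw-32"),
]


def select_gateway(dst, policies=REMOTE_POLICIES, down=()):
    """Return the gateway whose policy carries traffic to dst.

    Simplified SPD model (assumption, not strongSwan's priority formula):
    the most specific matching selector wins; among equally specific
    selectors the first installed wins; policies belonging to a gateway
    listed in `down` are treated as removed.
    """
    addr = ip_address(dst)
    best = None
    for prefix, gw in policies:
        net = ip_network(prefix)
        if gw in down or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, gw)
    return best[1] if best else None


def overlap_report(policies=REMOTE_POLICIES):
    """Map each selector installed via more than one gateway to those gateways.

    These equal-length duplicates are the spots to compare against
    `ip xfrm policy` output when a tunnel looks dead after a reauth.
    """
    seen = {}
    for prefix, gw in policies:
        seen.setdefault(str(ip_network(prefix)), []).append(gw)
    return {net: gws for net, gws in seen.items() if len(gws) > 1}


if __name__ == "__main__":
    for dst in ("10.145.20.5", "10.145.40.5", "10.145.100.1"):
        print(dst, "->", select_gateway(dst), "| gw-32 down ->",
              select_gateway(dst, down=("gw-32",)))
    print("duplicated selectors:", overlap_report())
```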

