[strongSwan] overlapping redundant subnets

Martin Willi martin at strongswan.org
Wed Apr 3 11:09:19 CEST 2013

Hi Patrick,

> So I want to have each box provide its own subnet, and then a larger
> subnet which encompasses the other IPsec gateway. This way traffic
> will take the shortest route to each remote subnet, but if an IPsec
> gateway goes down, the traffic will route through the remaining
> gateway.

So this means that on a box you have two tunnels with an identical IPsec
policy? If yes: Please be aware that the Linux kernel can't handle
identical policies (how should it pick the correct one?). Therefore
strongSwan uses some refcounting logic to install only one of them, but
this means that only one of the tunnels can be used actively.

If you need two identical tunnels with a failover mechanism, you'll have
to assign Netfilter marks to the connections. This allows strongSwan to
install identical policies (with different marks) in the kernel. Your
packets then have to be tagged with the correct mark before they hit
IPsec policy lookup. strongSwan currently does not provide such a
mechanism, so you'll have to create and update these rules yourself.

> However I am occasionally experiencing issues where when the main IKE SA
> reauthenticates, the tunnel sometimes goes dead until the child SA
> reauthenticates.

The reauthentication behavior of strongSwan shows interruptions of
traffic flow, and there is not much you can do about it. Do you really
have a need for reauthentication from a security perspective? Probably
not if you have the preshared key in ipsec.secrets. I'd try to switch to
IKE_SA rekeying by using reauth=no, which can solve a lot of problems.

> I've played with a ton of different ways of configuring this, but a
> separate "conn" section for each tunnel seems to be the only way which
> it works. Trying things like putting all the subnets in a single "conn"
> using a comma-delimited "left/rightsubnet" ends up creating a single
> tunnel to the /16 subnet.

Having all subnets in a single CHILD_SA creates a full mesh between all
subnets in leftsubnet and rightsubnet. If you have separate conn
sections, you'll get different CHILD_SAs, and of course no full mesh
between them.

> I've also tried setting 'reuse_ikesa = no', which results in the same
> behavior.

This just means that each CHILD_SA initiated to a peer will use its own
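As an added illustration (not from this thread or from the strongSwan project), an ipsec.conf fragment for the setup described above: two tunnels with an identical traffic selector to two different gateways, made installable side by side with distinct marks, plus reauth=no instead of reauthentication. All addresses, connection names and mark values are assumed placeholders, and the iptables rules in the comments are one possible way to tag packets before policy lookup.

```ini
# /etc/ipsec.conf fragment (added example; addresses and marks are placeholders)
conn %default
    keyexchange=ikev2
    authby=secret
    reauth=no                 # rekey the IKE_SA rather than reauthenticating

# Two tunnels with the same selectors (10.10.0.0/16 <-> 10.20.0.0/16).
# Without marks the kernel accepts only one such policy; distinct marks
# let strongSwan install both, and the packet's fwmark picks the tunnel.
conn gw-a
    left=192.0.2.10
    leftsubnet=10.10.0.0/16
    right=198.51.100.1
    rightsubnet=10.20.0.0/16
    mark=1                    # SAs and policies of this tunnel carry fwmark 1
    auto=start

conn gw-b
    left=192.0.2.10
    leftsubnet=10.10.0.0/16
    right=198.51.100.2
    rightsubnet=10.20.0.0/16
    mark=2                    # same selectors, different mark
    auto=start

# Tagging rules that must exist outside strongSwan (assumed placement):
# Outbound, forwarded traffic: mark it before the XFRM policy lookup.
# A failover script changes 1 to 2 when gw-a is detected down.
#   iptables -t mangle -A PREROUTING -d 10.20.0.0/16 -j MARK --set-mark 1
# Locally generated traffic needs the same rule in the mangle OUTPUT chain.
# Inbound: mark ESP from each peer so the kernel matches the right SA.
#   iptables -t mangle -A PREROUTING -p esp -s 198.51.100.1 -j MARK --set-mark 1
#   iptables -t mangle -A PREROUTING -p esp -s 198.51.100.2 -j MARK --set-mark 2
```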