[strongSwan] Redundant network connections - messed up SAs

Dahlberg, David david.dahlberg at fkie.fraunhofer.de
Thu Nov 28 09:31:53 CET 2013


Am Donnerstag, den 28.11.2013, 00:03 +0100 schrieb Steffen Heise:

> As I do not know, which network the partner chooses to use, I have to
> use %any for the left= parameter. (There are more than two networks in
> reality so I try to avoid configuring every interface separately).
> As I do not know which partner tries to connect, I have to use %any
> for the right= parameter too. (same thing, more hosts in reality)

I suppose your problem has to do with multiple matching IPsec policies,
their orders and priorities, but the other people here are probably
more experienced in debugging this scenario than I am.

What I wanted to remark is that in such a scenario, it might be a good
idea to configure a /32 (for IPv4) address on the loopback interface of
the service providers, which is being routed from both sides.
That way you'll have redundancy without having to try to connect to two
distinct IP addresses and additionally you may be able to better
distinguish incoming connections (being addressed to the loopback IP)
from outgoing connections (being sent from the interface IPs).

Regards
	David

-- 
David Dahlberg     

Fraunhofer FKIE, Dept. Communication Systems (KOM) | Tel: +49-228-9435-845
Fraunhoferstr. 20, 53343 Wachtberg, Germany        | Fax: +49-228-856277
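The loopback-address layout suggested in the reply above, sketched as an added ipsec.conf example. It is not configuration from the original thread or from the strongSwan project; the addresses (10.255.0.1 for the service provider's loopback, 192.0.2.0/24 and 198.51.100.0/24 for the two redundant transit networks) are constructed placeholders, and the conn names are assumptions. The loopback /32 is added with `ip addr add 10.255.0.1/32 dev lo` and announced or statically routed over every transit network, so a partner reaches the same peer address whichever link is up.

```ini
# --- service provider side (example, not from the thread) ---
# Incoming connections are addressed to the loopback /32, so one
# conn with a fixed left= covers every transit interface; no %any
# on left= and no per-interface conn is needed.
conn partners-in
    keyexchange=ikev2
    left=10.255.0.1          # /32 on lo, routed via all transit networks
    leftsubnet=10.10.0.0/16  # constructed: protected service network
    right=%any               # partners connect from any of their networks
    rightsubnet=0.0.0.0/0    # narrowed by the peer's proposal
    auto=add

# --- partner side (example, not from the thread) ---
# Outgoing connections are sent to the loopback address of the
# service provider; the source is whichever interface IP the
# routing table picks, so the two transit links are redundant
# without two distinct conns pointing at two different peer IPs.
conn provider-out
    keyexchange=ikev2
    left=%defaultroute       # interface IP chosen by routing, per link
    leftsubnet=10.20.0.0/16  # constructed: partner's local network
    right=10.255.0.1         # provider loopback, reachable via either link
    rightsubnet=10.10.0.0/16
    auto=route
```

With this split, the responder can tell its own role apart by the local address of the IKE exchange (loopback for incoming, interface IP for anything it initiates), which is the distinction the reply proposes; the exact routing of the /32 over the transit networks is outside what the thread describes and has to match the site's own design.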

