[strongSwan] Tunnels with dynamic IP and another route issue

Martin Willi martin at strongswan.org
Wed Apr 26 08:26:51 CEST 2017


> How exactly do these kinds of multipath routes compare to
> multiple routes with different priorities/metrics?  In your case you
> have multiple paths with the same weight, how is the actual
> nexthop/interface chosen by the kernel?

The nexthop of a multipath route is selected randomly considering its
weight, based on a hash of the packet address to keep flows on the same
path. With multiple routes with a priority, only the route with the
lowest priority is used.

When used with IPsec, these multipath routes get somewhat
unpredictable; the route lookup for the unencrypted traffic yields a
route, but the IPsec policy used may be configured to use the outer
tunnel source address of a different interface, depending on where the
tunnel was established over.

In short, multipath routes won't work very well with strongSwan as-is.
If you don't need load sharing, use multiple distinct routes with
different priorities. If you want to share load, you may consider using
policy based routing, for example using marks. But be warned, this then
gets close to rocket science.
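The three route layouts contrasted in the reply, written out as iproute2 commands. This is an added example, not part of the mailing-list thread and not strongSwan's own code. Interface names, gateway addresses, the mark value 0x1, the source prefix and routing table 100 are constructed for illustration. By default the script only prints each command; set APPLY=1 to run them (requires root, iproute2 and iptables).

```shell
#!/bin/sh
# Added example: multipath route vs. distinct metric routes vs. fwmark
# policy routing. All addresses, interfaces, table and mark values are
# constructed placeholders. Commands are printed unless APPLY=1.

run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Layout 1: one multipath default route. The kernel hashes each flow and
# picks a nexthop according to the weights, so the interface that ends up
# carrying the ESP packets is not predictable from the IPsec policy alone.
multipath_default() {
  run ip route replace default \
    nexthop via 192.0.2.1 dev eth0 weight 1 \
    nexthop via 198.51.100.1 dev eth1 weight 1
}

# Layout 2: two distinct default routes with different metrics. Only the
# lowest metric is used; the second route is a standby, not load sharing.
metric_defaults() {
  run ip route replace default via 192.0.2.1 dev eth0 metric 100
  run ip route replace default via 198.51.100.1 dev eth1 metric 200
}

# Layout 3: load sharing through policy routing. Packets carrying mark 0x1
# are looked up in table 100, whose default route leaves via the second
# uplink; everything else follows the main table.
fwmark_policy_routing() {
  run ip route replace default via 198.51.100.1 dev eth1 table 100
  run ip rule add fwmark 0x1 table 100
  # Constructed classifier: traffic from 10.0.1.0/24 is sent over eth1.
  run iptables -t mangle -A PREROUTING -s 10.0.1.0/24 -j MARK --set-mark 0x1
  run iptables -t mangle -A OUTPUT -s 10.0.1.0/24 -j MARK --set-mark 0x1
}

show_state() {
  run ip route show
  run ip rule show
}

case "${1:-all}" in
  multipath) multipath_default ;;
  metric)    metric_defaults ;;
  fwmark)    fwmark_policy_routing ;;
  show)      show_state ;;
  *)         multipath_default; metric_defaults; fwmark_policy_routing ;;
esac
```

Usage: `sh routes.sh metric` prints the commands for the recommended layout; `APPLY=1 sh routes.sh metric` installs them. When combining layout 3 with strongSwan, keep in mind that charon installs its own routes into a separate routing table (220 by default) selected by its own `ip rule`, so the priority of the fwmark rule relative to that rule decides which table wins for marked packets; verify the result with `ip rule show` and `ip route get <dst> mark 0x1` rather than assuming it.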

