[strongSwan] Tunnels with dynamic IP and another route issue

Dusan Ilic dusan at comhem.se
Wed Apr 26 17:03:43 CEST 2017

I need load distribution and policy routing  just dont cut it,its to static.
All Ipsec connections are configured in ipsec.conf to use vlsn847 interface for incoming connections (left) which means Strongswan always use that route as initiatiator and responder, only problem is that Strongswan also default to this interface for forwarding vpn clients out the Internet,  even though the multipath route in Linux says otherwise.

So the issue seem to lay within Strongswan defaulting to the same interface as incoming connections for forwarding traffic. I will try the workarounds suggested earlier and see if that does any difference. Thank you.

---- Martin Willi skrev ----

>> How exactly do these kind of kind of multipath routes compare to
>> multiple routes with different priorities/metrics?  In your case you
>> have multiple paths with the same weight, how is the actual
>> nexthop/interface chosen by the kernel?
>The nexthop of a multipath route is selected randomly considering its
>weight, based on a hash of the packet address to keep flows on the same
>path. With multiple routes with a priority, only the route with the
>lowest priority is used.
>When used with IPsec, these multipath routes get somewhat
>unpredictable; the route lookup for the unencrypted traffic yields a
>route, but the IPsec policy used may be configured to use the outer
>tunnel source address of a different interface, depending on where the
>tunnel was established over.
>In short, multipath routes won't work very well with strongSwan as-is.
>If you don't need load sharing, use multiple distinct routes with
>different priorities. If you want to share load, you may consider using
>policy based routing, for example using marks. But be warned, this then
>gets close to rocket science.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170426/c6e7202f/attachment.html>

More information about the Users mailing list