[strongSwan] rightsubnet overlap

John Brown jb20141125 at gmail.com
Thu Aug 24 13:11:30 CEST 2017


Thank you very much for the advice. It looks interesting but also adds
significant complexity to the solution. Did you find route-based VPN
working for the rightsubnet overlap scenario?

I'm probably going to try this, but with libipsec rather than vti devices
(kernel too old for vti). As far as I understand the solution you've
proposed, I can add priorities to the tunnels by adding metrics to routes
(and prefer conn1 over conn2). Am I correct?

Best regards,
John

2017-08-24 11:34 GMT+02:00 Vincent Bernat <bernat at luffy.cx>:

>  ❦ 24 August 2017 11:27 +0200, John Brown <jb20141125 at gmail.com>:
>
> > I'm searching the net but cannot find a reliable answer to this problem:
> >
> > Is it possible in strongSwan to have two connections with the same
> > rightsubnet entry and prefer one connection over another?
> >
> > For example:
> >
> > ...
> >
> > conn1
> >     ...
> >     rightsubnet=10.10.0.0/16
> >
> > conn2
> >     ...
> >     rightsubnet=10.10.0.0/16
> >
> >
> > and in the ideal scenario both conns are up but conn1 is used for tx/rx
> > encrypted traffic when possible, conn2 only in case of lack of conn1.
>
> One solution is to use routes to divert traffic to one of the tunnels or
> the other:
>  https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
> --
> Use self-identifying input.  Allow defaults.  Echo both on output.
>             - The Elements of Programming Style (Kernighan & Plauger)
>