[strongSwan] rightsubnet overlap

John Brown jb20141125 at gmail.com
Thu Aug 24 13:59:46 CEST 2017 

Hi Dusan,
The solution you propose is also promising, thank you! But I do not get one
thing. How can I use iptables to decide which tunnel should be used to send
the traffic? Would your solution provide automatic switchover in case of
preffered tunnel is going down and maybe up again (for example, many
failure scenarios are possible)?

Best regards,
John


2017-08-24 13:24 GMT+02:00 Dusan Ilic <dusan at comhem.se>:

> Hi John,
>
> You dont need route based for this, you can setup two tunnels with same
> rightsubnet and use different marks. By applying these marks with iptables
> you choose which tunnel to send the traffic to.
>
> Vti (and maybe libipsec) is however cleaner solution, cause the vti puts
> the mark on all packets routed out that interface, so standard routing
> logic can be used instead. Not sure about libipsec though, i think you will
> have to use iptables marking then too.
>
> ---- John Brown skrev ----
>
>
> Thank you very much for an advice. It looks interesting but also adds
> significant complexity to the solution. Did you find route based VPN
> working for rightsubnet overlap scenario?
>
> I'm going to try this probably but with libipsec rather that vti devices
> (kernel too old for vti). As far as I understand the solution you've
> proposed I can add priorities to the tunnels by adding a metrics to routes
> (and prefer conn1 over conn2). Am I correct?
>
> Best regards,
> John
>
> 2017-08-24 11:34 GMT+02:00 Vincent Bernat <bernat at luffy.cx>:
>
>>  ❦ 24 août 2017 11:27 +0200, John Brown <jb20141125 at gmail.com> :
>>
>> > I'm searching the net but cannot find reliable answer for problem:
>> >
>> > Is this possible in strongswan to have two connections with the same
>> > rightsubnet entry and prefer one connection over another?
>> >
>> > For example:
>> >
>> > ...
>> >
>> > conn1
>> >     ...
>> >     rightsubnet=10.10.0.0/16
>> >
>> > conn2
>> >     ...
>> >     rightsubnet=10.10.0.0/16
>> >
>> >
>> > and in ideal scenario both conns are up but conn1 is used for tx/rx
>> > encrypted traffic when possible, conn2 only in case of lack of conn1.
>>
>> One solution is to use routes to divert traffic to one of the tunnel or
>> the other:
>>  https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>> --
>> Use self-identifying input.  Allow defaults.  Echo both on output.
>>             - The Elements of Programming Style (Kernighan & Plauger)
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170824/0fc739e7/attachment.html>

More information about the Users mailing list