[strongSwan] rightsubnet overlap

Dusan Ilic dusan at comhem.se
Thu Aug 24 14:07:47 CEST 2017


With iptables you can set marks on traffic and that way decide which tunnel to use. Automatic switch will not be supported, unless you write a script that checks the health of the currently active tunnel and then changes the mark.

Probably traditional routes can work better.

---- John Brown skrev ----

>Hi Dusan,
>The solution you propose is also promising, thank you! But I do not get one
>thing. How can I use iptables to decide which tunnel should be used to send
>the traffic? Would your solution provide automatic switchover in case of
>preferred tunnel is going down and maybe up again (for example, many
>failure scenarios are possible)?
>
>Best regards,
>John
>
>
>2017-08-24 13:24 GMT+02:00 Dusan Ilic <dusan at comhem.se>:
>
>> Hi John,
>>
>> You don't need route based for this, you can setup two tunnels with same
>> rightsubnet and use different marks. By applying these marks with iptables
>> you choose which tunnel to send the traffic to.
>>
>> Vti (and maybe libipsec) is however a cleaner solution, because the vti puts
>> the mark on all packets routed out that interface, so standard routing
>> logic can be used instead. Not sure about libipsec though, I think you will
>> have to use iptables marking then too.
>>
>> ---- John Brown skrev ----
>>
>>
>> Thank you very much for an advice. It looks interesting but also adds
>> significant complexity to the solution. Did you find route based VPN
>> working for rightsubnet overlap scenario?
>>
>> I'm going to try this probably but with libipsec rather than vti devices
>> (kernel too old for vti). As far as I understand the solution you've
>> proposed I can add priorities to the tunnels by adding metrics to routes
>> (and prefer conn1 over conn2). Am I correct?
>>
>> Best regards,
>> John
>>
>> 2017-08-24 11:34 GMT+02:00 Vincent Bernat <bernat at luffy.cx>:
>>
>>>  ❦ 24 August 2017 11:27 +0200, John Brown <jb20141125 at gmail.com>:
>>>
>>> > I'm searching the net but cannot find reliable answer for problem:
>>> >
>>> > Is this possible in strongswan to have two connections with the same
>>> > rightsubnet entry and prefer one connection over another?
>>> >
>>> > For example:
>>> >
>>> > ...
>>> >
>>> > conn1
>>> >     ...
>>> >     rightsubnet=10.10.0.0/16
>>> >
>>> > conn2
>>> >     ...
>>> >     rightsubnet=10.10.0.0/16
>>> >
>>> >
>>> > and in ideal scenario both conns are up but conn1 is used for tx/rx
>>> > encrypted traffic when possible, conn2 only in case of lack of conn1.
>>>
>>> One solution is to use routes to divert traffic to one of the tunnel or
>>> the other:
>>>  https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>>> --
>>> Use self-identifying input.  Allow defaults.  Echo both on output.
>>>             - The Elements of Programming Style (Kernighan & Plauger)
>>>
>>
>>
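Dusan's iptables-mark approach, worked through as an added example that is not code from the thread: conn1 and conn2 keep the same rightsubnet and differ only in mark_out, and a small script picks the established tunnel and re-points the mangle rule at it. The ipsec.conf keywords are strongSwan's; the "ipsec status" line format it parses, the sample output and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: conn1 and conn2 both carry
# rightsubnet=10.10.0.0/16 and differ only in their mark, e.g. in ipsec.conf
#   conn conn1  ... rightsubnet=10.10.0.0/16  mark_out=1
#   conn conn2  ... rightsubnet=10.10.0.0/16  mark_out=2
# Only the outbound policy depends on the fwmark; inbound SAs still match by SPI.
# The health check parses "ipsec status" output (the line format is assumed).

RIGHTSUBNET=10.10.0.0/16
PREFERRED=conn1    # tunnel to use whenever it is up
FALLBACK=conn2     # tunnel to use only while conn1 is down

# is_established CONN STATUS -> succeeds if STATUS holds a line such as
# "conn1[3]: ESTABLISHED 2 minutes ago, ..." for CONN.
is_established() {
    printf '%s\n' "$2" | grep -q "$1\[[0-9]*]: ESTABLISHED"
}
# choose_conn STATUS -> prints the conn whose mark should be applied, or "none".
choose_conn() {
    if is_established "$PREFERRED" "$1"; then echo "$PREFERRED"
    elif is_established "$FALLBACK" "$1"; then echo "$FALLBACK"
    else echo none
    fi
}
# mark_for CONN -> the mark_out value configured for CONN (0 = no tunnel).
mark_for() {
    case "$1" in conn1) echo 1 ;; conn2) echo 2 ;; *) echo 0 ;; esac
}

# apply_mark MARK -> rewrite the mangle rule that tags traffic to the remote
# subnet. OUTPUT covers local traffic, PREROUTING forwarded traffic; both run
# before routing, so the XFRM policy lookup already sees the mark. Needs root.
apply_mark() {
    for chain in OUTPUT PREROUTING; do
        for old in 1 2; do
            iptables -t mangle -D "$chain" -d "$RIGHTSUBNET" -j MARK --set-mark "$old" 2>/dev/null
        done
        [ "$1" -eq 0 ] || iptables -t mangle -A "$chain" -d "$RIGHTSUBNET" -j MARK --set-mark "$1"
    done
}

# Entry point for cron or a loop: re-evaluate the tunnels and re-mark.
failover_once() {
    apply_mark "$(mark_for "$(choose_conn "$(ipsec status)")")"
}

# Constructed sample "ipsec status" output for exercising the selection logic.
STATUS_BOTH_UP='       conn1[1]: ESTABLISHED 5 minutes ago, 192.0.2.1[moon]...198.51.100.1[sun]
       conn2[2]: ESTABLISHED 5 minutes ago, 192.0.2.1[moon]...203.0.113.1[sun]'
STATUS_CONN1_DOWN='       conn1[3]: CONNECTING, 192.0.2.1[%any]...198.51.100.1[%any]
       conn2[2]: ESTABLISHED 5 minutes ago, 192.0.2.1[moon]...203.0.113.1[sun]'
```

Because the mark, not the route, selects the policy, a switchover only needs the mangle rule rewritten; the routes to 10.10.0.0/16 stay as they are.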