[strongSwan] rightsubnet overlap
Noel Kuntze
noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Aug 24 17:23:26 CEST 2017
Routes can and will not work. They only work, if for anything, if they recommend a local source address for the route. Maybe you can do something with manualy priorities in swanctl.conf
to make sure the priorities are different and one tunnel is preferred over another. That will only work, if the SPs of the failed tunnel are removed when it fails. Other than that, you can use marks
and then check in the next rule if there's a matching policy and accept the packet, if there is. Marking packets is non-terminating, so you can do that for how many tunnels you want. Again, it will only
work if the SPs of a failed tunnel are removed when it fails.
On 24.08.2017 14:07, Dusan Ilic wrote:
> With iptables you can set marks on traffic and that way decide which tunnel to use. Automatic switch will not be supported, unless you write a script that checka the health of the current actively tunnel and then change mark.
>
> Probably traditional routes can work better.
>
> ---- John Brown skrev ----
>
> Hi Dusan,
> The solution you propose is also promising, thank you! But I do not get one thing. How can I use iptables to decide which tunnel should be used to send the traffic? Would your solution provide automatic switchover in case of preffered tunnel is going down and maybe up again (for example, many failure scenarios are possible)?
>
> Best regards,
> John
>
>
> 2017-08-24 13:24 GMT+02:00 Dusan Ilic <dusan at comhem.se <mailto:dusan at comhem.se>>:
>
> Hi John,
>
> You dont need route based for this, you can setup two tunnels with same rightsubnet and use different marks. By applying these marks with iptables you choose which tunnel to send the traffic to.
>
> Vti (and maybe libipsec) is however cleaner solution, cause the vti puts the mark on all packets routed out that interface, so standard routing logic can be used instead. Not sure about libipsec though, i think you will have to use iptables marking then too.
>
> ---- John Brown skrev ----
>
>
> Thank you very much for an advice. It looks interesting but also adds significant complexity to the solution. Did you find route based VPN working for rightsubnet overlap scenario?
>
> I'm going to try this probably but with libipsec rather that vti devices (kernel too old for vti). As far as I understand the solution you've proposed I can add priorities to the tunnels by adding a metrics to routes (and prefer conn1 over conn2). Am I correct?
>
> Best regards,
> John
>
> 2017-08-24 11:34 GMT+02:00 Vincent Bernat <bernat at luffy.cx <mailto:bernat at luffy.cx>>:
>
> ❦ 24 août 2017 11:27 +0200 <tel:+0200>, John Brown <jb20141125 at gmail.com <mailto:jb20141125 at gmail.com>> :
>
> > I'm searching the net but cannot find reliable answer for problem:
> >
> > Is this possible in strongswan to have two connections with the same
> > rightsubnet entry and prefer one connection over another?
> >
> > For example:
> >
> > ...
> >
> > conn1
> > ...
> > rightsubnet=10.10.0.0/16 <http://10.10.0.0/16>
> >
> > conn2
> > ...
> > rightsubnet=10.10.0.0/16 <http://10.10.0.0/16>
> >
> >
> > and in ideal scenario both conns are up but conn1 is used for tx/rx
> > encrypted traffic when possible, conn2 only in case of lack of conn1.
>
> One solution is to use routes to divert traffic to one of the tunnel or
> the other:
> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN <https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN>
> --
> Use self-identifying input. Allow defaults. Echo both on output.
> - The Elements of Programming Style (Kernighan & Plauger)
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20170824/df909ce3/attachment.sig>
More information about the Users
mailing list