[strongSwan] rightsubnet overlap

John Brown jb20141125 at gmail.com
Thu Aug 24 21:43:52 CEST 2017

Hi Noel,
I did not understand your answer, sorry.

But i did some experiments in the afternoon and I think I think I was
able to achieve what I want. I'm going to check this more deeply next
I did only one thing to get this to work:
- disable charon to install the routes (install_routes=no in
strongswan.conf) and add the routes manualy in the bash shell after
the tunnel was established (i am going to automate this by updown
There is one route for one tunnel and each route has the same network
prefix but metric is different. It looks that this works as expected.
There is no problem in adding kernel policy as far as each tunnel use
different virtual ip.

I'm worried that when using updown script for that I will not be able
to get the source interface which is needed to create the route (ip
route add table 220 metric 10 dev eth0 src but
hopefully I will come up with some solution.

Is this your idea or you were providing different solution?
Best regards,

2017-08-24 17:23 GMT+02:00, Noel Kuntze
<noel.kuntze+strongswan-users-ml at thermi.consulting>:
> Routes can and will not work. They only work, if for anything, if they
> recommend a local source address for the route. Maybe you can do something
> with manualy priorities in swanctl.conf
> to make sure the priorities are different and one tunnel is preferred over
> another. That will only work, if the SPs of the failed tunnel are removed
> when it fails. Other than that, you can use marks
> and then check in the next rule if there's a matching policy and accept the
> packet, if there is. Marking packets is non-terminating, so you can do that
> for how many tunnels you want. Again, it will only
> work if the SPs of a failed tunnel are removed when it fails.
> On 24.08.2017 14:07, Dusan Ilic wrote:
>> With iptables you can set marks on traffic and that way decide which
>> tunnel to use. Automatic switch will not be supported, unless you write a
>> script that checka the health of the current actively tunnel and then
>> change mark.
>> Probably traditional routes can work better.
>> ---- John Brown skrev ----
>> Hi Dusan,
>> The solution you propose is also promising, thank you! But I do not get
>> one thing. How can I use iptables to decide which tunnel should be used to
>> send the traffic? Would your solution provide automatic switchover in case
>> of preffered tunnel is going down and maybe up again (for example, many
>> failure scenarios are possible)?
>> Best regards,
>> John
>> 2017-08-24 13:24 GMT+02:00 Dusan Ilic <dusan at comhem.se
>> <mailto:dusan at comhem.se>>:
>>     Hi John,
>>     You dont need route based for this, you can setup two tunnels with
>> same rightsubnet and use different marks. By applying these marks with
>> iptables you choose which tunnel to send the traffic to.
>>     Vti (and maybe libipsec) is however cleaner solution, cause the vti
>> puts the mark on all packets routed out that interface, so standard
>> routing logic can be used instead. Not sure about libipsec though, i think
>> you will have to use iptables marking then too.
>>     ---- John Brown skrev ----
>>     Thank you very much for an advice. It looks interesting but also adds
>> significant complexity to the solution. Did you find route based VPN
>> working for rightsubnet overlap scenario?
>>     I'm going to try this probably but with libipsec rather that vti
>> devices (kernel too old for vti). As far as I understand the solution
>> you've proposed I can add priorities to the tunnels by adding a metrics to
>> routes (and prefer conn1 over conn2). Am I correct?
>>     Best regards,
>>     John
>>     2017-08-24 11:34 GMT+02:00 Vincent Bernat <bernat at luffy.cx
>> <mailto:bernat at luffy.cx>>:
>>          ❦ 24 août 2017 11:27 +0200 <tel:+0200>, John Brown
>> <jb20141125 at gmail.com <mailto:jb20141125 at gmail.com>> :
>>         > I'm searching the net but cannot find reliable answer for
>> problem:
>>         >
>>         > Is this possible in strongswan to have two connections with the
>> same
>>         > rightsubnet entry and prefer one connection over another?
>>         >
>>         > For example:
>>         >
>>         > ...
>>         >
>>         > conn1
>>         >     ...
>>         >     rightsubnet= <>
>>         >
>>         > conn2
>>         >     ...
>>         >     rightsubnet= <>
>>         >
>>         >
>>         > and in ideal scenario both conns are up but conn1 is used for
>> tx/rx
>>         > encrypted traffic when possible, conn2 only in case of lack of
>> conn1.
>>         One solution is to use routes to divert traffic to one of the
>> tunnel or
>>         the other:
>> https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
>> <https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN>
>>         --
>>         Use self-identifying input.  Allow defaults.  Echo both on
>> output.
>>                     - The Elements of Programming Style (Kernighan &
>> Plauger)

More information about the Users mailing list