[strongSwan] [SUSPECT EMAIL: No Reputation] Re: multiple tunnels

Modster, Anthony Anthony.Modster at Teledyne.com
Wed May 3 19:24:07 CEST 2017


Hello Noel

We are using two interfaces at once from the same host to the same secure gateway.
root at wglng-6:~# ip route show
10.64.64.64 dev ppp0  proto kernel  scope link  src 166.204.4.61 
192.168.1.0/24 dev eth1.13  proto kernel  scope link  src 192.168.1.134
Note: I did not show interfaces that are not applicable

Both tunnels are up and we were able to ping and send data through the tunnels.
root at wglng-6:~# swanctl --list-sas
sgateway1-radio0: #2, ESTABLISHED, IKEv2, 08173d8797a410eb_i* 5fa1f29dce075fd4_r
  local  'RA00006 at Teledyne.com' @ 166.204.4.61[4500] [20.20.20.9]
  remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256
  established 922s ago, rekeying in 43s, reauth in 2455s
  sgateway1-radio0: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 336s ago, rekeying in 211s, expires in 325s
    in  c2e01069,   1320 bytes,    33 packets,     6s ago
    out e1c27d5f,   1452 bytes,    33 packets,     6s ago
    local  20.20.20.9/32
    remote 10.100.20.15/32
sgateway1-gldl: #1, ESTABLISHED, IKEv2, 00989cc440834937_i* 5e3c5e4b5c1ec4cf_r
  local  'RA00006 at Teledyne.com' @ 192.168.1.134[4500] [20.20.20.8]
  remote 'C=CA, O=Carillon Information Security Inc., OU=TEST, OU=Devices, OU=Aircraft Operator Ground Stations, OU=Teledyne Controls, CN=ELS-VPAPP-WGL08 - ID' @ 76.232.248.210[4500]
  AES_CBC-256/HMAC_SHA2_512_256/PRF_HMAC_SHA1/ECP_256
  established 1049s ago, rekeying in 150s, reauth in 2257s
  sgateway1-gldl: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 469s ago, rekeying in 104s, expires in 191s
    in  c45db512,   1880 bytes,    47 packets,     6s ago
    out 77309eef,   2068 bytes,    47 packets,     6s ago
    local  20.20.20.8/32
    remote 10.100.20.15/32

strongSwan creates the following in table 220:
root at wglng-6:~# ip route show table 220
10.100.20.15 via 192.168.1.1 dev eth1.13  proto static  src 20.20.20.8

When we bring down eth1.13, the tunnel for ppp0 becomes unusable.

We think the problem is that ppp0 does not have a via in table 220.
Also, we are currently not using a custom updown script.

If you need more information, let me know.

Thanks

-----Original Message-----
From: Noel Kuntze [mailto:noel.kuntze+strongswan-users-ml at thermi.consulting] 
Sent: Wednesday, May 03, 2017 7:33 AM
To: Modster, Anthony <Anthony.Modster at Teledyne.com>; users at lists.strongswan.org
Subject: [SUSPECT EMAIL: No Reputation] Re: [strongSwan] multiple tunnels

Hello Anthony,

On 03.05.2017 06:57, Modster, Anthony wrote:
> ? how to setup ipsec policy
>
> We want to use multiple tunnels on separate interfaces on the same host to one secure gateway.
>
> The secure gateway only has one external IP address.
>

Depends on your exact requirements. You need to elaborate on this.

Kind regards,
Noel

-- 
Noel Kuntze
IT security consultant

GPG Key ID: 0x0739AD6C
Fingerprint: 3524 93BE B5F7 8E63 1372 AF2D F54E E40B 0739 AD6C
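As an added example (not part of this thread), the check below reproduces Anthony's diagnosis from the two outputs he posted: it parses `swanctl --list-sas` and `ip route show table 220` and lists every installed CHILD_SA whose local/remote traffic selectors have no matching host route in table 220. Function names are mine; the sample input is copied from the mail above, and the same functions can be fed live output.

```python
import re

# Constructed sample input, copied from the swanctl --list-sas and
# "ip route show table 220" output quoted in the mail above.
SAS_OUTPUT = """\
sgateway1-radio0: #2, ESTABLISHED, IKEv2, 08173d8797a410eb_i* 5fa1f29dce075fd4_r
  local  'RA00006 at Teledyne.com' @ 166.204.4.61[4500] [20.20.20.9]
  sgateway1-radio0: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    local  20.20.20.9/32
    remote 10.100.20.15/32
sgateway1-gldl: #1, ESTABLISHED, IKEv2, 00989cc440834937_i* 5e3c5e4b5c1ec4cf_r
  local  'RA00006 at Teledyne.com' @ 192.168.1.134[4500] [20.20.20.8]
  sgateway1-gldl: #3, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    local  20.20.20.8/32
    remote 10.100.20.15/32
"""
TABLE220_OUTPUT = "10.100.20.15 via 192.168.1.1 dev eth1.13  proto static  src 20.20.20.8\n"

CHILD_RE = re.compile(r"^\s+(\S+): #(\d+), reqid (\d+), INSTALLED")
TS_RE = re.compile(r"^\s+(local|remote)\s+(\d+\.\d+\.\d+\.\d+)/32$")
# "dst [via gw] dev DEV ... src SRC"; the via part is absent on ppp links.
ROUTE_RE = re.compile(r"^(\S+)(?: via (\S+))? dev (\S+).*?src (\S+)")

def parse_child_sas(text):
    """Return [(name, local_ts, remote_ts)] for every INSTALLED CHILD_SA."""
    sas, cur = [], None
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if m:
            cur = {"name": m.group(1)}
            sas.append(cur)
            continue
        m = TS_RE.match(line)
        if m and cur is not None:       # only /32 selectors below a CHILD_SA line
            cur[m.group(1)] = m.group(2)
    return [(s["name"], s["local"], s["remote"]) for s in sas]

def parse_table220(text):
    """Return {(dst, src): dev} for each host route strongSwan installed."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[(m.group(1), m.group(4))] = m.group(3)
    return routes

def find_unrouted(sas, routes):
    """Names of CHILD_SAs whose (remote, local) pair has no table-220 route."""
    return [name for name, local, remote in sas if (remote, local) not in routes]

if __name__ == "__main__":
    # Prints ['sgateway1-radio0']: the ppp0 tunnel's src 20.20.20.9 has no route.
    print(find_unrouted(parse_child_sas(SAS_OUTPUT), parse_table220(TABLE220_OUTPUT)))
```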