[strongSwan] Can you prioritize routes?

Michael Schwartzkopff ms at sys4.de
Sun Sep 11 21:58:01 CEST 2022


On 11.09.22 19:34, VTwin Farriers wrote:
> 4 sites, A, B, C and D. A, B and C are in a "star topology" where they all have links to one another.
>
> Only B and C can connect to D, A cannot connect directly to D, it must go through B or C.
>
>
>      /- B -\
>     /   ^   \
> A -<    |    >- D
>     \   v   /
>      \- C -/
>
>
>
> I added D to the local_ts on B and C for A's configuration and to A's remote_ts configuration, so a connection to D would be available on the off chance the connection to either B or C should drop.
>
> This works fine, except it seems connections to machines on the D network will drop randomly, anywhere from a minute to as long as 5 minutes.
>
> It only happens if I have the route to D exposed to A through both B and C at the same time.
>
> I assume what is happening is that packets are going over one connection from A (say, to B) at some point, but then get routed over the other connection (e.g. C) at some point, resulting in what appears to the remote system on D as a dropped connection, since the packet(s) for the connection aren't coming from B any longer.
>
> Is there a way to set a "priority" on redundant paths within a swanctl.conf file? That is, can I tell A to use B's path to get to D first, unless it is down for some reason, in which case use C? For example, through a route metric?
>
> When I examine the route table on A, the route to D through B and C both have the same metric.
>
> Adding routes manually you can choose to set a metric so there is a preferred path (e.g. the route with the lower metric), but I do not see any type of ability within strongSwan to say "give the path to D through B a metric of 100 and through C a metric of 200".
>
>
>

Hi,


this sounds like a problem that needs route-based VPNs in contrast to 
(traditional) policy-based VPNs. With route-based VPNs you can add 
dynamic routing like BGP. For details see:


https://blog.sys4.de/routing-based-vpn-with-strongswan-de.html

https://blog.sys4.de/routing-based-vpn-with-strongswan-ii-de.html


Kind regards,

-- 

sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
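As an added illustration of the route-based approach the reply points to (this is constructed example configuration for site A, not from the original thread or the linked posts): each peer gets its own XFRM interface with wildcard traffic selectors, so the kernel routing table, with ordinary metrics, decides whether traffic for D leaves via B or C. The addresses, interface names, if_id values, certificate names and D's network prefix are placeholders.

```conf
# --- /etc/strongswan.conf on A: leave route installation to the kernel, not charon
charon {
    install_routes = no
}

# --- /etc/swanctl/swanctl.conf on A: one XFRM interface per peer, 0.0.0.0/0 selectors
connections {
    to-b {
        remote_addrs = 198.51.100.2   # B (constructed address)
        if_id_in = 42                 # must match the ipsec-b interface below
        if_id_out = 42
        local {
            auth = pubkey
            certs = a.pem
        }
        remote {
            auth = pubkey
            id = "CN=b"
        }
        children {
            tunnel {
                local_ts = 0.0.0.0/0  # routes, not selectors, decide what enters the tunnel
                remote_ts = 0.0.0.0/0
                start_action = start
                dpd_action = restart
            }
        }
    }
    to-c {
        remote_addrs = 198.51.100.3   # C (constructed address)
        if_id_in = 43                 # must match the ipsec-c interface below
        if_id_out = 43
        local {
            auth = pubkey
            certs = a.pem
        }
        remote {
            auth = pubkey
            id = "CN=c"
        }
        children {
            tunnel {
                local_ts = 0.0.0.0/0
                remote_ts = 0.0.0.0/0
                start_action = start
                dpd_action = restart
            }
        }
    }
}

# --- Interfaces and routes on A (shell, once at boot; 192.0.2.0/24 stands for D's network):
#   ip link add ipsec-b type xfrm dev eth0 if_id 42 && ip link set ipsec-b up
#   ip link add ipsec-c type xfrm dev eth0 if_id 43 && ip link set ipsec-c up
#   ip route add 192.0.2.0/24 dev ipsec-b metric 100   # preferred path via B
#   ip route add 192.0.2.0/24 dev ipsec-c metric 200   # used only when the B route is gone
```

An XFRM interface stays up even after its SA is gone, so the kernel will not withdraw the metric-100 route on its own; that is why the reply suggests dynamic routing such as BGP sessions over ipsec-b and ipsec-c, which withdraw the path through B as soon as that peer stops answering.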


