Issue #3327

Control tunnel priorities based on destination ip in an active-active setup

Added by Guy Or 8 months ago. Updated 8 months ago.

Status:
Feedback
Priority:
Normal
Assignee:
-
Category:
configuration
Affected version:
5.8.2
Resolution:

Description

Hi,

I am trying to establish an interconnection where our side has one VPN GW running strongswan and the remote side has 2 physical sites with 2 Gateways.

Basically we have 2 IPs that communicate with 2 IPs on their side and we establish 2 tunnels.
When both tunnels are up, all the traffic to RemoteIp1 should go through tunnel 1 and traffic to RemoteIp2 through tunnel 2.
Only when one tunnel goes down does all the traffic go through the tunnel that remains active.

My config is as follows:

conn conn1
        left=MyVpnGW
        leftid=MyVpnGW
        leftsubnet=MyIp1,MyIp2
        leftfirewall=yes
        right=RemoteVpnGw1
        rightid=RemoteVpnGw1
        rightsubnet=RemoteIp1,RemoteIp2
        auto=start
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha1-modp2048!
        ikelifetime=86400s
        esp=aes256-sha1,aes256gcm128!
        keylife=3600s
conn conn2
        left=MyVpnGW
        leftid=MyVpnGW
        leftsubnet=MyIp1,MyIp2
        leftfirewall=yes
        right=RemoteVpnGw2
        rightid=RemoteVpnGw2
        rightsubnet=RemoteIp1,RemoteIp2
        auto=start
        keyexchange=ikev2
        authby=secret
        ike=aes256-sha1-modp2048!
        ikelifetime=86400s
        esp=aes256-sha1,aes256gcm128!
        keylife=3600s

As you can see, RemoteIp1 and RemoteIp2 are reachable over both connections, but when both connections are active
I want egress traffic to RemoteIp1 to go only through conn1 and likewise for RemoteIp2 and conn2.
By the way, both tunnels are already established, but the CHILD_SA being used is always the last one to be created.

I honestly don't know how to make that happen and if it's possible at all and would appreciate your insight on this.

Thanks,
Guy

History

#1 Updated by Tobias Brunner 8 months ago

  • Tracker changed from Feature to Issue
  • Status changed from New to Feedback
  • Start date deleted (31.01.2020)
  • Affected version set to 5.8.2

If you use swanctl.conf you can configure the priority for CHILD_SAs/policies (set a lower value than the default so a particular one is used by the kernel).

#2 Updated by Guy Or 8 months ago

Tobias Brunner wrote:

If you use swanctl.conf you can configure the priority for CHILD_SAs/policies (set a lower value than the default so a particular one is used by the kernel).

Thanks Tobias, seems it's what I'm looking for.

Just to clarify, is the setting you are referring to connections.<conn>.children.<child>.priority?
As I understand it, by defining the connection in ipsec.conf the <conn> and <child> sections have the same name, as per https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf

#3 Updated by Tobias Brunner 8 months ago

Just to clarify, is the setting you are referring to connections.<conn>.children.<child>.priority?

Yes.

As I understand it, by defining the connection in ipsec.conf the <conn> and <child> sections have the same name, as per https://wiki.strongswan.org/projects/strongswan/wiki/Fromipsecconf

Basically. But the legacy interface actually merged connections together, so multiple conn sections in ipsec.conf could get merged as separate CHILD_SA configs (<child>) into the same IKE config (<conn>). Wouldn't be the case here, though, because the remote IPs are different.
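The priority split Tobias describes, written out for the reporter's setup as an added example that is not part of the issue or of strongSwan's documentation: a single priority per child cannot say "RemoteIp1 via conn1, RemoteIp2 via conn2", so each connection gets one child per remote IP, and the preferred child gets the lower (winning) value. The child names, the priority values 1000/2000 and the PSK entry are assumptions; the addresses and algorithms are the issue's placeholders.

```conf
# Added example (not the reporter's or strongSwan's own config): the issue's conn1
# rewritten for swanctl.conf with one child per remote IP so each kernel policy
# carries its own priority. Placeholders are the issue's; priority values 1000
# and 2000 are assumed (both below charon's computed default; lower wins).
connections {
    conn1 {
        version = 2
        local_addrs = MyVpnGW
        remote_addrs = RemoteVpnGw1
        # no trailing "!" as in ipsec.conf: swanctl proposals are always strict
        proposals = aes256-sha1-modp2048
        local {
            auth = psk
            id = MyVpnGW
        }
        remote {
            auth = psk
            id = RemoteVpnGw1
        }
        children {
            # preferred path for RemoteIp1 while both tunnels are up
            to-RemoteIp1 {
                local_ts = MyIp1,MyIp2
                remote_ts = RemoteIp1
                esp_proposals = aes256-sha1,aes256gcm128
                start_action = start
                priority = 1000
            }
            # fallback for RemoteIp2: the kernel only matches this policy
            # once conn2's lower-valued policy for RemoteIp2 is gone
            to-RemoteIp2 {
                local_ts = MyIp1,MyIp2
                remote_ts = RemoteIp2
                esp_proposals = aes256-sha1,aes256gcm128
                start_action = start
                priority = 2000
            }
        }
    }
    # conn2 is the same block with RemoteVpnGw2 as remote_addrs and remote id,
    # and the two priority values swapped (1000 for RemoteIp2, 2000 for RemoteIp1)
}
secrets {
    # constructed placeholder; both peers must have a matching PSK entry
    ike-remote1 {
        id-1 = RemoteVpnGw1
        secret = "PLACEHOLDER-replace-me"
    }
}
```

Failover only happens once charon removes the dead tunnel's policies, so pair this with dpd_delay on the connection and a dpd_action on the children (not shown); the ipsec.conf leftfirewall=yes behaviour would likewise need an updown script, which this fragment omits.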