[Openswan Users] Re: 2 NICs(in a single host) to 1 NIC ipsec tenneling concurrently

Fri May 14 18:45:17 CEST 2004

On Fri, 14 May 2004, Nate Carlson wrote:

> On Fri, 14 May 2004, yi min wrote:
> > I hope to connect from VPN Box A" to VPN Box B" with using two ipsec
> > tunnels concurrently.
> > 
> > but In spite of configuring as below structure and ipsec configurations,
> > unfortunately I can not success
> > 
> > if i try to connect GRE connection, first of all i think to be able to
> > use GRE after successing in IPsec Tunneling
> > 
> > I wanna know about the methods of dual(redundant)ipsec tunnels from each
> > others 2 NIC of a VPN Box A" to a same destination NIC of VPN Box B"
> >   
> > 10.0.1.0/24===1.2.3.4---3.4.5.6...x.x.x.x---x.x.x.y ===10.0.0.0/24
> > 10.0.1.0/24===2.3.4.5---2.3.4.10...x.x.x.x---x.x.x.y ===10.0.0.0/24
> 
> As far as I know, it's not currently possible to have two tunnels up to
> the same destination at the same time. One of the developers want to
> comment on this?

True.  If you have two paths to the same location, how do you choose which 
one to take?  Since IPsec doesn't support the concept of 'metrics' like 
traditional routing, you currently can only have one tunnel per 
destination.

> One thing you could do is bring whichever one you want to use as primary
> up by default, and write a script to monitor the tunnel, and down it and
> bring the secondary one up if it dies.

Or setup two Host to Host tunnels (since remote hosts are different, they 
can be up at the same time), put GRE on both tunnels, and then setup 
traditional routes.  Enable ECMP (Equal Cost Multipath) in your kernel, 
and you could load balace them :)

However, it still doesn't deal with failover, you'd have to do Nate 
suggest about scripts to monitor + up/down tunnels.

-- 
Ken Bantoft			VP Business Development
ken at xelerance.com		Xelerance Corporation
sip://toronto.xelerance.com	http://www.xelerance.com

The future is here. It's just not evenly distributed yet. 
        -- William Gibson