[Openswan Users] Re: 2 NICs (in a single host) to 1 NIC ipsec tunneling concurrently
Ken Bantoft
ken at xelerance.com
Fri May 14 18:45:17 CEST 2004
On Fri, 14 May 2004, Nate Carlson wrote:
> On Fri, 14 May 2004, yi min wrote:
> > I hope to connect from "VPN Box A" to "VPN Box B" using two IPsec
> > tunnels concurrently.
> >
> > But in spite of configuring the structure and ipsec configuration below,
> > unfortunately I cannot succeed.
> >
> > If I try to make a GRE connection, first of all I think I have to be able
> > to use GRE after succeeding with IPsec tunneling.
> >
> > I want to know about methods for dual (redundant) IPsec tunnels from each
> > of the 2 NICs of "VPN Box A" to the same destination NIC of "VPN Box B".
> >
> > 10.0.1.0/24===1.2.3.4---3.4.5.6...x.x.x.x---x.x.x.y ===10.0.0.0/24
> > 10.0.1.0/24===2.3.4.5---2.3.4.10...x.x.x.x---x.x.x.y ===10.0.0.0/24
>
> As far as I know, it's not currently possible to have two tunnels up to
> the same destination at the same time. Does one of the developers want to
> comment on this?
True. If you have two paths to the same location, how do you choose which
one to take? Since IPsec doesn't support the concept of 'metrics' like
traditional routing, you currently can only have one tunnel per
destination.
> One thing you could do is bring whichever one you want to use as primary
> up by default, and write a script to monitor the tunnel, and down it and
> bring the secondary one up if it dies.
Or set up two host-to-host tunnels (since the remote hosts are different, they
can be up at the same time), put GRE on both tunnels, and then set up
traditional routes. Enable ECMP (Equal Cost Multipath) in your kernel,
and you could load balance across them :)
However, it still doesn't deal with failover; you'd have to do what Nate
suggests about scripts to monitor + up/down the tunnels.
--
Ken Bantoft VP Business Development
ken at xelerance.com Xelerance Corporation
sip://toronto.xelerance.com http://www.xelerance.com
The future is here. It's just not evenly distributed yet.
-- William Gibson
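A concrete version of the setup Ken sketches (two host-to-host IPsec conns, one per NIC of Box A; a GRE tunnel over each; an ECMP route to the remote LAN; and the monitor script Nate mentions, here rewriting the route instead of bringing a second tunnel up). This is an added example for Linux with Openswan-style ipsec.conf, not code from the thread or from Openswan itself. The addresses 1.2.3.4, 2.3.4.5, 10.0.1.0/24 and 10.0.0.0/24 come from the diagram; Box B's public address (5.6.7.8, where the diagram has x.x.x.x), the GRE link addresses 172.16.0.0/30 and 172.16.0.4/30, the interface names gre1/gre2, the conn names, and the use of leftprotoport/rightprotoport=47 to narrow each SA to GRE are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Two host-to-host IPsec SAs from Box A
# (one per NIC) to Box B, GRE over each, an ECMP route, and a failover monitor.
# Assumed values: B_IP, the 172.16.0.x GRE link nets, gre1/gre2, conn names.

A_IP1=1.2.3.4          # Box A, NIC 1 (from the diagram)
A_IP2=2.3.4.5          # Box A, NIC 2 (from the diagram)
B_IP=5.6.7.8           # Box B public address (assumed; diagram shows x.x.x.x)
REMOTE_LAN=10.0.0.0/24 # LAN behind Box B (from the diagram)
GRE1_LOCAL=172.16.0.1; GRE1_PEER=172.16.0.2   # assumed link net for gre1
GRE2_LOCAL=172.16.0.5; GRE2_PEER=172.16.0.6   # assumed link net for gre2

# ipsec.conf fragment for Box A. Both conns have the same right but a
# different left, so their SAs do not collide and both can be up at once.
# leftprotoport/rightprotoport=47 restricts each SA to GRE (protocol 47);
# assumed to be accepted by the Openswan version in use. authby=secret
# expects a matching PSK for each left/right pair in ipsec.secrets.
gen_ipsec_conf() {
    cat <<EOF
conn a-nic1-to-b
    left=$A_IP1
    right=$B_IP
    leftprotoport=47
    rightprotoport=47
    authby=secret
    auto=start

conn a-nic2-to-b
    left=$A_IP2
    right=$B_IP
    leftprotoport=47
    rightprotoport=47
    authby=secret
    auto=start
EOF
}

# Route command for the current tunnel states ($1 = gre1, $2 = gre2, each
# "up" or "down"). Both up: equal-weight multipath (needs
# CONFIG_IP_ROUTE_MULTIPATH). One up: single path. None: withdraw the
# route and return 1 so the caller can raise an alarm.
route_cmd() {
    case "$1/$2" in
        up/up)   echo "ip route replace $REMOTE_LAN nexthop via $GRE1_PEER dev gre1 weight 1 nexthop via $GRE2_PEER dev gre2 weight 1" ;;
        up/down) echo "ip route replace $REMOTE_LAN via $GRE1_PEER dev gre1" ;;
        down/up) echo "ip route replace $REMOTE_LAN via $GRE2_PEER dev gre2" ;;
        *)       echo "ip route del $REMOTE_LAN"; return 1 ;;
    esac
}

# Commands for Box A once both SAs are up: one GRE tunnel per SA, keyed so
# the kernel keeps the two (same remote, different local) tunnels apart,
# then the ECMP route. Box B mirrors this with local/remote swapped.
gen_tunnel_cmds() {
    cat <<EOF
ip tunnel add gre1 mode gre local $A_IP1 remote $B_IP key 1 ttl 255
ip addr add $GRE1_LOCAL/30 dev gre1
ip link set gre1 up
ip tunnel add gre2 mode gre local $A_IP2 remote $B_IP key 2 ttl 255
ip addr add $GRE2_LOCAL/30 dev gre2
ip link set gre2 up
$(route_cmd up up)
EOF
}

# Liveness probe: one ICMP echo to the GRE peer, forced out of that
# interface (iputils ping; -W is seconds). Prints "up" or "down".
probe() {  # $1 = interface, $2 = peer address
    if ping -c 1 -W 2 -I "$1" "$2" >/dev/null 2>&1; then echo up; else echo down; fi
}

# Monitor loop: re-probe both tunnels every 10 s and apply the matching
# route. A dead IPsec SA shows up as an unanswered GRE ping, so the route
# follows the SA state without touching ipsec(8) directly.
monitor() {
    while :; do
        s1=$(probe gre1 "$GRE1_PEER"); s2=$(probe gre2 "$GRE2_PEER")
        cmd=$(route_cmd "$s1" "$s2") || logger -t ipsec-mon "both tunnels down"
        sh -c "$cmd"
        sleep 10
    done
}

# Usage: sh thisfile.sh conf | tunnels | monitor
case "${1:-}" in
    conf)    gen_ipsec_conf ;;
    tunnels) gen_tunnel_cmds ;;
    monitor) monitor ;;
esac
```

Run `conf` and `tunnels` on Box A to generate the two halves of the setup, then `monitor` (as root, in the background) to keep the route in step with whichever GRE peer still answers. The two SAs stay up the whole time; failover is purely a routing change, which is what makes ECMP and the single-path fallback share one mechanism.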