[Openswan Users] ipsec vpn fallback

Lewis Shobbrook mylists at blue-matrix.org
Mon Jun 13 04:10:25 CEST 2005


Hi all,

This solution looks good, I might have a crack at it over the weekend.

I'm wondering if it may be possible at some future stage to allow some sort of 
preset promiscuity such as right=xxx.xxx.xxx.xxx;yyy.yyy.yyy.yyy in 
combination with left=%defaultroute rather than using right=%any 
(feature request?)

If we have multiple links at both ends what will happen when using 
%defaultroute and %any for "left/right=" at both endpoints?  
I suspect negotiation may fail and might also cause complications when using 
a roadwarrior conn with %any as the first conn listed in ipsec.conf will be 
selected.

Can anyone think of a way around this or tell me I'm talking crap again?

On Monday 06 June 2005 11:18 am, Ming-Ching Tiew wrote:
> Basically I make heavy use of iptables and iproute2,
>
>    1. Add two more routing tables, each default route to different gateway
> of the internet link.
>
>    2. Add ip rule so that different fwmark selects different routing table.
>
>                ip rule add fwmark 5 table first
>                ip rule add fwmark 7 table second
>
>    3. Add a new chain to the mangle table and hook to the mangle OUTPUT,
>
>                iptables -t mangle -N ike
>                iptables -t mangle -A ike -p udp --dport 500 -j MARK --set-mark 5
>                iptables -t mangle -A ike -j RETURN
>                iptables -t mangle -A OUTPUT -p udp --dport 500 -j ike
>
>    4. Have script which monitors link failure and dynamically change the
> --set-mark value,

Are you able to share the content of the monitoring script?
I use a NAGIOS monitoring event_handler to cope with extended congestion as 
well as failures, but haven't yet had complete success with openswan 
integration.
>
>                iptables -t mangle -R ike 1 -p udp --dport 500 -j MARK --set-mark 5
>
>                or
>
>                iptables -t mangle -R ike 1 -p udp --dport 500 -j MARK

Does your script switch back to the preferred route once the connection 
failure has ended?

You could also add a single firewall rule such as...
iptables -A PREROUTING -t mangle -p udp --dport 500 -j MARK --set-mark 5

and set the script to modify the routing table 
ip rule del fwmark 5 table first
ip rule add fwmark 5 table second

Cheers,

Lew 
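The rule-swap approach from this mail, with the switch-back behaviour the question above asks about, as an added example that is not part of this thread or of Openswan: a one-pass monitor script that moves the fwmark rule between the two tables and bounces the tunnel. Table names follow the thread; the probe address, state file and conn name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): move the IKE fwmark rule between two
# routing tables when the primary link fails, and move it back when it returns.
MARK=5
PRIMARY_TABLE=first
BACKUP_TABLE=second
PRIMARY_PROBE=203.0.113.1          # constructed: next hop reachable only via link 1
CONN=site-to-site                  # hypothetical ipsec.conf conn name
STATE_FILE=/var/run/ike-fwmark-table   # assumed location for remembered state
: "${DRY_RUN:=1}"                  # DRY_RUN=0 to really change rules (needs root)

# run: print the command in dry-run mode, otherwise execute it
run() { if [ "$DRY_RUN" = 1 ]; then printf '+ %s\n' "$*"; else "$@"; fi; }

# link_up HOST: 0 if the primary link answers a plain ICMP ping
link_up() { ping -c 2 -W 2 "$1" >/dev/null 2>&1; }

# choose_table up|down: the table that should carry IKE (udp/500) traffic
choose_table() {
  case "$1" in
    up) echo "$PRIMARY_TABLE" ;;
    *)  echo "$BACKUP_TABLE" ;;
  esac
}

# switch_table OLD NEW: repoint the fwmark rule; does nothing if unchanged
switch_table() {
  old=$1; new=$2
  [ "$old" = "$new" ] && return 0
  run ip rule del fwmark "$MARK" table "$old"
  run ip rule add fwmark "$MARK" table "$new"
  run ip route flush cache           # 2.6-era kernels cache routing decisions
  # The IKE SA was negotiated over the old path; bounce the conn so Pluto
  # renegotiates from the source address the new table selects.
  run ipsec auto --down "$CONN"
  run ipsec auto --up "$CONN"
}

# main_once: one monitoring pass; call from cron or a Nagios event handler
main_once() {
  if link_up "$PRIMARY_PROBE"; then state=up; else state=down; fi
  current=$(cat "$STATE_FILE" 2>/dev/null || echo "$PRIMARY_TABLE")
  wanted=$(choose_table "$state")
  switch_table "$current" "$wanted"
  [ "$DRY_RUN" = 1 ] || echo "$wanted" > "$STATE_FILE"
}

if [ "${1:-}" = run ]; then main_once; fi
```

Run it as `./ike-failover.sh run` (DRY_RUN=0 for real changes); with the default DRY_RUN=1 it only prints the commands it would issue.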


