[Openswan Users] Multiple adsl and leftnexthop use

Peter Farrow peter at farrows.org
Mon Jun 5 22:32:26 CEST 2006


Hi there Federico,

I am using multiple ADSLs; I fix my IPsec to the 2nd line and balance 
the two lines together for all other traffic.

Basically, the problem can be split apart, one is that of load balancing 
the ADSLs the other is that of ipsec config.

1) I did the following: my two ADSL lines each have a Zyxel router on 
them, so I created two routing tables called Zyxel1 and Zyxel2.

2) I took all the default gateway entries out of /etc/sysconfig/network 
and all the gateway settings out of each of the ifcfg files [ifcfg-ethn].

3) I created a complete set of routing tables and balanced the two lines 
(the "equalize" parameter at the end of this script does this for you; 
the "weight" option controls the priority of packets down each line, so 
you can balance lines of different speeds). The ADSL lines are 
xxx.yyy.62.80/28 and xxx.yyy.62.96/28, and the routers are at xxx.yyy.62.81 
and .97 respectively. I run this script from /etc/rc.d/rc.local at boot time:
> #!/bin/sh
> #
> # Register the two per-line tables once; appending unconditionally would
> # add a duplicate line to rt_tables on every boot
> grep -q '^200[[:space:]]' /etc/iproute2/rt_tables || echo "200 Zyxel1" >> /etc/iproute2/rt_tables
> grep -q '^201[[:space:]]' /etc/iproute2/rt_tables || echo "201 Zyxel2" >> /etc/iproute2/rt_tables
>
> # Table Zyxel1 defaults via the first router, Zyxel2 via the second
> ip route add xxx.yyy.62.80/28 dev eth0 table Zyxel1
> ip route add default via xxx.yyy.62.81 table Zyxel1
> ip route add xxx.yyy.62.96/28 dev eth2 table Zyxel2
> ip route add default via xxx.yyy.62.97 table Zyxel2
> route add -net 127.0.0.0/8 dev lo
>
> ip route add 127.0.0.0/8  dev lo table Zyxel2
> ip route add 127.0.0.0/8  dev lo table Zyxel1
>
> # The LAN and the other line's subnet are reachable from either table
> # (each of these is added once; adding a route twice fails with "File exists")
> ip route add 10.200.8.0/24 dev eth1 table Zyxel2
> ip route add 10.200.8.0/24 dev eth1 table Zyxel1
>
> ip route add xxx.yyy.62.96/28 dev eth2 table Zyxel1
> ip route add xxx.yyy.62.80/28 dev eth0 table Zyxel2
>
> # Main table: connected routes with the preferred source address, and a
> # rule so that traffic sourced from each line's address uses that line's table
> ip route add xxx.yyy.62.80/28 dev eth0 src xxx.yyy.62.82
> ip route add xxx.yyy.62.96/28 dev eth2 src xxx.yyy.62.98
> ip rule add from xxx.yyy.62.82 table Zyxel1
> ip rule add from xxx.yyy.62.98 table Zyxel2
>
> # Balanced default for everything else; this is one command ("equalize"
> # needs a kernel with the multipath equalize patch, "weight" sets each
> # line's share)
> ip route add equalize default scope global \
>         nexthop via xxx.yyy.62.81 dev eth0 weight 1 \
>         nexthop via xxx.yyy.62.97 dev eth2 weight 1
4) Then I created an IPsec config as normal, fixing it to one ADSL 
line as follows:
> conn newport-chip
>         left=xxx.yyy.62.98
>         leftnexthop=xxx.yyy.62.97
>         leftsubnet=10.200.8.0/21
>         right=xxx.yyy.62.2
>         rightnexthop=xxx.yyy.62.1
>         rightsubnet=10.200.0.0/21
>         authby=secret
>         pfs=no
>         auto=add


It has a corresponding ipsec.secrets entry as well:
> xxx.yyy.62.98 xxx.yyy.62.2 : PSK "mypassphrasehere"


5) After the routes script above runs, I start the IPsec services and 
bring up the tunnel, which is then tied to the 2nd ADSL line.
leftnexthop points to the ADSL router at the load-balanced twin-DSL end 
(this end, which runs the routing script above);
rightnexthop points to the SDSL router at the remote site, which is 
outside of the load balancing, at xxx.yyy.62.1.

I hope this helps!

Pete
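The same approach as Peter's steps 1 to 5, written as an added example for this page (it is not Peter's script and not part of Openswan). It generalises the routing script to a list of uplinks, makes it safe to re-run (the table is registered once, routes use `replace`, a stale rule is dropped before it is re-added), and adds the check a practitioner wants before starting the tunnel: that the Openswan `left`/`leftnexthop` pair is actually pinned to one uplink's subnet and router. The uplink names, table numbers, devices and addresses are constructed placeholders from the RFC 5737 documentation ranges; `DRY_RUN=1` prints the commands instead of running them, which is how the script is reviewed and tested without root.

```shell
#!/bin/sh
# Added example (not Peter's script and not part of Openswan): source-based
# policy routing for two uplinks, safe to re-run, plus a check that an Openswan
# left/leftnexthop pair is pinned to one of them. All addresses are constructed
# placeholders from the RFC 5737 documentation ranges.
#
#   sh policy-routing.sh plan    # print the commands (DRY_RUN)
#   sh policy-routing.sh apply   # run them (root)

# Uplinks: name table-id device local-address prefix-length gateway
UPLINKS='
isp1 200 eth0 192.0.2.18    28 192.0.2.17
isp2 201 eth2 198.51.100.34 28 198.51.100.33
'
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"

# run CMD... : execute, or just print the command when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# subnet_of ADDR PLEN : IPv4 network address of ADDR/PLEN, pure POSIX sh arithmetic
subnet_of() {
    sn_plen=$2
    sn_ifs=$IFS; IFS=.; set -- $1; IFS=$sn_ifs
    sn_ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    sn_mask=$(( (0xFFFFFFFF << (32 - sn_plen)) & 0xFFFFFFFF ))
    sn_net=$(( sn_ip & sn_mask ))
    printf '%d.%d.%d.%d\n' $(( (sn_net >> 24) & 255 )) $(( (sn_net >> 16) & 255 )) \
                           $(( (sn_net >> 8) & 255 )) $(( sn_net & 255 ))
}

# ensure_rt_table ID NAME : register a named table once; appending on every
# boot (as the original script does) accumulates duplicate lines in rt_tables
ensure_rt_table() {
    grep -qs "^$1[[:space:]][[:space:]]*$2\$" "$RT_TABLES" ||
        run sh -c "printf '%s\t%s\n' '$1' '$2' >> '$RT_TABLES'"
}

# setup_uplink NAME TABLE DEV ADDR PLEN GW : per-uplink table (connected subnet
# plus a default via that uplink's own router) and a rule sending anything
# sourced from ADDR through it. 'route replace' is idempotent, 'rule add' is
# not, so a stale copy is dropped first (the error when none exists is ignored).
setup_uplink() {
    ensure_rt_table "$2" "$1"
    run ip route replace "$(subnet_of "$4" "$5")/$5" dev "$3" src "$4" table "$1"
    run ip route replace default via "$6" dev "$3" table "$1"
    run ip rule del from "$4" table "$1" 2>/dev/null || :
    run ip rule add from "$4" table "$1" priority "$2"
}

# uplink_for_left LEFT LEFTNEXTHOP : print the uplink whose subnet contains LEFT
# and whose router is LEFTNEXTHOP; fail if there is none. With no match, the
# tunnel's IKE/ESP packets carry a source address no 'from' rule covers and
# leave via the main table's default route, i.e. the wrong line (the symptom
# described in the thread).
uplink_for_left() {
    printf '%s\n' "$UPLINKS" | {
        while read -r name table dev addr plen gw; do
            [ -n "$name" ] || continue
            if [ "$(subnet_of "$1" "$plen")" = "$(subnet_of "$addr" "$plen")" ] &&
               [ "$gw" = "$2" ]; then
                printf '%s\n' "$name"; exit 0
            fi
        done
        exit 1
    }
}

main() {
    printf '%s\n' "$UPLINKS" | while read -r name table dev addr plen gw; do
        [ -n "$name" ] || continue
        setup_uplink "$name" "$table" "$dev" "$addr" "$plen" "$gw"
    done
    # Balanced default for everything else. No 'equalize': that keyword needed
    # an out-of-tree kernel patch; current kernels hash multipath routes per flow.
    run ip route replace default scope global \
        nexthop via 192.0.2.17    dev eth0 weight 1 \
        nexthop via 198.51.100.33 dev eth2 weight 1
    # Check for a tunnel pinned to the second line, as in Peter's conn
    uplink_for_left 198.51.100.34 198.51.100.33 >/dev/null ||
        echo "warning: left/leftnexthop do not match any uplink" >&2
}

case "${1-}" in
    plan)  DRY_RUN=1; main ;;
    apply) main ;;
esac
```

The rule keys on the source address: packets the gateway itself originates from an uplink's address, which includes IKE and ESP sent to a road warrior in reply to its connection, consult that uplink's table and leave via its router regardless of what the main table's default route says. `uplink_for_left` fails for a pair such as `left` on the second line with `leftnexthop` set to the first line's router, which is the configuration that only works once the default gateway is switched.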




Federico wrote:
> Hello,
> I'm still fighting with the multiple DSL VPN problem. I searched for how to do it,
> and followed the Openusers suggestions from my first post, but I did not
> manage to get it working.
> So I had better re-explain my problem.
>
> I got the following conf:
>
>
>                                                               ________
>                                           +------------+        /
>                                           |            |  ADSL |
>                             +-------------+ Provider 1 +-------
>         __                  |             |     GW1    |     /
>     ___/  \_         +------+-------+     +------------+    |
>   _/        \__      |     eth1     |                      /
>  /             \     |              |                      |
> | Local network -----+eth0 VPN  GW  |                      |     Internet
>  \_           __/    |              |                      |
>    \__     __/       |     eth2     |                      \
>       \___/          +------+-------+     +------------+    |
>                             |             |            |     \
>                             +-------------+ Provider 2 +-------
>                                           |    GW2     | HDSL  |
>                                           +------------+        \________
>
> On the ADSL (slow but flat-rate) I route all Internet (HTTP, FTP, etc.) traffic.
> On the HDSL link (fast, but a leased line) I want to use Openswan in L2TP/IPsec
> (=> road warrior => no static route applicable as in an IPsec GW-GW conf!)
>
> Obviously on the VPN GW the default gw is GW1 (route add default gw GW1).
> On the other hand I want to redirect the IPsec traffic (say, generated in response to
> connections initiated from any IP) to GW2, and hence it MUST be born on eth2!!
> I thought it was possible to do that using the leftnexthop directive to let
> IPsec packets be born on eth2 and travel through that GW only for IPsec traffic,
> but I didn't manage to do this. The VPN starts correctly, but only if I use GW2 as
> the default gw.
> I read the ipsec.conf manual but perhaps I didn't understand the use of the
> leftnexthop directive.... Could anyone explain that better than the
> documentation?
> And could anyone suggest a solution for this kind of problem please?
> Thank you in advance.
>
> Best Regards
> FV
>
>
>   
>> -----Original Message-----
>> From: Radek Antoniuk [mailto:r.antoniuk at pixel.com.pl]
>> Sent: Friday 2 June 2006 16:35
>> To: Federico
>> Cc: users at openswan.org
>> Subject: Re: R: R: [Openswan Users] VPN on Multiple DLS router
>>
>> Federico wrote:
>>
>>> Sorry, what do you mean? I already tried the following (as stated in my
>>> first post):
>>>
>>> ip rule add from $IP2 table T2
>>>
>>> Maybe you are using a LAN-to-LAN VPN, whereas my config is a road-warrior
>>> VPN...
>>> So x.yz is the address of your remote (right) VPN GW... Am I wrong?
>>> But I can't do that!!
>>> I would just say: everything coming from the public IP of my HDSL
>>> interface, go through my HDSL GW...
>>> But how?
>>> Thank you for your patience!
>>> FV
>>
>> Maybe this will help.
>>
>> ip rule add to your_public_ip_hdsl lookup table 100
>> ip r a default via your_hdsl_gw dev your_hdsl_dev table 100
>>
> Sorry, I come back to the office today...
> I 
>