[Openswan Users] Multihomed Firewalls - Redundant tunnels and source assignment for ipsec default route

Mark Royan mark at coastal-it.com
Sun Sep 3 23:34:14 EDT 2006


I have one multi-homed linux firewall, and one single homed firewall and
would like to have redundant tunnels setup between them. The multi-homed
internet connectivity is working fine, and I am able to pull up a single
tunnel, however when that tunnel comes up a route is inserted into the
routing table such that I cannot pass traffic to the single homed
firewall because the route which was inserted into the routing table
does not take into account the source ip or device of the internet
connection which it is using:

Multihomed Firewall:
Router1.1 IP: 1.1.1.1
Router1.1 Def Gateway: 1.1.1.2
Router1.2 IP: 1.2.2.1
Router1.2 Def Gateway: 1.2.2.2

Single Homed Firewall:
Router2.1 IP: 2.2.2.1
Router2.1 Def Gateway: 2.2.2.2


Problematic Route inserted by ipsec into main routing table:
2.2.2.1 via 1.1.1.2 dev Router1.1

As such, the second tunnel (Router1.2 --> Router2.1) can never come up
because the default route from the first tunnel prevents traffic from
flowing from Router1.2 to Router2.1.

I had to enable "leftnexthop" in order to get the tunnel to pass
any traffic at all (of course it looks like this step is the culprit for
adding the problem route).

I notice that there is a config file that I can add -- pluto_updown, but
I'm not really sure where to go from here (as it looks like it adds
everything to the same routing table regardless of source, which doesn't
really solve my problem). I have all the interfaces in the ipsec.conf
file as separate ipsecX interfaces, but this doesn't seem to make a
difference. Is there a "leftdevice" type argument for ipsec.conf's conn
section?


Mark Royan
mark at coastal-it.com
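Added example, not from the original post or from Openswan: a small Python model of Linux route selection using the addresses in the post. It shows why a host route to the peer installed in the main table sends packets sourced from Router1.2 out via Router1.1's gateway, and how choosing a per-uplink table by source address (policy routing) would pick the right gateway instead. The table and rule names are constructed assumptions, not a tested Openswan configuration.

```python
import ipaddress

PEER = "2.2.2.1"  # Router2.1 on the single-homed firewall (from the post)

def lookup(table, dst):
    """Longest-prefix match over (prefix, gateway, dev) entries, like one kernel table."""
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dev in table:
        net = ipaddress.ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, dev)
    return None if best is None else (best[1], best[2])

def route(rules, tables, src, dst):
    """First rule whose source selector matches picks a table; fall through if no route."""
    s = ipaddress.ip_address(src)
    for selector, table_name in rules:
        if s in ipaddress.ip_network(selector):
            hit = lookup(tables[table_name], dst)
            if hit:
                return hit
    return None

# Main table as the post describes it once tunnel 1 is up: the updown host route ignores source.
MAIN = [
    ("0.0.0.0/0", "1.1.1.2", "Router1.1"),
    ("2.2.2.1/32", "1.1.1.2", "Router1.1"),  # the problematic route
]

def single_table(src):
    """Where a packet to the peer goes when only the main table is consulted."""
    return route([("0.0.0.0/0", "main")], {"main": MAIN}, src, PEER)

# Constructed per-uplink tables selected by source address (table names are assumptions).
TABLES = {
    "main": MAIN,
    "uplink1": [("0.0.0.0/0", "1.1.1.2", "Router1.1")],
    "uplink2": [("0.0.0.0/0", "1.2.2.2", "Router1.2")],
}
RULES = [("1.1.1.1/32", "uplink1"), ("1.2.2.1/32", "uplink2"), ("0.0.0.0/0", "main")]

def policy_routed(src):
    """Where the same packet goes when the source address selects the table first."""
    return route(RULES, TABLES, src, PEER)

if __name__ == "__main__":
    for src in ("1.1.1.1", "1.2.2.1"):
        print(src, "main-only:", single_table(src), "per-source:", policy_routed(src))
```

With the main table alone, traffic from 1.2.2.1 is handed to 1.1.1.2 on Router1.1, which is the asymmetric path that keeps the second tunnel from coming up; with the source-selected tables it leaves via 1.2.2.2 on Router1.2.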


