[Openswan Users] Secure Tunnels over Redundant Network

Kevin Hall khall at pt.com
Sat Sep 20 11:14:49 EDT 2008


Hello all,

I am attempting to configure secure tunnels over a redundant network.  I 
have two devices to connect.  Each device has two IP interfaces (eth0 
and eth1).  Each interface connects to a different network (four private 
networks) and all four of those networks can be inter-routed via a 
larger network (public network).

Network Diagram:

Device-A.eth0 --- NetA          NetC --- Device-B.eth0
                      \        /
                      Public Net
                      /        \
Device-A.eth1 --- NetB          NetD --- Device-B.eth1

In order to maintain the required redundancy characteristics each ethX 
must be able to route messages to eth0 and eth1 on the complementary 
device.  I have four conns defined with one for each ethX to ethY pair.  
This creates a problem when starting ipsec as the same destination is 
routed to by two different sources:

Device-A.eth0 routes to Device-B.eth0 via NetA through NetC
AND
Device-A.eth1 routes to Device-B.eth0 via NetB through NetC

I can establish both
Device-A.eth0 <--> Device-B.eth0 and Device-A.eth1 <--> Device-B.eth1
OR both
Device-A.eth0 <--> Device-B.eth1 and Device-A.eth1 <--> Device-B.eth0
but not all four. (I'm using Linux Openswan U2.6.16/K2.6.12 (netkey)).  
Openswan indicates it is refusing to use the same destination on the 
second conn.

My question is whether this is a valid configuration for Openswan.  I 
have found posts for and against multiple tunnels to the same 
destination.  In addition RFC 3554 "On the Use of Stream Control 
Transmission Protocol (SCTP) with IPsec" suggests that current IKE 
implementations can support this type of multi-route scenario (though 
supposedly inefficient).  The SA is unique (by source gateway).  The 
destination can be differentiated by the outgoing interface.

I am under the impression that Strongswan with IKEv2 has the capability 
to have multiple tunnels/routes to a destination do so (and more 
efficiently).  I will be attempting to get a load that has this to do a 
comparison.


Thank you and much appreciation for this list!

-- 
Kevin Hall
Software Engineer
Performance Technologies
khall at pt.com
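
[Added illustration, not part of the original post or of the Openswan
project's own documentation: an ipsec.conf sketch of the four-conn layout
the post describes, one conn per ethX/ethY pair. The addresses, the
conn names and the @deviceX-ethN IDs are constructed placeholders; giving
each interface its own leftid/rightid is an assumption made here so that
the four peer identities are distinct, not a confirmed fix for the
"same destination" refusal the post reports.]

```ini
# Added example (not from the original post). Addresses and IDs are constructed.
config setup
    protostack=netkey

conn %default
    keyexchange=ike
    authby=secret
    type=tunnel
    auto=start

# Device-A.eth0 (NetA) <--> Device-B.eth0 (NetC)
conn a0-b0
    left=10.1.0.2
    leftid=@deviceA-eth0
    right=10.3.0.2
    rightid=@deviceB-eth0

# Device-A.eth0 (NetA) <--> Device-B.eth1 (NetD)
conn a0-b1
    left=10.1.0.2
    leftid=@deviceA-eth0
    right=10.4.0.2
    rightid=@deviceB-eth1

# Device-A.eth1 (NetB) <--> Device-B.eth0 (NetC)
conn a1-b0
    left=10.2.0.2
    leftid=@deviceA-eth1
    right=10.3.0.2
    rightid=@deviceB-eth0

# Device-A.eth1 (NetB) <--> Device-B.eth1 (NetD)
conn a1-b1
    left=10.2.0.2
    leftid=@deviceA-eth1
    right=10.4.0.2
    rightid=@deviceB-eth1
```

With no leftsubnet/rightsubnet given, each conn's traffic selector is the
gateway pair itself, so every conn differs from the others in at least one
endpoint, while a0-b0 and a1-b0 (and likewise a0-b1 and a1-b1) share the
same right address. Whether Openswan will route and instantiate both conns
that share a right address is exactly the question the post raises; this
sketch only makes the four identities and endpoints explicit so the
behaviour can be checked per conn (for example with ipsec auto --status)
rather than guessed from a single combined log line.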


