[Openswan Users] Secure Tunnels over Redundant Network
khall at pt.com
Sat Sep 20 11:14:49 EDT 2008
I am attempting to configure secure tunnels over a redundant network. I
have two devices to connect. Each device has two IP interfaces (eth0
and eth1). Each interface connects to a different network (four private
networks) and all four of those networks can be inter-routed via a
larger network (public network).
Device-A.eth0 --- NetA NetC --- Device-B.eth0
Device-A.eth1 --- NetB NetD --- Device-B.eth1
In order to maintain the required redundancy characteristics each ethX
must be able to route messages to eth0 and eth1 on the complimentary
device. I have four conns defined with one for each ethX to ethY pair.
This creates a problem when starting ipsec as the same destination is
routed to by two different sources:
Device-A.eth0 routes to Device-B.eth0 via NetA through NetC
Device-A.eth1 routes to Device-B.eth0 via NetB through NetC
I can establish both
Device-A.eth0 <--> Device-B.eth0 and Device-A.eth1 <--> Device-B.eth1
Device-A.eth0 <--> Device-B.eth1 and Device-A.eth1 <--> Device-B.eth0
but not all four. (I'm using Linux Openswan U2.6.16/K2.6.12 (netkey)).
Openswan indicates it is refusing to use the same destination on the
My question is whether this is a valid configuration for Openswan. I
have found posts for and against multiple tunnels to the same
destination. In addition RFC 3554 "On the Use of Stream Control
Transmission Protocol (SCTP) with IPsec" suggests that current IKE
implementations can support this type of multi-route scenario (though
supposedly inefficient). The SA is unique (by source gateway). The
destination can be differentiated by the outgoing interface.
I am under the impression that Strongswan with IKEv2 has the capability
to have multiple tunnels/routes to a destination do so (and more
efficiently). I will be attempting to get a load that has this to do a
Thank you and much appreciation for this list!
khall at pt.com
More information about the Users