[Openswan Users] redundant ipsec connections: route to peer's client conflicts with ... releasing old connection to free the route

Oguz Yilmaz oguzyilmazlist at gmail.com
Thu Jun 4 15:39:02 EDT 2009


My aim is not high availability in the center. I am OK with a single
central server. Let's concentrate on the peer. The peer has 2 internet
access lines. 2 of the VPNs will work on the first access line and 1 of the VPNs
will work on the second access line.

At the moment ip xfrm policy:

src 172.17.0.0/24 dst 172.19.0.0/24
        dir out priority 2344
        tmpl src CENTRALIPADDR dst PEERDSL1
                proto esp reqid 16397 mode tunnel
src 172.16.0.0/24 dst 172.19.0.0/24
        dir out priority 2344
        tmpl src CENTRALIPADDR  dst PEERDSL2
                proto esp reqid 16401 mode tunnel
src 10.0.0.0/8 dst 172.19.0.0/24
        dir out priority 2856
        tmpl src CENTRALIPADDR dst PEERDSL2
                proto esp reqid 16405 mode tunnel

What I want is to establish this state quickly. At the moment it takes
about 5-15 minutes. As you can see, the policies do not actually overlap.
The sources are different for each. The problem, I think, is that openswan only
looks at the destination when preventing routing overlap.

How can I disable the routing check and the releasing of the old connection to
free the route?



On Thu, Jun 4, 2009 at 10:27 PM, Paul Wouters <paul at xelerance.com> wrote:
> On Thu, 4 Jun 2009, Oguz Yilmaz wrote:
>
>> The same topology was working with a Symantec firewall VPN device at the
>> central point. I am trying to migrate the topology to openswan at the
>> center as well.
>>
>> What can you suggest for distributing ipsec connections over two
>> internet lines to the same center?
>
> Look at something like:
>
> http://www.xelerance.com/talks/ha/HA_VPNS_With_FreeSWAN.pdf
>
> Paul
>
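
The question turns on whether the three policies above really overlap, so here is a small added Python script (not from this list, and not Openswan's code) that parses `ip xfrm policy` output and compares policy selectors two ways: on destination alone, and on the full (src, dst) pair with proper subnet overlap checks. The embedded sample is the posted output with the same placeholder names (CENTRALIPADDR, PEERDSL1, PEERDSL2) standing in for the real addresses. It does not say what Openswan itself checks; it only shows what each comparison would flag on these three policies.

```python
import ipaddress
import itertools
import re
import sys

# Constructed sample: the `ip xfrm policy` output from the post, with the
# central/peer addresses left as the placeholder names used there.
SAMPLE_XFRM_POLICY = """\
src 172.17.0.0/24 dst 172.19.0.0/24
        dir out priority 2344
        tmpl src CENTRALIPADDR dst PEERDSL1
                proto esp reqid 16397 mode tunnel
src 172.16.0.0/24 dst 172.19.0.0/24
        dir out priority 2344
        tmpl src CENTRALIPADDR dst PEERDSL2
                proto esp reqid 16401 mode tunnel
src 10.0.0.0/8 dst 172.19.0.0/24
        dir out priority 2856
        tmpl src CENTRALIPADDR dst PEERDSL2
                proto esp reqid 16405 mode tunnel
"""


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` text into a list of policy dicts.

    Each dict has src/dst (ip_network), dir, priority, tmpl_src, tmpl_dst,
    proto, reqid and mode. The template addresses are kept as strings so
    placeholder names (as in the sample) parse too.
    """
    policies = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"src (\S+) dst (\S+)$", line)
        if m:  # a new policy block starts with its selector
            cur = {"src": ipaddress.ip_network(m.group(1)),
                   "dst": ipaddress.ip_network(m.group(2))}
            policies.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"dir (\S+) priority (\d+)", line)
        if m:
            cur["dir"], cur["priority"] = m.group(1), int(m.group(2))
            continue
        m = re.match(r"tmpl src (\S+) dst (\S+)", line)
        if m:
            cur["tmpl_src"], cur["tmpl_dst"] = m.group(1), m.group(2)
            continue
        m = re.match(r"proto (\S+) reqid (\d+) mode (\S+)", line)
        if m:
            cur["proto"] = m.group(1)
            cur["reqid"] = int(m.group(2))
            cur["mode"] = m.group(3)
    return policies


def selector_overlaps(a, b, keys=("src", "dst")):
    """True if a and b share a direction and their selectors overlap on
    every key in `keys` (subnet overlap, not just string equality)."""
    if a["dir"] != b["dir"]:
        return False
    return all(a[k].overlaps(b[k]) for k in keys)


def find_conflicts(policies, keys=("src", "dst")):
    """Return (reqid, reqid) pairs of policies that collide on `keys`."""
    return [(a["reqid"], b["reqid"])
            for a, b in itertools.combinations(policies, 2)
            if selector_overlaps(a, b, keys)]


if __name__ == "__main__":
    # Pipe real output in with `ip xfrm policy | python3 this_script.py`,
    # otherwise the constructed sample from the post is analysed.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_XFRM_POLICY
    pols = parse_xfrm_policies(text)
    print("dst-only collisions:", find_conflicts(pols, keys=("dst",)))
    print("src+dst collisions: ", find_conflicts(pols))
```

On the posted policies the destination-only comparison reports all three pairs as colliding, while the full selector comparison reports none, which is exactly the distinction the post is drawing.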

