[strongSwan] Create tunnels for LXCs on Host (is it possible?)

2017-08-24 Thread Kellen Arb
Hello, I have the following network setup:

LXC1(eth0: 192.168.1.100/24)        (eth0: 192.168.1.200/24)LXC2
Host1(br1: 192.168.1.10/24)---------(br1: 192.168.1.20/24)Host2

Each LXC lives on its corresponding Host. br1 (a bridge) on each Host is mapped to eth0 on each LXC. IP addresses for all

Re: [strongSwan] ip pool assignment algorithm

2017-08-24 Thread Noel Kuntze
Hi, All backends behave identically, except for one thing: With SQL-based pools, you can have truly static leases. A pool of static leases (timeout == 0) will not return an address if it is full (all leases were assigned at some point). Other pools will return expired leases. If there are no

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread Noel Kuntze
Routes can and will not work. They only work, if for anything, for recommending a local source address for the route. Maybe you can do something with manual priorities in swanctl.conf to make sure the priorities are different and one tunnel is preferred over another. That will only work if

[strongSwan] ip pool assignment algorithm

2017-08-24 Thread Mike.Ettrich
Hi! Is there some detailed information about how IPs from a pool will be assigned to a connection? As I saw, there are different backends possible, but are there rules to assign the IPs, like LRU or 'next in ordered number'? Thanks for help. Kind regards, Mike.

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread Dusan Ilic
With iptables you can set marks on traffic and that way decide which tunnel to use. Automatic switching will not be supported, unless you write a script that checks the health of the currently active tunnel and then changes the mark. Probably traditional routes can work better. John Brown wrote

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread John Brown
Hi Dusan, The solution you propose is also promising, thank you! But I do not get one thing. How can I use iptables to decide which tunnel should be used to send the traffic? Would your solution provide automatic switchover in case the preferred tunnel goes down and maybe comes up again (for example,

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread Vincent Bernat
❦ 24 August 2017 13:11 +0200, John Brown  : > Thank you very much for the advice. It looks interesting but also adds > significant complexity to the solution. Did you find route-based VPN > working for the rightsubnet overlap scenario? Yes, I am using them (if 0.0.0.0/0 as right

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread Dusan Ilic
Hi John, You don't need route-based for this; you can set up two tunnels with the same rightsubnet and use different marks. By applying these marks with iptables you choose which tunnel to send the traffic to. VTI (and maybe libipsec) is however the cleaner solution, because the VTI puts the mark on all
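
The following is an added example (not code from this thread or from the strongSwan project) of the route-based variant of what the two replies above discuss: two connections that both reach the overlapping rightsubnet 10.10.0.0/16, each bound to its own VTI device by a Netfilter mark, with the kernel route metric deciding which tunnel is preferred. Everything concrete here is an assumption for illustration: the addresses (192.0.2.10 local, 198.51.100.1 and 203.0.113.1 as peers, all documentation ranges), the connection names conn1/conn2, the marks 42/43, a kernel with VTI support, configuration through swanctl, and PSK secrets that are assumed to be configured in a separate secrets section and are left out.

```shell
#!/bin/sh
# Added example, not from the thread: two route-based strongSwan tunnels to the
# same remote subnet. The IPsec policies cover 0.0.0.0/0 and carry a mark, so
# they only match packets that leave through the VTI device with that key;
# which tunnel is used is decided by ordinary routes, not by the policies.
# All addresses, names and marks below are assumptions.
set -eu

REMOTE_NET=10.10.0.0/16       # the overlapping rightsubnet from the thread
LOCAL_ADDR=192.0.2.10         # assumed address of this gateway
PEER1=198.51.100.1            # assumed peer of the preferred tunnel
PEER2=203.0.113.1             # assumed peer of the backup tunnel

# Emit one swanctl.conf connection. mark_in/mark_out must equal the "key" of
# the VTI device created for this connection below.
render_conn() {  # render_conn <name> <peer-address> <mark>
    name=$1; peer=$2; mark=$3
    cat <<EOF
$name {
    version = 2
    local_addrs = $LOCAL_ADDR
    remote_addrs = $peer
    proposals = aes256-sha256-ecp256
    local {
        auth = psk
        id = $LOCAL_ADDR
    }
    remote {
        auth = psk
        id = $peer
    }
    children {
        net {
            local_ts = 0.0.0.0/0
            remote_ts = 0.0.0.0/0
            mark_in = $mark
            mark_out = $mark
            esp_proposals = aes256gcm16-ecp256
            start_action = start
            dpd_action = restart
        }
    }
}
EOF
}

# Write the two connections, and stop charon from installing its own routes:
# with 0.0.0.0/0 traffic selectors it would otherwise route everything into
# the tunnels. install_routes is global, so it affects all connections.
write_config() {
    {
        echo "connections {"
        render_conn conn1 "$PEER1" 42
        render_conn conn2 "$PEER2" 43
        echo "}"
    } > /etc/swanctl/conf.d/overlap.conf
    # strongswan.conf includes strongswan.d/*.conf by default (assumed here).
    printf 'charon {\n    install_routes = no\n}\n' > /etc/strongswan.d/overlap.conf
}

# One VTI device per tunnel. Packets sent through the device get the key as
# mark, so they match only the policy/SA of that connection; disable_policy
# keeps the kernel from re-running the IPsec policy check on the plaintext
# that comes out of the device.
add_vti() {  # add_vti <device> <peer-address> <key> <route-metric>
    dev=$1; peer=$2; key=$3; metric=$4
    ip tunnel add "$dev" mode vti local "$LOCAL_ADDR" remote "$peer" key "$key"
    sysctl -q -w "net.ipv4.conf.$dev.disable_policy=1"
    ip link set "$dev" up
    # Same destination on both devices; the lower metric wins while present.
    ip route add "$REMOTE_NET" dev "$dev" metric "$metric"
}

setup() {
    write_config
    add_vti vti1 "$PEER1" 42 100   # preferred tunnel
    add_vti vti2 "$PEER2" 43 200   # backup tunnel
    swanctl --load-all
}

# "sh overlap.sh apply" (as root) installs everything; running the script
# without an argument only defines the functions.
if [ "${1:-}" = "apply" ]; then
    setup
fi
```

The route to vti1 stays in place even when conn1 is down, because the VTI device does not go down with the SA, so traffic would be black-holed rather than fall over to vti2. Failover therefore still needs something outside strongSwan, as noted above: for example a script triggered on the DPD/down event that removes the vti1 route and re-adds it when the tunnel is back, or a routing daemon that tracks tunnel health.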

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread John Brown
Thank you very much for the advice. It looks interesting but also adds significant complexity to the solution. Did you find route-based VPN working for the rightsubnet overlap scenario? I'm going to try this probably but with libipsec rather than VTI devices (kernel too old for VTI). As far as I

Re: [strongSwan] rightsubnet overlap

2017-08-24 Thread Vincent Bernat
❦ 24 August 2017 11:27 +0200, John Brown  : > I'm searching the net but cannot find a reliable answer for the problem: > > Is this possible in strongSwan to have two connections with the same > rightsubnet entry and prefer one connection over another? > > For example: > > ... > >

[strongSwan] rightsubnet overlap

2017-08-24 Thread John Brown
Hello all, I'm searching the net but cannot find a reliable answer for the problem: Is this possible in strongSwan to have two connections with the same rightsubnet entry and prefer one connection over another? For example: ... conn1 ... rightsubnet=10.10.0.0/16 conn2 ...

[strongSwan] Strongswan - Problems to set up IPv4 + IPv6 with StrongSwan 5.1.2 on Ubuntu 14

2017-08-24 Thread Dirk Hoelscher
Thanks for your incredible support. IPv4 is now working as intended. Now I've got some issues regarding IPv4/IPv6 dual stack: My /etc/network/interfaces states the following - iface eth0 inet dhcp iface eth0:1 inet static     address 10.1.1.1