Hello, all. I'm working on a fairly complex setup where we are doing ingress traffic shaping with an IFB interface, including traffic transported via GRE/IPsec on gateways using keepalived for VRRP.

We would normally use IPsec in transport mode for GRE/IPsec, but that seems to prevent the tc filters from seeing the contents of the IPsec packets after they are decrypted. In tunnel mode, the packet seems to take that second path through the interface and the tc filters work as expected ... until it breaks.

The strongSwan gateways use VRRP on their public interfaces. We only run strongSwan on the active gateway, and the tunnel end points are the VIPs, i.e., the virtual IP addresses assigned by keepalived when the gateway is operating as MASTER. When a gateway fails, it tears down the GRE and IPsec tunnels if it can, and the new MASTER establishes them using the local VIP and terminating on the remote VIP. This worked fine in transport mode, but in tunnel mode it complains, "no local address found in traffic select <VIP/32>". I've tried playing with left/rightsourceip, but this does not seem applicable to what we are doing and breaks. I've tried specifying leftsubnet even though it is the same as left, but that does not work.

How does one use tunnel mode to a VRRP VIP?

Thanks - John

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
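The failover procedure the post describes (strongSwan and the GRE tunnel brought up only on the VRRP MASTER, torn down when the VIP moves away), written as a constructed keepalived notify script; this is an added example, not part of the original message. The device name gre1, the connection name gre-peer and the VIP addresses are placeholders, and the connection is assumed to be configured with auto=start so that charon initiates it itself once it has read the local VIP.

```shell
#!/bin/sh
# Constructed keepalived notify hook (added example, not from the original post).
# keepalived invokes it as: <script> INSTANCE|GROUP <name> <state> <priority>
# All names below are placeholders chosen for illustration.
LOCAL_VIP="${LOCAL_VIP:-192.0.2.10}"        # VIP keepalived assigns on MASTER
REMOTE_VIP="${REMOTE_VIP:-198.51.100.10}"   # peer site's VIP
CONN="${CONN:-gre-peer}"                    # strongSwan conn, assumed auto=start
GRE_DEV="${GRE_DEV:-gre1}"

# Print, one per line, the commands for a VRRP state transition.
# Kept side-effect free so it can be inspected with DRY_RUN=1.
vrrp_actions() {
    case "$1" in
        MASTER)
            # VIP is now local: start charon (it learns the VIP as a local
            # address at startup) and create the GRE device between the VIPs.
            printf '%s\n' \
                "ipsec start" \
                "ip tunnel add $GRE_DEV mode gre local $LOCAL_VIP remote $REMOTE_VIP" \
                "ip link set $GRE_DEV up"
            ;;
        BACKUP|FAULT|STOP)
            # Losing the VIP: close the SA and remove GRE so the new MASTER
            # can take over the peer cleanly.
            printf '%s\n' \
                "ipsec down $CONN" \
                "ip link set $GRE_DEV down" \
                "ip tunnel del $GRE_DEV" \
                "ipsec stop"
            ;;
        *)
            return 1   # unknown state: do nothing
            ;;
    esac
}

# Execute (or, with DRY_RUN=1, only echo) the planned commands.
run_actions() {
    vrrp_actions "$1" | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || logger -t vrrp-ipsec "failed: $cmd"
        fi
    done
}

case "${1:-}" in
    INSTANCE|GROUP) run_actions "$3" ;;
esac
```

Install it in keepalived.conf as `notify /path/to/script.sh` for the VRRP instance that carries the VIP.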