Routes can and will not work. They only work, if for anything, if they recommend a local source address for the route. Maybe you can do something with manualy priorities in swanctl.conf to make sure the priorities are different and one tunnel is preferred over another. That will only work, if the SPs of the failed tunnel are removed when it fails. Other than that, you can use marks and then check in the next rule if there's a matching policy and accept the packet, if there is. Marking packets is non-terminating, so you can do that for how many tunnels you want. Again, it will only work if the SPs of a failed tunnel are removed when it fails.
On 24.08.2017 14:07, Dusan Ilic wrote: > With iptables you can set marks on traffic and that way decide which tunnel > to use. Automatic switch will not be supported, unless you write a script > that checka the health of the current actively tunnel and then change mark. > > Probably traditional routes can work better. > > ---- John Brown skrev ---- > > Hi Dusan, > The solution you propose is also promising, thank you! But I do not get one > thing. How can I use iptables to decide which tunnel should be used to send > the traffic? Would your solution provide automatic switchover in case of > preffered tunnel is going down and maybe up again (for example, many failure > scenarios are possible)? > > Best regards, > John > > > 2017-08-24 13:24 GMT+02:00 Dusan Ilic <du...@comhem.se > <mailto:du...@comhem.se>>: > > Hi John, > > You dont need route based for this, you can setup two tunnels with same > rightsubnet and use different marks. By applying these marks with iptables > you choose which tunnel to send the traffic to. > > Vti (and maybe libipsec) is however cleaner solution, cause the vti puts > the mark on all packets routed out that interface, so standard routing logic > can be used instead. Not sure about libipsec though, i think you will have to > use iptables marking then too. > > ---- John Brown skrev ---- > > > Thank you very much for an advice. It looks interesting but also adds > significant complexity to the solution. Did you find route based VPN working > for rightsubnet overlap scenario? > > I'm going to try this probably but with libipsec rather that vti devices > (kernel too old for vti). As far as I understand the solution you've proposed > I can add priorities to the tunnels by adding a metrics to routes (and prefer > conn1 over conn2). Am I correct? > > Best regards, > John > > 2017-08-24 11:34 GMT+02:00 Vincent Bernat <ber...@luffy.cx > <mailto:ber...@luffy.cx>>: > > ❦ 24 août 2017 11:27 +0200 <tel:+0200>, John Brown > <jb20141...@gmail.com <mailto:jb20141...@gmail.com>> : > > > I'm searching the net but cannot find reliable answer for problem: > > > > Is this possible in strongswan to have two connections with the same > > rightsubnet entry and prefer one connection over another? > > > > For example: > > > > ... > > > > conn1 > > ... > > rightsubnet=10.10.0.0/16 <http://10.10.0.0/16> > > > > conn2 > > ... > > rightsubnet=10.10.0.0/16 <http://10.10.0.0/16> > > > > > > and in ideal scenario both conns are up but conn1 is used for tx/rx > > encrypted traffic when possible, conn2 only in case of lack of > conn1. > > One solution is to use routes to divert traffic to one of the tunnel > or > the other: > https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN > <https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN> > -- > Use self-identifying input. Allow defaults. Echo both on output. > - The Elements of Programming Style (Kernighan & Plauger) > > >
signature.asc
Description: OpenPGP digital signature
