Re: [Users] Multipath routing with Freeswan, possible?

From: Ken Bantoft (ken_at_freeswan.ca)
Date: Sat Jan 11 2003 - 13:38:25 CET


On 10 Jan 2003, Fraser Campbell wrote:

> Hi,
>
> I have a situation where we have dual-homed Freeswan firewalls. The extra
> link is simply for redundancy but since both links are very reliable we'd
> like to try to utilize both for improved performance.
>
> I'd hoped this could be implemented by bringing up identical tunnels with the
> left and right endpoints adjusted so that they're bound to the alternate
> connection on the ipsec1 interface, the current tunnel would remain on ipsec0.
>
> We would then do something like this:
>
> ip route add 192.168.1.0/24 nexthop dev ipsec0 weight 2 \
> nexthop dev ipsec1 weight 1
>
> When I try to bring up the extra tunnels I get this:
>
> Jan 10 22:35:25 XXXXX Pluto[21173]: "DC-NY-DMZ" #5: cannot route -- \
> route already in use for "DCT1-NYT1-Subnets"
>
> I'm using an older Freeswan (1.91) any chance that this will work in a newer
> version? Perhaps I'm just crazy thinking that I can put an identical route
> on two different interfaces (with or without Freeswan).

Not supported - you can't have two matching eroutes using FreeS/WAN.
There's a number of ways to work around this - the eql driver, or
multilink PPP over the two links, bonding them. That would give you
full use of both links, at the cost of PPP overhead. Then you'd just
point FreeS/WAN at the ppp link (interfaces="ipsec0=ppp0") and you'd have
a nice stable link, with no ugly routing hacks.

There's probably a few other ways of doing it - find a way to get a single
path between the two sites, and then run IPsec over that.

--
Ken Bantoft                The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca         http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
"We can factor the number 15 with quantum computers. We
can also factor the number 15 with a dog trained to bark
three times." -- Robert Harley, 5/12/01, Sci.crypt


_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
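The conflict Fraser hit is a property of how FreeS/WAN keys its eroutes: one per (source subnet, destination subnet) selector, so a second conn with the same subnets but a different uplink is refused before it is ever negotiated. The following pre-flight check, added here as an example and not code from FreeS/WAN or from either poster, parses a minimal ipsec.conf, computes each active conn's eroute selector, and reports the collisions Pluto would reject. The two embedded configs are constructed (addresses, conn parameters and the bonded ppp0 interface are all assumptions): the first reproduces the two-tunnel layout from the question, the second the single-tunnel-over-a-bonded-link layout from the reply.

```python
"""Pre-flight check for a FreeS/WAN ipsec.conf: find conns whose eroutes collide.

Pluto installs one eroute per (source subnet, destination subnet) pair, so two
conns that select the same pair fail with "cannot route -- route already in use".
Parser and sample configs are constructed for this example; not FreeS/WAN code.
"""
from collections import defaultdict

# Constructed: the two-tunnel layout from the question, one conn per uplink.
DUAL_TUNNEL_CONF = """
config setup
        interfaces="ipsec0=eth1 ipsec1=eth2"
conn %default
        authby=rsasig
        auto=start
# primary tunnel over link 1 (all addresses are constructed examples)
conn DCT1-NYT1-Subnets
        left=192.0.2.1
        leftsubnet=192.168.0.0/24
        right=198.51.100.1
        rightsubnet=192.168.1.0/24
# same subnets over link 2: identical selector, so Pluto refuses its eroute
conn DC-NY-DMZ
        left=192.0.2.2
        leftsubnet=192.168.0.0/24
        right=198.51.100.2
        rightsubnet=192.168.1.0/24
"""

# Constructed: the layout from the reply, one tunnel over a bonded ppp link.
BONDED_CONF = """
config setup
        interfaces="ipsec0=ppp0"
conn DCT1-NYT1-Subnets
        left=192.0.2.10           # address on the bonded ppp link (assumed)
        leftsubnet=192.168.0.0/24
        right=198.51.100.10
        rightsubnet=192.168.1.0/24
        authby=rsasig
        auto=start
"""


def parse_ipsec_conf(text):
    """Return (setup_params, conns); conns maps name -> params, with
    'conn %default' values merged into every other conn."""
    setup, conns, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()      # drop comments and blanks
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header at column 0
            kind, _, name = line.strip().partition(' ')
            name = name.strip()
            if kind == 'config' and name == 'setup':
                current = setup
            elif kind == 'conn':
                current = conns.setdefault(name, {})
            elif kind == 'version':
                current = {}                      # accepted, otherwise ignored
            else:
                raise ValueError(f'unknown section: {line!r}')
            continue
        if current is None:
            raise ValueError(f'parameter outside a section: {line!r}')
        key, _, value = line.strip().partition('=')
        current[key.strip()] = value.strip().strip('"')
    defaults = conns.pop('%default', {})
    return setup, {n: {**defaults, **p} for n, p in conns.items()}


def eroute_selector(params):
    """The (src, dst) pair Pluto keys the eroute on; without a *subnet the
    endpoint address itself is the /32 selector."""
    src = params.get('leftsubnet') or params['left'] + '/32'
    dst = params.get('rightsubnet') or params['right'] + '/32'
    return (src, dst)


def find_eroute_conflicts(text):
    """Return [(selector, [conn, ...]), ...] for selectors claimed by more than
    one conn that would be routed at startup (auto=route or auto=start)."""
    _, conns = parse_ipsec_conf(text)
    claims = defaultdict(list)
    for name, params in sorted(conns.items()):
        if params.get('auto', 'ignore') in ('route', 'start'):
            claims[eroute_selector(params)].append(name)
    return [(sel, names) for sel, names in claims.items() if len(names) > 1]


if __name__ == '__main__':
    for label, conf in (('dual tunnels', DUAL_TUNNEL_CONF), ('bonded link', BONDED_CONF)):
        print(f'{label}: {find_eroute_conflicts(conf) or "no eroute conflicts"}')
```

Running the check on the first config reports the shared 192.168.0.0/24 to 192.168.1.0/24 selector claimed by both conns, which is exactly the condition behind the "route already in use" message; on the second config there is a single conn and nothing to collide, and the interfaces line shows the ppp device carrying the IPsec traffic instead of two ipsec devices.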
This archive was generated by hypermail 2.1.5 : Wed Jan 15 2003 - 20:11:39 CET