Netgate Discussion Forum
    2.4.4 Multiple tunnels to same endpoint

    Category: IPsec
    3 Posts 2 Posters 430 Views
    alifen (last edited by alifen)

      Hi,

      I have some sites with two Internet connections, some sites with one. Let's just consider two sites for this example.

      • Site A has one Internet connection (WAN1: 111.222.0.1)
      • Site B has two Internet connections (WAN1: 123.123.0.2; WAN2: 101.101.0.3)

      Now that we have VTI with 2.4.4, I was hoping to have an IPSec connection between each endpoint constantly up and then just run dynamic routing to handle sending the traffic as links come up and down. The connections would be:

      • Site A, Connection 1 [111.222.0.1] >> Site B, Connection 1 [123.123.0.2]
      • Site A, Connection 1 [111.222.0.1] >> Site B, Connection 1 [101.101.0.3]

      However, it seems that I am limited to one IPSec tunnel per gateway IP. i.e. I can only have one connection to Site A [111.222.0.1] from Site B. The connections come up, but I can't pass any traffic on the second connection unless I take down the first.

      The GUI doesn't let me create two connections to the same gateway, so I am cheating and using a hostname that resolves to the IP. This was my first clue that what I want to do might not be supported!

      Digging into it, it seems from the states table that the problem is that the second connection from the WAN2 address is actually exiting the WAN1 interface.

      I can work around this by:

      1. Editing the gateway IP to something fake on the connection to Site A from Site B, Connection 1 so that the connection to Site A from Site B, Connection 2 comes up.

      2. Editing it back to the correct IP which, interestingly, brings Connection 1 back up without taking down Connection 2.

      Obviously, this is a rubbish workaround as any firewall state change or reboot of the system means I need to re-apply the workaround.

      My question is this: what would be involved in getting the state tracking to work correctly to support two connections to the same IP from different source IPs? Obviously, it is possible - I'd just like to get there in a repeatable, supportable way.

      If someone can give me some hints, I am happy to do some work to test out a solution and suggest it formally as a feature via redmine...

      Thanks in advance!

    jimp (Rebel Alliance Developer, Netgate)

        When you make a P1 to a remote peer, it adds a static route to that peer out the chosen interface.

        You can't have a static route out two interfaces, so it uses the first one.

        You must connect to a different IP address on the far side.

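The two points raised so far (one host route per remote peer, so a second P1 to the same peer IP from another WAN silently exits the first WAN) can be checked before tunnels are brought up. The following is an added example, not pfSense code and not from either poster: it resolves each phase 1 remote gateway (catching the hostname trick from the first post), flags peers configured on more than one interface, and compares the host route that is actually installed against the interface each P1 expects. The phase 1 entries, the DNS map, the interface-to-netif mapping and the `netstat -rn` excerpt are all constructed for the example.

```python
"""Detect IPsec phase 1 entries that share a remote peer IP across interfaces,
and verify the installed host route matches each P1's configured interface.
Added example for this thread; not pfSense's own code. All sample data is constructed."""
import ipaddress
from collections import defaultdict

# Constructed sample: Site B's two phase 1 entries to Site A, as in the thread.
# The second uses a hostname because the GUI refuses a duplicate gateway IP.
SAMPLE_PHASE1 = [
    {"descr": "SiteA via WAN1", "interface": "wan",  "remote_gateway": "111.222.0.1"},
    {"descr": "SiteA via WAN2", "interface": "opt1", "remote_gateway": "sitea.example.invalid"},
]

# Constructed stand-in for DNS so the check runs offline.
FAKE_DNS = {"sitea.example.invalid": "111.222.0.1"}

# Constructed mapping from pfSense interface names to FreeBSD netif names.
IFACE_TO_NETIF = {"wan": "em0", "opt1": "em1"}

# Constructed excerpt of `netstat -rn` on Site B after both P1s are enabled:
# only one host route (H flag) to the peer exists, and it points out em0 (WAN1).
SAMPLE_NETSTAT = """\
Destination        Gateway            Flags     Netif Expire
default            123.123.0.1        UGS         em0
111.222.0.1        123.123.0.1        UGHS        em0
123.123.0.0/24     link#1             U           em0
101.101.0.0/24     link#2             U           em1
"""


def resolve(gateway, dns=FAKE_DNS):
    """Return the literal IP for an address or hostname, or None if unknown."""
    try:
        return str(ipaddress.ip_address(gateway))
    except ValueError:
        return dns.get(gateway)


def find_conflicts(phase1s, dns=FAKE_DNS):
    """Map each peer IP that is configured on more than one interface to its P1 entries."""
    by_peer = defaultdict(list)
    for p1 in phase1s:
        ip = resolve(p1["remote_gateway"], dns)
        if ip is not None:
            by_peer[ip].append((p1["descr"], p1["interface"]))
    return {ip: entries for ip, entries in by_peer.items()
            if len({iface for _, iface in entries}) > 1}


def host_routes(netstat_text):
    """Parse `netstat -rn`-style output into {destination: netif} for host routes (H flag)."""
    routes = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "Destination":
            continue
        dest, _gateway, flags, netif = parts[:4]
        if "H" in flags:
            routes[dest] = netif
    return routes


def misrouted_peers(phase1s, netstat_text, dns=FAKE_DNS, iface_map=IFACE_TO_NETIF):
    """Return (descr, expected_netif, actual_netif) for P1s whose peer route
    leaves a different interface than the one the P1 is bound to."""
    routes = host_routes(netstat_text)
    bad = []
    for p1 in phase1s:
        ip = resolve(p1["remote_gateway"], dns)
        expected = iface_map.get(p1["interface"])
        actual = routes.get(ip)
        if actual != expected:
            bad.append((p1["descr"], expected, actual))
    return bad


if __name__ == "__main__":
    print("peers on more than one interface:", find_conflicts(SAMPLE_PHASE1))
    print("P1s whose peer route exits the wrong interface:",
          misrouted_peers(SAMPLE_PHASE1, SAMPLE_NETSTAT))
```

Running it against the constructed data reports `111.222.0.1` as configured on both `wan` and `opt1`, and flags "SiteA via WAN2" because its peer route exits `em0` rather than `em1`, which is exactly the symptom seen in the states table in the first post. On a real box the `netstat -rn` text would come from the firewall and the interface mapping from its own assignments.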
        alifen

          @jimp said in 2.4.4 Multiple tunnels to same endpoint:

          When you make a P1 to a remote peer, it adds a static route to that peer out the chosen interface.

          Aha, that explains the behaviour!

          Forgive my naivety, but why is the static route required? Is there another mechanism we could use to make sure the connection exits via the right interface? I am imagining something similar to PBR but for host traffic...

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.