2.4.4 Multiple tunnels to same endpoint



  • Hi,

    I have some sites with two Internet connections, some sites with one. Let's just consider two sites for this example.

    • Site A has one Internet connection (WAN1: 111.222.0.1)
    • Site B has two Internet connections (WAN1: 123.123.0.2; WAN2: 101.101.0.3)

    Now that we have VTI with 2.4.4, I was hoping to have an IPSec connection between each endpoint constantly up and then just run dynamic routing to handle sending the traffic as links come up and down. The connections would be:

    • Site A, Connection 1 [111.222.0.1] >> Site B, Connection 1 [123.123.0.2]
    • Site A, Connection 1 [111.222.0.1] >> Site B, Connection 2 [101.101.0.3]

    However, it seems that I am limited to one IPSec tunnel per gateway IP. i.e. I can only have one connection to Site A [111.222.0.1] from Site B. The connections come up, but I can't pass any traffic on the second connection unless I take down the first.

    The GUI doesn't let me create two connections to the same gateway, so I am cheating and using a hostname that resolves to the IP. This was my first clue that what I want to do might not be supported!

    Digging into it, it seems from the states table that the problem is that the second connection from the WAN2 address is actually exiting the WAN1 interface.

    I can work around this by:

    1. Editing the gateway IP to something fake on the connection to Site A from Site B, Connection 1 so that the connection to Site A from Site B, Connection 2 comes up.

    2. Editing it back to the correct IP which, interestingly, brings Connection 1 back up without taking down Connection 2.

    Obviously, this is a rubbish workaround as any firewall state change or reboot of the system means I need to re-apply the workaround.

    My question is this: what would be involved in getting the state tracking to work correctly to support two connections to the same IP from different source IPs? Obviously, it is possible - I'd just like to get there in a repeatable, supportable way.

    If someone can give me some hints I am happy to do some work to test out a solution and suggest it formally as a feature via redmine...

    Thanks in advance!


  • Rebel Alliance Developer Netgate

    When you make a P1 to a remote peer, it adds a static route to that peer out the chosen interface.

    You can't have a static route out two interfaces, so it uses the first one.

    You must connect to a different IP address on the far side.
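    As an added illustration of the collision described in the reply above (this is not part of the thread and not pfSense code): a toy, destination-only routing table into which each P1 installs a /32 host route to its peer out the chosen interface. Addresses are the ones from the post; the interface names "wan1"/"wan2", the rule that a second route for the same /32 is rejected (as FreeBSD's `route add` does with "File exists"), and the source-based policy table used for comparison are all assumptions made for the example.

```python
"""
Toy model of why two IPsec P1s to the same remote address, started from
two different local WANs, fight over one host route.

Added example, not code from the forum thread or from pfSense. It assumes
the addresses from the post, interface names "wan1"/"wan2", and a
simplified FreeBSD-style table where a second route to the same /32 is
rejected and the first one wins.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]


class RoutingTable:
    """Destination-only forwarding table with longest-prefix match."""

    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, prefix: str, iface: str) -> bool:
        """Install a route. Return False and keep the existing entry when a
        route for exactly this destination prefix is already present."""
        net = ipaddress.ip_network(prefix)
        if any(existing == net for existing, _ in self.routes):
            return False
        self.routes.append((net, iface))
        return True

    def lookup(self, dst: str) -> Optional[str]:
        """Pick the egress interface for dst by longest prefix match.
        The packet's source address plays no part in this decision."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        if not matches:
            return None
        return max(matches, key=lambda r: r[0].prefixlen)[1]


class PolicyRoutingTable(RoutingTable):
    """Same table, but per-source rules are consulted before the table.
    This is the 'PBR for host traffic' idea; it is an assumed mechanism
    for comparison, not something pfSense does for its own peer routes."""

    def __init__(self) -> None:
        super().__init__()
        self.policy: List[Tuple[ipaddress.IPv4Address, str]] = []

    def add_policy(self, src: str, iface: str) -> None:
        self.policy.append((ipaddress.ip_address(src), iface))

    def lookup_from(self, src: str, dst: str) -> Optional[str]:
        saddr = ipaddress.ip_address(src)
        for rule_src, iface in self.policy:
            if rule_src == saddr:
                return iface
        return self.lookup(dst)


SITE_A_PEER = "111.222.0.1"   # Site A WAN1, from the post
SITE_B_WAN1 = "123.123.0.2"   # Site B WAN1, from the post
SITE_B_WAN2 = "101.101.0.3"   # Site B WAN2, from the post


def site_b_with_static_routes() -> RoutingTable:
    """Each P1 adds a /32 host route to its peer out its interface; the
    second add for the same peer loses to the first."""
    rt = RoutingTable()
    rt.add("0.0.0.0/0", "wan1")                   # default route out WAN1
    first = rt.add(f"{SITE_A_PEER}/32", "wan1")   # P1 #1: WAN1 -> Site A
    second = rt.add(f"{SITE_A_PEER}/32", "wan2")  # P1 #2: WAN2 -> Site A
    assert first and not second
    return rt


def egress_with_static_routes(src: str) -> Optional[str]:
    """Egress for an IKE/ESP packet to Site A. `src` is accepted only to
    make the point: a destination-only table ignores it, so the WAN2
    tunnel's packets also leave via WAN1 (the symptom in the post)."""
    return site_b_with_static_routes().lookup(SITE_A_PEER)


def egress_with_policy_routing(src: str) -> Optional[str]:
    """Same scenario with an assumed per-source rule for WAN2 traffic."""
    pr = PolicyRoutingTable()
    pr.add("0.0.0.0/0", "wan1")
    pr.add(f"{SITE_A_PEER}/32", "wan1")
    pr.add_policy(SITE_B_WAN2, "wan2")  # packets sourced from WAN2 leave via WAN2
    return pr.lookup_from(src, SITE_A_PEER)


if __name__ == "__main__":
    for src in (SITE_B_WAN1, SITE_B_WAN2):
        print(f"static : {src} -> {SITE_A_PEER} egress {egress_with_static_routes(src)}")
        print(f"policy : {src} -> {SITE_A_PEER} egress {egress_with_policy_routing(src)}")
```

Running it shows the WAN2-sourced tunnel egressing "wan1" under the static-route model and "wan2" once a source-based rule exists, which is the difference between what pfSense installs today and what the follow-up question asks about.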



  • @jimp said in 2.4.4 Multiple tunnels to same endpoint:

    When you make a P1 to a remote peer, it adds a static route to that peer out the chosen interface.

    Ah ha, that explains the behaviour!

    Forgive my naivety, but why is the static route required? Is there another mechanism we could use to make sure the connection exits via the right interface? I am imagining something similar to PBR but for host traffic...