How does IPsec order/prioritize tunnels?



  • I have a somewhat screwed-up setup (thanks Verizon!), so my default route ends up going out over an IPSec tunnel to a colocation service that acts as gateway for my class-C net.
    So I have one IPSec link with a peer net that's 0.0.0.0/0

    Yet I also need to have some IPSec tunnels to clients. Is there a way to ensure that the default link gets processed last, i.e. that IPSec doesn't try to route packets that should go to the client's private nets out the 0.0.0.0/0 link?

    The reason I'm asking is that I suspect that this may be part of the problem of rather glitchy connectivity to some clients' networks, even though I made sure it is listed before the "catch-all" default route IPsec tunnel.
    It seems that connectivity is more a matter of which tunnel becomes operational first rather than in which sequence they are listed.


  • Rebel Alliance Developer Netgate

    It may be how the SPDs are ordered, though I'm not sure there is any way to ensure the ordering of these unless you can absolutely ensure the order in which the tunnels actually establish (which is probably impossible in practice)
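A small Python model of the two SPD lookup behaviours this thread hinges on, added here as an illustration (not pfSense's or any kernel's own code; the tunnel names and subnets are constructed): with an insertion-ordered first-match SPD, a 0.0.0.0/0 selector installed first swallows traffic for the client subnets, whereas a longest-prefix SPD, or reinstalling the entries most-specific-first, selects the client tunnel; `shadowed_entries` flags the first case for a given install order.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class SpdEntry:
    name: str                    # tunnel the selector belongs to
    dst: ipaddress.IPv4Network   # remote (peer) network selector

# Constructed SPD mirroring the thread: the catch-all colo tunnel is
# installed first, then two client tunnels with more specific peer nets.
SPD = [
    SpdEntry("colo-default", ipaddress.ip_network("0.0.0.0/0")),
    SpdEntry("client-a", ipaddress.ip_network("10.20.0.0/16")),
    SpdEntry("client-b", ipaddress.ip_network("192.168.50.0/24")),
]

def lookup_first_match(spd, dst_ip):
    """Insertion-ordered SPD: the first selector that matches wins."""
    ip = ipaddress.ip_address(dst_ip)
    for e in spd:
        if ip in e.dst:
            return e.name
    return None

def lookup_longest_prefix(spd, dst_ip):
    """Specificity-based SPD: the most specific matching selector wins."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [e for e in spd if ip in e.dst]
    return max(matches, key=lambda e: e.dst.prefixlen).name if matches else None

def shadowed_entries(spd):
    """Entries a first-match SPD can never select because an earlier, wider
    selector fully covers them (the 0.0.0.0/0-installed-first problem)."""
    out = []
    for i, e in enumerate(spd):
        for earlier in spd[:i]:
            if e.dst.subnet_of(earlier.dst):
                out.append((e.name, earlier.name))
                break
    return out

def order_by_specificity(spd):
    """Install order under which first-match behaves like longest-prefix:
    most specific selectors first, the catch-all last."""
    return sorted(spd, key=lambda e: e.dst.prefixlen, reverse=True)
```

Which of the two lookup behaviours a given platform's kernel actually implements, and whether install order is even controllable when tunnels come up in arbitrary sequence, is exactly the uncertainty the reply above points at.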

