Re: [IPsec] Can one IPsec SA be established via two internet ports on one device?

Paul Wouters <paul@nohats.ca> Tue, 20 November 2018 03:23 UTC

Date: Mon, 19 Nov 2018 22:23:42 -0500
From: Paul Wouters <paul@nohats.ca>
To: Linda Dunbar <linda.dunbar@huawei.com>
cc: IPsecME WG <ipsec@ietf.org>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F66B1CBE26@sjceml521-mbx.china.huawei.com>
Message-ID: <alpine.LRH.2.21.1811192213320.446@bofh.nohats.ca>
References: <4A95BA014132FF49AE685FAB4B9F17F66B1C8D3B@sjceml521-mbx.china.huawei.com> <06E267FB-9751-44FF-887D-E0A304A58C85@gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B1CBE26@sjceml521-mbx.china.huawei.com>
User-Agent: Alpine 2.21 (LRH 202 2017-01-01)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ipsec/IoPLkPG0UIgw0vvWJgfe_hfFeaU>
Subject: Re: [IPsec] Can one IPsec SA be established via two internet ports on one device?

On Mon, 19 Nov 2018, Linda Dunbar wrote:

> When you said “IPs are sourced loopbacks that are part of a prefix exported to the isp(s) in each site”,
> do you mean that the private Loopback addresses of CPE1 & CPE2 are routable in all four ISPs that
> connected to A1, A2, B1, B2?

And to clarify, assuming your IPsec connection does not cover the IPs
used on both endpoints, but instead is some kind of subnet behind your
servers, then you can use one IPsec SA. It does require some tricks if you
really want to limit it to one IPsec SA.

Remember that while you can choose which outgoing interface to use,
you cannot choose the incoming device, so it would be a poor load balance.

It is far easier to use two IPsec SAs that cover the same site-to-site
range.

On Linux, the easiest would be to set up two identical subnet-to-subnet
IPsec SAs with a different XFRM mark. Then create a VTI device for each
of these. Then you can use routing and traffic shaping/control to send
packets to one or the other VTI interface for load balancing. If one of
the links goes down, the interface goes down and it all goes over the
remaining interface. Libreswan and strongswan support this. For
libreswan, use:

# Two identical subnet-to-subnet conns; only the XFRM mark and the
# VTI device name differ, so each SA gets its own routable interface.
conn one
	[basic config]
	# mark=value/mask: tags this conn's XFRM policies/states, and becomes
	# the key of its VTI device
	mark=8/0xffffffff
	vti-interface=ispA
	# vti-routing=no: libreswan installs no routes over the VTI, you do
	vti-routing=no
	# vti-shared=no: the VTI device belongs to this conn alone
	vti-shared=no
conn two
	[basic config]
	mark=7/0xffffffff
	vti-interface=ispB
	vti-routing=no
	vti-shared=no

Then handle the routing/traffic control yourself.

Another solution for this is using MOBIKE, but then you are only using
one of the two in a failover type of scenario, and it is not doing any
kind of load balancing. Again libreswan and strongswan support this.

Paul
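An added example, not from Paul's message or from libreswan: the Linux-side routing that "handle the routing/traffic control yourself" leaves to the administrator, for the two VTI devices ispA and ispB from the config above. It installs a kernel multipath (ECMP) route to the remote site over both VTIs; the kernel marks a nexthop dead when its device goes down, which is the failover behaviour the message describes. The remote subnet 10.2.0.0/24 and the sysctl preparation are assumptions; the functions only print the commands, and the script applies them only when run as `./vti-ecmp.sh apply` as root.

```shell
#!/bin/sh
# Added example (not from the thread): spread site-to-site traffic over
# the two libreswan VTI devices with a multipath route.

REMOTE_NET="${REMOTE_NET:-10.2.0.0/24}"   # assumed remote site subnet
VTI_A="${VTI_A:-ispA}"                     # vti-interface of conn one
VTI_B="${VTI_B:-ispB}"                     # vti-interface of conn two

# Print the multipath route command. Weights skew the split (e.g. 3/1
# for a faster ISP); a nexthop whose device goes down is skipped.
multipath_route_cmd() {
    net=$1; ifa=$2; ifb=$3; wa=${4:-1}; wb=${5:-1}
    printf 'ip route replace %s nexthop dev %s weight %s nexthop dev %s weight %s\n' \
        "$net" "$ifa" "$wa" "$ifb" "$wb"
}

# Per-VTI preparation: bring the device up, stop the kernel from
# re-applying XFRM policy to already-decrypted packets leaving the VTI,
# and relax reverse-path filtering so replies arriving on either VTI
# are accepted (assumed settings; libreswan's updown script may already
# set them, repeating them is harmless).
vti_prep_cmds() {
    for dev in "$@"; do
        printf 'ip link set %s up\n' "$dev"
        printf 'sysctl -w net.ipv4.conf.%s.disable_policy=1\n' "$dev"
        printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$dev"
    done
}

# Hash on the L4 5-tuple (policy 1) so a TCP session sticks to one SA
# instead of one SA per src/dst address pair (policy 0, the default).
fib_hash_cmd() {
    printf 'sysctl -w net.ipv4.fib_multipath_hash_policy=%s\n' "${1:-1}"
}

apply_all() {
    {
        vti_prep_cmds "$VTI_A" "$VTI_B"
        fib_hash_cmd 1
        multipath_route_cmd "$REMOTE_NET" "$VTI_A" "$VTI_B"
    } | sh -e
}

case "${1:-}" in
    apply) apply_all ;;
    *) vti_prep_cmds "$VTI_A" "$VTI_B"; fib_hash_cmd 1
       multipath_route_cmd "$REMOTE_NET" "$VTI_A" "$VTI_B" ;;
esac
```

Traffic shaping (tc) can then be attached to ispA and ispB individually, since each VTI is an ordinary network device.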