
Solved

Change order of route matching in Linux

Posted on 2009-04-08
887 Views
Last Modified: 2012-05-06
Hello, do you know if it is possible to change the matching order for traffic?

I need to be able to change the matching order for VPN route policies.

Currently the local routing tables are processed first ('ip rule show' etc), and then NETKEY based IPSec VPN policies are matched.

I need to be able to define a backup static route (to provide redundancy to the VPNs) in the local routing tables that is matched AFTER the VPN route policies.

For example, if the IPSec (NETKEY based) VPN is established the VPN route policy will match first and the traffic will be routed through the tunnel etc.

If the IPSec VPN is NOT established, the traffic will NOT match any VPN route policy and the traffic will be routed via the local routing table instead.

How can this be done?

I am amazed that when NETKEY was being developed, it was designed with a total disregard for VPN redundancy. Hence I am trying to do this to provide a backup route for failed VPNs.

Does anyone know if there is a bulletin board or a specific community which develops the NETKEY libraries so I can ask this question there if no one here knows an answer?

Thanks in advance.
Question by:MonitorSupport
8 Comments
 

Author Comment

by:MonitorSupport
ID: 24096935
Alternatively and probably a better solution, would be to add the backup route to the 'Security Policy' table, instead of changing the matching orders.

'ip xfrm policy list' shows you the current security policies, as created by openswan when VPNs establish.

How can I use 'ip xfrm policy add ...' to insert the necessary backup 'Security Policy' to act as backup route when the openswan VPN tunnel policy is not in place?

Thanks in advance.
LVL 79

Expert Comment

by:arnold
ID: 24105862
Are you working on some appliance that runs under the linux OS?
I think the same vendor had a different VPN handling mechanism that supported what you need in kernel 2.4 but not in 2.6.

Author Comment

by:MonitorSupport
ID: 24106431
Hello,
Yes this is a Linux appliance.

In 2.4 it was easy as KLIPS was used, which created IPSecX interfaces where X is a unique number etc. This then allowed for addition of local routing table entries.

However 2.6 uses NETKEY which has no regard for redundancy whatsoever as there are no IPSecX interfaces (meaning no backup routes and no ability to advertise established VPNs via dynamic routing). Instead the routing is done at a Security Policy level by the addition of an entry in the SPDB when the tunnel comes up (and deleted when the tunnel goes down).

As such I need to add a route to the bottom of the SPDB to act as a redundant path for a VPN.

Cheers for your time.
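The two comments above ask how to append a backup route to the SPDB with 'ip xfrm policy add'. The following is an added example, not code from the thread, from openswan or from the NETKEY stack, and it takes a different route than the one asked for: an xfrm policy carries a selector and transform templates (tmpl ... mode tunnel), not a next hop, so a policy without a tunnel template only means "send this selector unprotected" and cannot steer packets anywhere. The fallback therefore has to live in the ordinary routing table, and the script keeps it there only while no outbound tunnel policy covers the LAN pair, relying on what the author describes: openswan installs the SPD entry when the tunnel comes up and deletes it when it goes down. The subnets, next hop, metric and the 'ip xfrm policy' samples are all constructed for the example; it assumes iproute2's 'ip xfrm policy' and 'ip route'.

```shell
#!/bin/sh
# Added example (not from the thread): keep a backup static route for a remote LAN
# in the main routing table only while no NETKEY/xfrm tunnel policy covers it.
# The Security Policy Database selects transforms (tmpl ... mode tunnel) for a
# selector; it carries no next hop, so the fallback has to live in the routing table.
# All addresses below are hypothetical (RFC 5737 / private ranges).

LOCAL_NET="10.1.0.0/24"     # hypothetical LAN behind this gateway
REMOTE_NET="10.2.0.0/24"    # hypothetical LAN behind the VPN peer
BACKUP_GW="192.0.2.254"     # hypothetical next hop for the fallback path
BACKUP_METRIC=200           # keep the fallback below any primary route

# tunnel_policy_present SRC DST
# Reads 'ip xfrm policy' output on stdin. Exit 0 if an outbound policy whose
# selector is exactly "src SRC dst DST" carries a tunnel-mode template, else 1.
# Inbound and forward policies for the same pair do not count.
tunnel_policy_present() {
    awk -v want_src="$1" -v want_dst="$2" '
        /^src /                        { sel = ($2 == want_src && $4 == want_dst); out = 0; next }
        sel && $1 == "dir"             { out = ($2 == "out"); next }
        sel && out && /mode tunnel/    { found = 1 }
        END                            { exit (found ? 0 : 1) }
    '
}

# backup_route_action SRC DST
# Reads 'ip xfrm policy' output on stdin; prints "del" when the tunnel policy is
# installed (fallback must go) or "add" when it is absent (fallback needed).
backup_route_action() {
    if tunnel_policy_present "$1" "$2"; then echo del; else echo add; fi
}

# sync_backup_route: apply the decision to the live routing table (needs root).
sync_backup_route() {
    case "$(ip xfrm policy | backup_route_action "$LOCAL_NET" "$REMOTE_NET")" in
        add) ip route replace "$REMOTE_NET" via "$BACKUP_GW" metric "$BACKUP_METRIC" ;;
        del) ip route del "$REMOTE_NET" via "$BACKUP_GW" metric "$BACKUP_METRIC" 2>/dev/null || true ;;
    esac
}

# Constructed sample of 'ip xfrm policy' output with the tunnel up: openswan-style
# policies for both directions plus the default socket policy.
SAMPLE_UP='src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 2344
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp reqid 16385 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 2344
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0'

# Constructed sample with the tunnel down: openswan has removed its policies.
SAMPLE_DOWN='src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0'

# Dry run against the samples; pass --apply to touch the real routing table.
if [ "${1:-}" = "--apply" ]; then
    sync_backup_route
else
    printf 'tunnel up:   backup route -> %s\n' "$(printf '%s\n' "$SAMPLE_UP"   | backup_route_action "$LOCAL_NET" "$REMOTE_NET")"
    printf 'tunnel down: backup route -> %s\n' "$(printf '%s\n' "$SAMPLE_DOWN" | backup_route_action "$LOCAL_NET" "$REMOTE_NET")"
fi
```

Run it with --apply from a periodic job or from the connection's updown hook (openswan's leftupdown= setting) so the route follows the tunnel state. One caveat a practitioner should weigh before using it: the fallback sends the LAN-to-LAN traffic in the clear across the backup next hop, so it is only appropriate where that path is itself trusted or separately protected. Where it is not, replace the "add" action with a blackhole route (ip route replace blackhole "$REMOTE_NET") so that a down tunnel fails closed instead of leaking plaintext.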
LVL 79

Expert Comment

by:arnold
ID: 24106523
You should search EE, I think there was another similar issue where the user had TWO of those appliances (multi-WAN) and needed to setup a route between the two in the event a VPN from one dies so the load balanced traffic from the LAN will get to its destination.
http://www.experts-exchange.com/OS/Linux/Q_24156403.html

Author Comment

by:MonitorSupport
ID: 24107259
Hi Arnold, that post was one of ours!

This is actually a continuation of the same problem however this time I am specifically trying to work out how to insert a Security Policy based route to implement your idea of a backup route.

Cheers, Andy.
LVL 79

Expert Comment

by:arnold
ID: 24108090
:)

Good luck.

Accepted Solution

by: MonitorSupport (earned 0 total points)
ID: 24592898
We purchased a different appliance (Draytek 5510) which supports the advertisement of dynamic routing for established VPNs!!!

Arnold thank you for all your time and help.
LVL 79

Expert Comment

by:arnold
ID: 24598905
I would think that the different approaches taken to address your question led to the solution which was to buy the requisite equipment to meet your needs.