Re: [Users] Load balance in VPN

On Tue, 18 Feb 2003, Silvio Luis Leite wrote:

>>I have a situation that I want to implement two Linux Box with a FreesWan to
>>share the same Internet connection.
>>
>>I was instaled both Linux Box with Freeswan 1.99 (called lxFS1 and lxFS2).
>>I have a Internet connection over ADSL in a single valid IP. My ADSL do not
>>have NAT, only port-forward.

> The requirements is If source VPN packet is from X, Y, Z then use
> lxFS1; or if source packet is
> from Q, W, E, R then use lxFS2.

Ken Bantoft wrote:

> You will probably need iproute2 rules to achieve this - policy > routing based on both source and destination.

That would do it.

Standard old NAT can't possibly do it.
What people call NAT should probably be called NAPT -- network address and port translation. It ain't gonna work for ESP, since that's a portless protocol.

This explains the observation that IKE msgs worked fine but ESP didn't get through.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related lists.freeswan.org Links 1998-fall 1998-spring 1998-summer 1998-winter 1999-winter announce briefs bugs design freeswan-list hipsec ietf-sectest users users-admin Request more information about Pantek

There is one huge question that needs to be answered: why bother with any of this? For pocket-change you can buy a CPU that is more than powerful enough to keep up with any ADSL line. So why use two? There cannot be any increase in throughput. There cannot be any increase in reliability. In fact the proposed design just decreases reliability.