2

I'm trying to set up the "Option 3" configuration for Google Cloud VPN, with two Google Cloud VPN gateways on the left and StrongSWAN or OpenSWAN on the right:


If you have two Peer VPN gateways and two Compute Engine VPN gateways, each Compute Engine VPN gateway can have a tunnel pointing at each Peer VPN gateway public IP, giving you four load balanced tunnels between the VPN gateway thereby potentially increasing 4x times the bandwidth.

Problem is, as far as I can tell doing this in an active/active configuration (both tunnels serving traffic) requires that both peer gateways have the same rightsubnet, which causes the second tunnel to barf with "route already in use":

Sep 14 15:44:02 test-vpn ipsec: 002 added connection description "google1"
Sep 14 15:44:02 test-vpn ipsec: 002 added connection description "google2"
Sep 14 15:44:02 test-vpn ipsec: 003 "google2": cannot route -- route already in use for "google1"
Sep 14 15:44:02 test-vpn ipsec: 025 "google2": could not route

Is there any way to support this config with StrongSWAN, OpenSWAN or another software VPN package? I see StrongSWAN has an experimental High Availability mode, but this looks fiddly and doesn't appear to be compatible.
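The conflict in the log above can be spotted before the tunnels are loaded. The following is an added example, not part of the original post: it parses an `ipsec.conf`-style file and reports connections that share a `rightsubnet`, assuming (as the question describes) that this is what triggers "route already in use". The sample addresses, subnets and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample, modelled on the two connections named in the log above.
SAMPLE_CONF = """\
conn %default
    leftsubnet=10.10.0.0/16

conn google1
    right=203.0.113.10
    rightsubnet=10.240.0.0/16   # same remote subnet ...

conn google2
    right=203.0.113.20
    rightsubnet=10.240.0.0/16   # ... reached through a second peer

conn office
    right=198.51.100.7
    rightsubnet=192.168.50.0/24
"""

def parse_conns(text):
    """Return {conn_name: {key: value}}, with 'conn %default' values inherited."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        m = re.match(r"conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    defaults = conns.pop("%default", {})
    return {name: {**defaults, **opts} for name, opts in conns.items()}

def route_conflicts(text):
    """Map each normalised rightsubnet to the connections claiming it (2+ only)."""
    groups = defaultdict(list)
    for name, opts in parse_conns(text).items():
        if "rightsubnet" in opts:
            groups[str(ip_network(opts["rightsubnet"], strict=False))].append(name)
    return {subnet: names for subnet, names in groups.items() if len(names) > 1}

if __name__ == "__main__":
    for subnet, names in route_conflicts(SAMPLE_CONF).items():
        print(f"{subnet}: shared by {', '.join(names)}")
```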

1 Answer

3

As you may have noticed in option 1 and option 2 of the increasing VPN throughput article, the Compute Engine VPN gateway or network automatically load balances the traffic to Peer VPN gateway(s).

For option 3, you will need to create a cluster of your VPN gateways to run load balancing for your IPsec VPN gateways.

As you mentioned, this can be done using the load sharing cluster feature of StrongSwan, or you can set up a load balancer (like HAProxy) to distribute workloads from your remote network across peer VPN gateways.
