We used to have one VPN tunnel over one Internet connection, connecting two datacenters into one virtual LAN (10.x.x.x). It was very simple with route tables etc.
Now that we have added another tunnel on the second, independent physical connection, it becomes very difficult to handle routing. It's easy enough to route everything over the new connection, but what if we want to route only specific host-to-host or subnet-to-subnet traffic?
e.g.
client1-site1 <--> vpn-on-site1 <--tun1--> vpn-on-site2 <--> service1-on-site2
client2-site1 <--> vpn-on-site1 <--tun2--> vpn-on-site2 <--> service2-on-site2
Note that there is only one VPN node on each side. What we managed to do is get packets routed properly from client2-site1 to service2-on-site2, but the returning packets sometimes go via tun1...
You need ip rules + iptables and ip route tables. Two route tables:
When a packet is received on tun1 -> iptables mangle marks it as 0x1, then an ip rule routes it via mark 0x1 to the first route table. So when the answer is given, the packet will go via the interface it was received on, not the default one.
Same logic for tun2.
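The mark-and-policy-route setup this answer describes, written out as an added example (it is not part of the original post). It assumes a Linux VPN node with two point-to-point tunnel interfaces named tun1 and tun2, iptables and iproute2 installed, mark values 0x1/0x2 and table numbers 1/2; the connection mark is saved in conntrack so that reply packets of a flow inherit the mark of the tunnel the flow entered on. By default (DRY_RUN=1) the script only prints the commands so they can be reviewed before being applied as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed names: tun1, tun2,
# marks 0x1/0x2, routing tables 1/2. DRY_RUN=1 (default) prints commands only.

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# policy_route_tunnel IFACE MARK TABLE
# Tag connections entering through IFACE with MARK and give them a routing
# table whose only route points back out through IFACE.
policy_route_tunnel() {
    iface="$1" mark="$2" table="$3"
    # Only packets that carry no mark yet (the first packet of a connection)
    # get tagged; later packets already have the mark restored from conntrack.
    run iptables -t mangle -A PREROUTING -i "$iface" -m mark --mark 0 -j MARK --set-mark "$mark"
    # Marked packets consult the per-tunnel table before the main table.
    run ip rule add fwmark "$mark" lookup "$table" priority "$((100 * $table))"
    # Replies of a flow that arrived on this tunnel leave through the same tunnel.
    run ip route add default dev "$iface" table "$table"
    # Strict reverse-path filtering (1) drops asymmetric flows; loose mode (2)
    # still rejects spoofed sources that are not reachable via any interface.
    run sysctl -w "net.ipv4.conf.$iface.rp_filter=2"
}

# setup_policy_routing TUN1 TUN2
setup_policy_routing() {
    # First restore a saved connection mark onto every packet, forwarded
    # (PREROUTING) or generated by the VPN node itself (OUTPUT)...
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    policy_route_tunnel "$1" 0x1 1
    policy_route_tunnel "$2" 0x2 2
    # ...then save the (possibly newly set) mark back into conntrack so the
    # reverse direction of the connection is routed via the same tunnel.
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    run iptables -t mangle -A OUTPUT -j CONNMARK --save-mark
}

setup_policy_routing "${1:-tun1}" "${2:-tun2}"
```

Run the same script on the VPN node at both sites; each side then answers through the tunnel a connection came in on, which is exactly the behaviour the question is missing for the return path. Traffic the VPN node originates itself is not marked by PREROUTING, so it still follows the main table.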
I don't know if this helps, but also try rp_filter=0 (this kernel option makes it answer on the interface the packet was received on; it helps with LANs).
I've done something similar; here is an article I found and reposted on my old LJ. Haven't found the source yet.
Check this article, I've reposted it on LJ.