[Swan] Failover between VPNs going to the same subnet.

Paul Wouters paul at nohats.ca
Thu Jan 14 19:28:36 UTC 2016

On Thu, 14 Jan 2016, François wrote:

> My "destination" server has two WANs, and I want to create two ipsec tunnels 
> from the "source" to each of these WANs, and have failover in case one of the 
> destination WANs goes down. The src and dst subnets would be the same in both 
> tunnels.
> I was wondering what would be the recommended way to configure this type of 
> failover. Ideally both tunnels would be connected, and if one goes down the 
> secondary tunnel would take over immediately while the first tunnel tries to 
> reconnect (with dead-peer-detection or similar).

You can use the new mark= option to install identical IPsec SAs without
these conflicting. Using DPD to ensure broken tunnels are torn down should
then cause the failover to the other IPsec SA.

This might still need some support in _updown.netkey.

> Maybe some external script could detect failures and quickly change routes. 
> I'm using NETKEY though, so not sure if it can be done with "ip xfrm" and such 
> tools. Would I have to switch to KLIPS to have this type of flexibility 
> (being able to use "ip route" tools instead)?

No, don't use ip xfrm directly or KLIPS.
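As an added illustration of the setup described above (example config written for this page, not from the original post or from the libreswan project): two conns from the same "source" host to both WAN addresses of the "destination", sharing identical leftsubnet/rightsubnet selectors and kept apart in the kernel by distinct mark= values, with DPD set to tear down and restart a dead tunnel. All addresses, conn names and the mark values are assumptions chosen for illustration; the option names are those of libreswan at the time of this thread and should be checked against the ipsec.conf(5) of the version in use.

```ini
# Added example, not part of the original post. Addresses and names are
# placeholders; check option names against your libreswan version.
config setup
        protostack=netkey

# Common settings shared by both tunnels. The selectors are identical,
# which is exactly what would conflict without the mark= option.
conn site-common
        leftsubnet=10.1.0.0/24
        rightsubnet=10.2.0.0/24
        authby=secret
        # DPD: probe every 10s, declare the peer dead after 30s of silence,
        # tear the SA down and keep retrying so it returns when the WAN does.
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart
        auto=start

# Tunnel to the destination's first WAN address.
conn dst-wan1
        left=203.0.113.10
        right=198.51.100.1
        # value/mask: only packets carrying fwmark 1 use this policy/SA
        mark=1/0xffffffff
        also=site-common

# Tunnel to the destination's second WAN address, same selectors, other mark.
conn dst-wan2
        left=203.0.113.10
        right=198.51.100.2
        mark=2/0xffffffff
        also=site-common
```

Because each policy is installed with a mark/mask, the kernel only sends packets that carry the matching fwmark through that tunnel; unmarked traffic matches neither. Steering traffic to one of the two marks (an iptables or nftables MARK rule on the source host) and moving it to the other mark when DPD tears a tunnel down is the piece the example does not include, and is what the remark about needing support in _updown.netkey refers to.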


