[Swan] Failover between VPNs going to the same subnet.
François
fdelawarde at wirelessmundi.com
Fri Jan 15 15:29:18 UTC 2016
Hi Paul,
I get the first part to be able to avoid conflicts using mark=, and use
DPD and _updown scripts to switch from one tunnel to another if needed.
Question is what exactly I should do in the _updown script to switch
routing to secondary tunnel?
Also, do you mean KLIPS is dead? It was my best hope!
Thanks,
François.
On 2016-01-14 20:28, Paul Wouters wrote:
> On Thu, 14 Jan 2016, François wrote:
>
>> My "destination" server has two WANs, and I want to create two ipsec
>> tunnels from the "source" to each of these WANs, and have failover in
>> case one of the destination WANs goes down. The src and dst subnets
>> would be the same in both tunnels.
>>
>> I was wondering what would be the recommended way to configure this
>> type of failover. Ideally both tunnels would be connected, and if one
>> goes down the secondary tunnel would take over immediately while the
>> first tunnel tries to reconnect (with dead-peer-detection or similar).
>
> You can use the new mark= option to install identical IPsec SA's without
> these conflicting. Use DPD to ensure broken tunnels are torn down should
> then cause the failover to the other IPsec SA.
>
> This might still need some support in _updown.netkey.
>
>> Maybe some external script could detect failures and quickly change
>> routes. I'm using NETKEY tho, so not sure if it can be done with "ip
>> xfrm" and such tools. Would I have to switch to KLIPS to have this
>> type of flexibility (being able to use "ip route" tools instead)?
>
> No, don't use ip xfrm directly or KLIPS.
>
> Paul
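One way to act on the question above (what a custom updown script could do once mark= keeps the two identical SAs apart and DPD tears down the dead one), as an added example that is not code from this thread or from libreswan: the conn names wan1/wan2, their marks, the VPN_FAILOVER chain and the state directory are assumptions; PLUTO_VERB, PLUTO_CONNECTION and PLUTO_PEER_CLIENT are the variables pluto exports to updown scripts.

```shell
#!/bin/sh
# Added example, not code from the thread or from libreswan. Assumes conns "wan1"
# (mark=1) and "wan2" (mark=2) with identical subnets, so the fwmark on a packet
# decides which of the two identical SAs carries it; this helper moves that fwmark
# to the best tunnel that is up. A leftupdown= script would run _updown.netkey first.

STATE_DIR="${STATE_DIR:-/run/vpn-failover}"   # one flag file per tunnel that is up
PRIORITY="${PRIORITY:-wan1 wan2}"              # most preferred conn first
RUN="${RUN:-}"                                 # set RUN=: for a dry run (no iptables)

mark_for_conn() { case "$1" in wan1) echo 1 ;; wan2) echo 2 ;; *) return 1 ;; esac; }

# Print the highest-priority conn ($1) that is in the up list ($2); fail if none is.
select_active() {
    for c in $1; do
        for u in $2; do
            [ "$c" = "$u" ] && { echo "$c"; return 0; }
        done
    done
    return 1
}

# Rebuild the VPN_FAILOVER chain: mark traffic to subnet $2 for conn $1, or DROP it
# when $1 is "none", so nothing for the remote subnet leaves in clear with no SA up.
apply_mark() {
    $RUN iptables -t mangle -N VPN_FAILOVER 2>/dev/null || $RUN iptables -t mangle -F VPN_FAILOVER
    if [ "$1" = none ]; then
        $RUN iptables -t mangle -A VPN_FAILOVER -d "$2" -j DROP
    else
        $RUN iptables -t mangle -A VPN_FAILOVER -d "$2" -j MARK --set-mark "$(mark_for_conn "$1")"
    fi
    for chain in OUTPUT PREROUTING; do           # local and forwarded traffic, idempotent
        $RUN iptables -t mangle -C "$chain" -j VPN_FAILOVER 2>/dev/null \
            || $RUN iptables -t mangle -A "$chain" -j VPN_FAILOVER
    done
}

# $1 = PLUTO_VERB, $2 = PLUTO_CONNECTION, $3 = PLUTO_PEER_CLIENT; prints the active conn.
handle_event() {
    mkdir -p "$STATE_DIR"
    case "$1" in
        up-client)   touch "$STATE_DIR/$2" ;;
        down-client) rm -f "$STATE_DIR/$2" ;;
        *)           return 0 ;;               # prepare-*/route-* verbs need no action
    esac
    active=$(select_active "$PRIORITY" "$(ls "$STATE_DIR")") || active=none
    apply_mark "$active" "$3"
    echo "$active"
}
[ -z "${PLUTO_VERB:-}" ] || handle_event "$PLUTO_VERB" "$PLUTO_CONNECTION" "$PLUTO_PEER_CLIENT" >/dev/null
```

The DROP rule while no tunnel is up is the part worth keeping whatever else changes: once pluto removes a conn's policy, unmarked packets for the remote subnet would otherwise leave the box in clear.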