[Swan] Help with failover
Eduardo Oliveira
eduardo.oliveira at gerencianet.com.br
Tue Apr 11 19:41:38 UTC 2017
Hi all,
I'm trying to create a connection between my local and AWS VPC with failover or HA using libreswan, but I don't know how to do it.
Try #1: Just create 2 tunnels, bring both up and wait for success. Fail.
When I bring up tunnel 1, it works well. But the second tunnel fails because it is not possible to add 2 routes to the same subnet at the same time. Log:
117 "aws-t2" #5: STATE_QUICK_I1: initiate
003 "aws-t2" #5: cannot install eroute -- it is in use for "aws-t1" #3
032 "aws-t2" #5: STATE_QUICK_I1: internal error
Try #2: Use the "overlapip" and "metric" options. In my brain it would work because both tunnels have equal routes, but with different metrics. Fail.
When both tunnels were up, the packages went up using one tunnel and down using another. I don't know why, but the packages were not forwarded.
Try #3: Find some feature to configure a failover. When one tunnel goes down, the other comes up. Fail.
I didn't find how to do this.
Can someone help me?
=================================
Config files:
------ Try #1 ---------
conn aws-t1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=LOCAL_IP_1
    right=AWS_Peer_1
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    auth=esp
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=0.0.0.0/0
    rightsubnet=172.21.0.0/16
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart_by_peer

conn aws-t2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=LOCAL_IP_1
    right=AWS_Peer_2
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    auth=esp
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=0.0.0.0/0
    rightsubnet=172.21.0.0/16
    dpddelay=5
    dpdtimeout=10
    dpdaction=restart_by_peer
------ Try #2 ---------
conn aws-t1
    [...] # Same as try #1
    metric=1
    overlapip=yes

conn aws-t2
    [...] # Same as try #1
    metric=2
    overlapip=yes
--
Eduardo Fontinelle
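
Added example, not part of the original post and not libreswan code: a small pre-flight check that parses ipsec.conf-style text and reports conn pairs whose leftsubnet/rightsubnet pairs overlap, the condition behind the "cannot install eroute -- it is in use" error in Try #1. The function names and the reduced sample config are constructed for illustration; `conn %default` inheritance and `also=` are not resolved.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the two conns from Try #1, reduced to the relevant keys.
SAMPLE_CONF = """\
conn aws-t1
    left=%defaultroute
    right=AWS_Peer_1
    leftsubnet=0.0.0.0/0
    rightsubnet=172.21.0.0/16

conn aws-t2
    left=%defaultroute
    right=AWS_Peer_2
    leftsubnet=0.0.0.0/0
    rightsubnet=172.21.0.0/16
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("conn "):
            current = conns.setdefault(line.split(None, 1)[1], {})
        elif line.startswith("config "):
            current = None                    # skip "config setup" options
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def overlapping_selectors(conns):
    """Return (a, b) name pairs whose left and right subnets both overlap."""
    def nets(opts):
        return tuple(ipaddress.ip_network(opts[k], strict=False)
                     for k in ("leftsubnet", "rightsubnet"))
    named = {n: nets(o) for n, o in conns.items()
             if "leftsubnet" in o and "rightsubnet" in o}
    return [(a, b) for (a, na), (b, nb) in combinations(sorted(named.items()), 2)
            if na[0].overlaps(nb[0]) and na[1].overlaps(nb[1])]

if __name__ == "__main__":
    for a, b in overlapping_selectors(parse_conns(SAMPLE_CONF)):
        print(f"{a} and {b} have overlapping subnet pairs")
```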