[Swan] Help with failover

Paul Wouters paul at nohats.ca
Tue Apr 11 20:12:27 UTC 2017


https://libreswan.org/wiki/High_Availability_/_Failover_VPN_in_AWS_using_libreswan

Or look at VTI 

https://libreswan.org/wiki/Route-based_VPN_using_VTI

Sent from my iPhone

> On Apr 11, 2017, at 15:41, Eduardo Oliveira <eduardo.oliveira at gerencianet.com.br> wrote:
> 
> Hi all,
> 
> 
> I'm trying to create a connection between my local and AWS VPC with failover or HA using libreswan, but I don't know how to do it. 
> 
> 
> Try #1: Just create 2 tunnels, bring both up and wait for success. Fail.
> 
> When I bring up tunnel 1, it works well. But the second tunnel fails because it is not possible to add 2 routes to the same subnet at the same time. Log:
> 
> 
> 117 "aws-t2" #5: STATE_QUICK_I1: initiate
> 003 "aws-t2" #5: cannot install eroute -- it is in use for "aws-t1" #3
> 032 "aws-t2" #5: STATE_QUICK_I1: internal error
> 
> Try #2: use the "overlapip" and "metric" options. In my head this would work because both tunnels have equal routes but different metrics. Fail.
> When both tunnels were up, packets went out using one tunnel and came back using the other. I don't know why, but the packets were not forwarded.
> 
> 
> 
> 
> 
> Try #3: find some feature to configure a failover. When one tunnel goes down, the other comes up. Fail.
> 
> I didn't find how to do this.
> 
> 
> 
> Can someone help me?
> 
> 
> 
> =================================
> 
> Config files:
> 
> ------ Try #1 ---------
> 
> conn aws-t1
>         authby=secret
>         auto=start
>         left=%defaultroute
>         leftid=LOCAL_IP_1
>         right=AWS_Peer_1
>         type=tunnel
>         ikelifetime=8h
>         keylife=1h
>         phase2alg=aes128-sha1;modp1024
>         ike=aes128-sha1;modp1024
>         auth=esp
>         keyingtries=%forever
>         keyexchange=ike
>         leftsubnet=0.0.0.0/0
>         rightsubnet=172.21.0.0/16
>         dpddelay=5
>         dpdtimeout=10
>         dpdaction=restart_by_peer
> conn aws-t2
>         authby=secret
>         auto=start
>         left=%defaultroute
>         leftid=LOCAL_IP_1
>         right=AWS_Peer_2
>         type=tunnel
>         ikelifetime=8h
>         keylife=1h
>         phase2alg=aes128-sha1;modp1024
>         ike=aes128-sha1;modp1024
>         auth=esp
>         keyingtries=%forever
>         keyexchange=ike
>         leftsubnet=0.0.0.0/0
>         rightsubnet=172.21.0.0/16
>         dpddelay=5
>         dpdtimeout=10
>         dpdaction=restart_by_peer
> 
> 
> ------ Try #2 ---------
> 
> conn aws-t1
>         [...]  # Same as try #1
>         metric=1
>         overlapip=yes
>
> conn aws-t2
>         [...]  # Same as try #1
>         metric=2
>         overlapip=yes
> 
> --
> 
> Eduardo Fontinelle 
> 
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
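The `cannot install eroute -- it is in use for "aws-t1"` line in the quoted log is libreswan refusing to install a second kernel policy for a leftsubnet/rightsubnet pair that another conn already owns. The following pre-flight check is an added example, not code from the thread or from the libreswan project: it parses conn sections from ipsec.conf-style text and reports conns whose selector pair collides before `ipsec auto --up` is ever run. The sample configuration is constructed from the two conns quoted above. It assumes that conns carrying distinct `mark=` values (as the route-based VTI setups in Paul's second link use) do not collide, because their kernel policies are keyed by mark as well as by selector; conns without a subnet fall back to their `left`/`right` host value as the selector.

```python
"""Pre-flight check for libreswan ipsec.conf: find conn sections that would
compete for the same kernel policy (eroute) because they share a
leftsubnet/rightsubnet selector pair.

Added example for the mailing-list thread; not part of libreswan.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the two conns quoted in the thread.
SAMPLE_CONF = """\
conn aws-t1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=LOCAL_IP_1
        right=AWS_Peer_1
        leftsubnet=0.0.0.0/0
        rightsubnet=172.21.0.0/16
conn aws-t2
        authby=secret
        auto=start
        left=%defaultroute
        leftid=LOCAL_IP_1
        right=AWS_Peer_2        # only the peer differs
        leftsubnet=0.0.0.0/0
        rightsubnet=172.21.0.0/16
"""


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn NAME' section.

    Strips '#' comments, ignores blank lines and lines outside a conn
    section, and skips the '%default' template section.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        header = re.match(r"^conn\s+(\S+)\s*$", line)
        if header:
            current = header.group(1)
            if current == "%default":
                current = None
            else:
                conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip()
    return conns


def selector_pair(opts):
    """Selector pair libreswan installs for a conn.

    Without leftsubnet/rightsubnet the selector is the host address itself.
    """
    return (opts.get("leftsubnet", opts.get("left")),
            opts.get("rightsubnet", opts.get("right")))


def find_selector_conflicts(conns):
    """Return [(selector_pair, [conn names]), ...] for pairs claimed by more
    than one conn.  Assumption: conns that each carry a distinct 'mark=' are
    keyed by mark in the kernel and therefore do not collide.
    """
    by_pair = defaultdict(list)
    for name, opts in conns.items():
        by_pair[selector_pair(opts)].append(name)

    conflicts = []
    for pair, names in by_pair.items():
        if len(names) < 2:
            continue
        marks = [conns[n].get("mark") for n in names]
        if None in marks or len(set(marks)) < len(names):
            conflicts.append((pair, sorted(names)))
    return sorted(conflicts)


def report(conflicts):
    """Human-readable lines, one per conflicting selector pair."""
    return [
        f"selector {left} <-> {right} claimed by {', '.join(names)}: "
        "only one can install its eroute; use route-based (VTI/mark) "
        "conns or different subnets"
        for (left, right), names in conflicts
    ]


if __name__ == "__main__":
    for line in report(find_selector_conflicts(parse_conns(SAMPLE_CONF))):
        print(line)
```

Running it on the sample prints one line naming `aws-t1` and `aws-t2` for `0.0.0.0/0 <-> 172.21.0.0/16`, which is the situation the quoted log reports after the fact; the same check run over a copy of the file with per-conn marks reports nothing.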