[Swan] Help with failover
Paul Wouters
paul at nohats.ca
Tue Apr 11 20:12:27 UTC 2017
https://libreswan.org/wiki/High_Availability_/_Failover_VPN_in_AWS_using_libreswan
Or look at VTI
https://libreswan.org/wiki/Route-based_VPN_using_VTI
Sent from my iPhone
> On Apr 11, 2017, at 15:41, Eduardo Oliveira <eduardo.oliveira at gerencianet.com.br> wrote:
>
> Hi all,
>
> I'm trying to create a connection between my local network and an AWS VPC with failover or HA using libreswan, but I don't know how to do it.
>
> Try #1: Just create 2 tunnels, bring both up and wait for success. Fail.
>
> When I bring up tunnel 1, it works well. But the second tunnel fails because it is not possible to add 2 routes to the same subnet at the same time. Log:
>
> 117 "aws-t2" #5: STATE_QUICK_I1: initiate
> 003 "aws-t2" #5: cannot install eroute -- it is in use for "aws-t1" #3
> 032 "aws-t2" #5: STATE_QUICK_I1: internal error
>
> Try #2: use the "overlapip" and "metric" options. In my head this would work because both tunnels would have equal routes, but with different metrics. Fail.
> When both tunnels were up, the packets went out using one tunnel and came back using the other. I don't know why, but the packets were not forwarded.
>
> Try #3: find some feature to configure a failover. When one tunnel goes down, the other comes up. Fail.
>
> I didn't find how to do this.
>
> Can someone help me?
>
> =================================
>
> Config files:
>
> ------ Try #1 ---------
>
> conn aws-t1
>     authby=secret
>     auto=start
>     left=%defaultroute
>     leftid=LOCAL_IP_1
>     right=AWS_Peer_1
>     type=tunnel
>     ikelifetime=8h
>     keylife=1h
>     phase2alg=aes128-sha1;modp1024
>     ike=aes128-sha1;modp1024
>     auth=esp
>     keyingtries=%forever
>     keyexchange=ike
>     leftsubnet=0.0.0.0/0
>     rightsubnet=172.21.0.0/16
>     dpddelay=5
>     dpdtimeout=10
>     dpdaction=restart_by_peer
>
> conn aws-t2
>     authby=secret
>     auto=start
>     left=%defaultroute
>     leftid=LOCAL_IP_1
>     right=AWS_Peer_2
>     type=tunnel
>     ikelifetime=8h
>     keylife=1h
>     phase2alg=aes128-sha1;modp1024
>     ike=aes128-sha1;modp1024
>     auth=esp
>     keyingtries=%forever
>     keyexchange=ike
>     leftsubnet=0.0.0.0/0
>     rightsubnet=172.21.0.0/16
>     dpddelay=5
>     dpdtimeout=10
>     dpdaction=restart_by_peer
>
> ------ Try #2 ---------
>
> conn aws-t1
>     [...] # Same as try #1
>     metric=1
>     overlapip=yes
>
> conn aws-t2
>     [...] # Same as try #1
>     metric=2
>     overlapip=yes
>
> --
>
> Eduardo Fontinelle
>
>
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
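As an added example that is not part of this thread or of libreswan itself: a small Python check that parses ipsec.conf "conn" sections and flags pairs whose left/right subnet selectors overlap without both being marked overlapip=yes, which is the situation behind the "cannot install eroute -- it is in use for" failure in Try #1 above. The sample config is constructed from the placeholders in the quoted message; conns without an explicit subnet are assumed to be host-only and are skipped.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample resembling the Try #1 config from the thread (placeholders kept).
SAMPLE_CONF = """\
conn aws-t1
    left=%defaultroute
    right=AWS_Peer_1
    leftsubnet=0.0.0.0/0
    rightsubnet=172.21.0.0/16

conn aws-t2
    left=%defaultroute
    right=AWS_Peer_2
    leftsubnet=0.0.0.0/0
    rightsubnet=172.21.0.0/16
"""

def parse_conns(text):
    """Parse ipsec.conf 'conn' sections into {name: {key: value}}.
    A non-indented 'conn NAME' line starts a section; indented key=value
    lines belong to it. Comments after '#' are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
        elif current is not None and line[0].isspace() and "=" in line:
            key, value = line.strip().split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns

def overlapping(a, b):
    """True if both are valid CIDR selectors and they overlap (assumption:
    a missing or non-CIDR selector is treated as not comparable)."""
    try:
        return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))
    except (ValueError, TypeError):
        return False

def find_eroute_conflicts(conns):
    """Return conn-name pairs that would compete for the same eroute: both
    selectors overlap and the pair does not declare overlapip=yes on both
    sides (Try #2 in the thread relies on that flag to bring both up)."""
    conflicts = []
    for (n1, c1), (n2, c2) in combinations(conns.items(), 2):
        if (overlapping(c1.get("leftsubnet"), c2.get("leftsubnet"))
                and overlapping(c1.get("rightsubnet"), c2.get("rightsubnet"))
                and not (c1.get("overlapip") == "yes" and c2.get("overlapip") == "yes")):
            conflicts.append((n1, n2))
    return conflicts
```

Running it over a real ipsec.conf before bringing tunnels up shows which conn pairs will hit the eroute error, so the decision between overlapip or a route-based (VTI) design is made before the second tunnel fails.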