[Swan] Failover struggles

John Crisp jcrisp at safeandsoundit.co.uk
Thu Nov 23 23:44:13 UTC 2017


Hi,

I've been trying to get a failover setup running but can't get anything
reliable.

To explain.

I have a Libreswan server.

I have an Endian client using Strongswan.

The Endian box has two uplinks, one static and the backup double-NATed
DHCP (yuck).

The connections use certificates. I have the following Libre configs
(I've tried to leave out irrelevances)



conn LibreToDHCP
    type=tunnel
    authby=rsasig
    leftrsasigkey=%fromcert
    rightrsasigkey=%fromcert
    leftcert="LibreBackup"
    rightcert="Endian"
    auto=add
    dpdaction=clear
    dpddelay=10
    dpdtimeout=5
    left=%defaultroute
    leftid=%fromcert
    leftsourceip=192.168.100.1
    leftsubnet=192.168.100.0/24
    right=%any
    rightid=%fromcert
    rightsubnet=192.168.101.0/24


conn LibreToMain
    type=tunnel
    authby=rsasig
    leftrsasigkey=%cert
    rightrsasigkey=%cert
    leftcert="LibreMain"
    rightcert="Endian"
    auto=add
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    left=%defaultroute
    leftid=%fromcert
    leftsourceip=192.168.100.1
    leftsubnet=192.168.100.0/24
    right=1.2.3.4
    rightid=%fromcert
    rightsubnet=192.168.101.0/24

Clearly the Libre server cannot connect itself to the double natted DHCP
connection so I have left both connections as auto=add and tried to
leave Endian to handle starting the connections.

When the main link fails it brings up the backup. However, each
Endian ipsec connection has a specified uplink and doesn't failover, so
I have one connection configured for Main and one for DHCP, on the basis
that one will disconnect and the other connect.

The Endian box seems to only use one cert for outgoing connections (I
could be all wrong here).

No matter what combination of id/cert that I use, the Endian box
struggles to failover from Main to DHCP.

Examples of failures as I try different settings:

cannot install eroute -- it is in use for "LibreToMain" etc.
Peer public key SubjectAltName does not match peer ID for this connection
X509: CERT payload does not match connection ID


Ideally the connection would drop Main after a period, and then allow
the DHCP connection. I can get either working manually by stopping and
starting things a few times, but would love to have it failover
automatically without my intervention, and then revert when the uplink
returns.

Any suggestions on a workable set of settings (if possible) would be
gratefully received!

B. Rgds
John
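
The two conn blocks in the post both carry leftsubnet=192.168.100.0/24 and
rightsubnet=192.168.101.0/24, which is the pattern behind the quoted
"cannot install eroute -- it is in use for LibreToMain" message: two conns
competing for the same kernel policy. The following is an added example,
not code from the post or from the Libreswan project. It parses
ipsec.conf-style conn sections, reports conns whose traffic selectors
collide, and flags conns where dpdtimeout is not larger than dpddelay
(the assumption here is that a timeout shorter than the probe interval
leaves room for at most one missed probe, which is worth reviewing rather
than being an error in itself). The SAMPLE_CONF text is constructed from
the post's configs, trimmed to the keys the checks use.

```python
import re
from collections import defaultdict

# Constructed sample: the two conns from the post, reduced to the keys
# relevant to selector overlap and DPD timing.
SAMPLE_CONF = """
conn LibreToDHCP
    type=tunnel
    auto=add
    dpdaction=clear
    dpddelay=10
    dpdtimeout=5
    left=%defaultroute
    leftsubnet=192.168.100.0/24
    right=%any
    rightsubnet=192.168.101.0/24

conn LibreToMain
    type=tunnel
    auto=add
    dpdaction=restart
    dpddelay=30
    dpdtimeout=10
    left=%defaultroute
    leftsubnet=192.168.100.0/24
    right=1.2.3.4
    rightsubnet=192.168.101.0/24
"""


def parse_conns(text):
    """Parse 'conn NAME' sections into {name: {key: value}}.

    Handles '#' comments, blank lines and quoted values; anything before
    the first 'conn' line (e.g. 'config setup') is ignored.
    """
    conns = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = m.group(1)
            conns[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        conns[current][key.strip()] = value.strip().strip('"')
    return conns


def find_selector_overlaps(conns):
    """Group conns by (leftsubnet, rightsubnet) and return groups with more
    than one member: these conns would claim the same kernel policy.

    A missing *subnet key means the host itself, which is recorded as
    '<host>' so that two host-to-host conns also collide.
    """
    groups = defaultdict(list)
    for name, opts in conns.items():
        key = (opts.get("leftsubnet", "<host>"), opts.get("rightsubnet", "<host>"))
        groups[key].append(name)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def lint_dpd(conns):
    """Return conn names whose dpdtimeout is not larger than dpddelay.

    Assumption (not taken from the post): a timeout at or below the probe
    interval allows at most one unanswered probe before the peer is
    considered dead, so such settings deserve a second look.
    """
    flagged = []
    for name, opts in conns.items():
        if "dpddelay" in opts and "dpdtimeout" in opts:
            if int(opts["dpdtimeout"]) <= int(opts["dpddelay"]):
                flagged.append(name)
    return sorted(flagged)


def check_conf(text):
    """Run both checks over one ipsec.conf text and return the findings."""
    conns = parse_conns(text)
    return {
        "overlaps": find_selector_overlaps(conns),
        "dpd_review": lint_dpd(conns),
    }


if __name__ == "__main__":
    findings = check_conf(SAMPLE_CONF)
    for selectors, names in findings["overlaps"].items():
        print("selector overlap %s <-> %s: %s" % (selectors[0], selectors[1], ", ".join(names)))
    for name in findings["dpd_review"]:
        print("review DPD timing on conn %s (dpdtimeout <= dpddelay)" % name)
```

Run against a real /etc/ipsec.conf, an overlap report means the two conns
cannot be installed at the same time on the Libreswan side, whatever the
Endian box does with its uplinks; one of them has to be torn down before
the other can claim the policy.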
