[Swan] libreswan VPN as auto failover from dead static route

Paul Wouters paul at nohats.ca
Mon May 21 17:16:33 UTC 2018


On Sat, 19 May 2018, Dale Dellutri wrote:

> I am running libreswan version 3.20 release 5.el7_4 on CentOS 7,
> and I have established a VPN to a remote office.  There is also a
> dedicated line and a static route on another server to this same
> office.  We prefer to use the dedicated line.
>
> If both the static route and the VPN were in the same server, would
> there be any way to set up the VPN to automatically take over traffic
> from the static route if the dedicated line dies?

Yes. You can configure the IPsec SAs with different MARKs. That way,
both IPsec SAs for the same address ranges can be installed in the
kernel. It is then your job to ensure proper marking happens for
the traffic to flow through the proper IPsec SA. You might be able
to do this by setting up each conn with its own VTI device. Then
you only need to change routing to the proper device to send it over
the proper IPsec SA.

> If these were two static routes, I could simply have one, designated
> as a secondary, float above the primary; that is, make the secondary
> have a higher metric (administrative distance?) than the primary.
> But I can't even find the VPN route in the route table, so I don't
> even know how to mark the routes so that the VPN route floats above
> the static route.  The VPN route does not show up in
>  # ip route show
> Where are the VPN routes kept in CentOS 7?

You should be able to do that with VTI.

Note that the VTI kernel code has some limitations, such as you cannot
have more than one VTI device that does not have an explicit remote IP.
(That is, you cannot have both remote endpoints on dynamic IP addresses.)

Paul
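As an added worked example (not part of Paul's reply or of libreswan itself), the script below puts the approach above together for the single-VPN case: the conn gets its own mark and VTI device so that the VPN appears in `ip route show` as an ordinary route over `vti-office`, the dedicated line keeps the lower metric, and a probe pinned to the line withdraws the line route when the line dies, which lets the higher-metric VTI route float up. The option names `mark=`, `vti-interface=` and `vti-routing=` are libreswan's (ipsec.conf(5)); the office prefix, addresses, interface names and probe host are placeholders, and the conn's authentication settings are omitted. A second tunnel to the same ranges would need its own distinct `mark=` and `vti-interface=`, as described above.

```shell
#!/bin/sh
# Added example, not from the thread: libreswan VTI conn plus route-metric failover
# from a dedicated line. All addresses, device names and the probe host are made up.
set -u

OFFICE_NET="10.20.0.0/16"     # assumed remote office prefix
LINE_GW="192.0.2.1"           # assumed next hop on the dedicated line
LINE_DEV="eth1"               # assumed interface facing the dedicated line
LINE_PROBE="10.20.0.1"        # assumed far-end host used as the liveness probe
VTI_DEV="vti-office"          # VTI device created by the conn below
METRIC_LINE=10                # lower metric: the line is preferred while present
METRIC_VPN=20                 # higher metric: the VPN route floats above the line
DRY_RUN="${DRY_RUN:-0}"       # DRY_RUN=1 prints commands instead of running them

# Conn fragment. With vti-routing=no libreswan creates the device but leaves
# routing to us; 0/0 subnets let any traffic routed into the VTI be protected.
# A second conn for the same ranges would need a different mark= and vti-interface=.
IPSEC_CONF=$(cat <<'EOF'
conn office-vpn
    left=203.0.113.10
    right=198.51.100.20
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    mark=10/0xffffffff
    vti-interface=vti-office
    vti-routing=no
    auto=start
EOF
)

print_ipsec_conf() { printf '%s\n' "$IPSEC_CONF"; }

# Run a command, or print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pure decision: probe status (0 = line up) and current state of the line route
# (installed|withdrawn) -> install | withdraw | none.
next_action() {
    local probe="$1" state="$2"
    if [ "$probe" -eq 0 ] && [ "$state" = withdrawn ]; then echo install
    elif [ "$probe" -ne 0 ] && [ "$state" = installed ]; then echo withdraw
    else echo none
    fi
}

apply_action() {
    case "$1" in
        install)  run ip route replace "$OFFICE_NET" via "$LINE_GW" dev "$LINE_DEV" metric "$METRIC_LINE" ;;
        withdraw) run ip route del "$OFFICE_NET" via "$LINE_GW" dev "$LINE_DEV" metric "$METRIC_LINE" ;;
        none)     : ;;
    esac
}

# One-time routing setup: a /32 host route keeps the probe on the line even while
# the prefix route has been withdrawn, the VTI route is the floating backup, and
# the line route is installed with the preferred metric.
setup() {
    run ip route replace "$LINE_PROBE/32" via "$LINE_GW" dev "$LINE_DEV"
    run ip route replace "$OFFICE_NET" dev "$VTI_DEV" metric "$METRIC_VPN"
    apply_action install
}

# Liveness probe across the dedicated line (the /32 route pins it there).
line_is_up() { ping -c 3 -W 1 -q "$LINE_PROBE" >/dev/null 2>&1; }

monitor() {
    local state=installed probe action
    setup
    while :; do
        if line_is_up; then probe=0; else probe=1; fi
        action=$(next_action "$probe" "$state")
        apply_action "$action"
        case "$action" in install) state=installed ;; withdraw) state=withdrawn ;; esac
        sleep 5
    done
}

# Only loop when invoked as "script monitor"; sourcing just defines the functions.
if [ "${1:-}" = monitor ]; then monitor; fi
```

Run it with `DRY_RUN=1 sh failover.sh monitor` first to review the exact `ip route` commands; once the conn is up and `ip -d link show vti-office` shows the device, drop `DRY_RUN` and run it as root. The state machine deliberately only touches the line route, so a flapping probe never disturbs the VTI route or the IPsec SA.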
