[Swan] Failover VPN subnet to subnet using different links

antonio asilva at wirelessmundi.com
Mon Jul 17 14:13:21 EEST 2023


Hi,

I finally did it with 4 tunnels and configured routing rules to reach each side.

Tunnel1: host - subnet
 192.168.100.1 <--> 192.168.200.1 subnet: 172.16.10.0/24

Tunnel2: host - subnet
 192.168.300.1 <--> 192.168.400.1 subnet: 172.16.10.0/24

Tunnel3: subnet - host
192.168.100.1 subnet 172.16.20.0/24 <--> 192.168.200.1

Tunnel4: subnet - host
192.168.300.1 subnet 172.16.20.0/24 <--> 192.168.400.1


I wrote a bash script that detects the status of the connection and sets the routing rule on failure/success.

To avoid having an external monitoring script, is it possible to have all the connections up simultaneously and rely only on DPD + priority to handle the availability of the connection?


Thanks. 

—
Saludos / Regards / Cumprimentos
António Silva

> On 13 Jul 2023, at 17:11, antonio <asilva at wirelessmundi.com> wrote:
> 
> Hi,
> 
> I’m trying to establish a failover vpn using different links but same subnets:
> 
> Tunnel1: 192.168.100.1 <--> 192.168.200.1
>     172.16.20.0/24 <--> 172.16.10.0/24
> 
> Tunnel2:  192.168.300.1 <--> 192.168.400.1
>      172.16.20.0/24 <--> 172.16.10.0/24
> 
> 
> If tunnel1 is down the traffic between the subnets will go via tunnel2, and when tunnel1 is up again, the traffic will go via tunnel1.
>  
> 
> But, when the second tunnel is up I got the error message:
> 
> Jul 13 12:45:14 vm pluto[15813]: "tunnel2" #13: cannot install kernel policy -- it is in use for "tunnel1"
> Jul 13 12:45:14 vm pluto[15813]: "tunnel2" #13: state transition function for STATE_QUICK_R0 had internal error
> 
> 
> My configuration is:
> 
> conn tunnel1
>     pfs=no
>     type=tunnel
>     auto=start
>     ikev2=no
>     phase2=esp
>     authby=secret
>     keyingtries=3
>     ikelifetime=8h
>     salifetime=8h
>     left=192.168.100.1
>     leftsubnet=172.16.20.0/24
>     leftid=192.168.100.1
>     right=192.168.200.1
>     rightsubnet=172.16.10.0/24
>     rightid=192.168.200.1
>     dpddelay=30
>     dpdtimeout=60
>     dpdaction=hold
> 
> conn tunnel2
>     pfs=no
>     type=tunnel
>     auto=start
>     ikev2=no
>     phase2=esp
>     authby=secret
>     keyingtries=3
>     ikelifetime=8h
>     salifetime=8h
>     left=192.168.300.1
>     leftsubnet=172.16.20.0/24
>     leftid=192.168.300.1
>     right=192.168.400.1
>     rightsubnet=172.16.10.0/24
>     rightid=192.168.400.1
>     dpddelay=30
>     dpdtimeout=60
>     dpdaction=hold
> 
> 
> I tried the libreswan git version, setting a different priority in the configuration, but got the same result: the second tunnel is not up.
> I installed from a Debian package using make deb.
> 
> Can’t it be done? Or should I avoid this setup and use a route-based VPN?
> 
> 
> Thanks 
> 
> 
> Saludos / Regards / Cumprimentos
> António Silva
> 
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
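As an added example (not code from the original post, and not part of libreswan), here is a sketch of the kind of "detect the tunnel state, then set the route" helper the poster describes, written as functions so the decision logic can be exercised offline. It assumes the four-tunnel layout above (tunnel1/tunnel3 over link A with local endpoint 192.168.100.1, tunnel2/tunnel4 over link B with local endpoint 192.168.300.1), status text shaped like libreswan's `ipsec trafficstatus` output (one line per established IPsec SA with the connection name in double quotes; the sample lines are constructed), and next-hop gateways GW_A/GW_B that are placeholders, as are the addresses carried over from the post.

```shell
#!/bin/sh
# Added example, not code from the original post or from libreswan: a
# failover helper of the kind the poster describes, split into functions so
# the path-selection logic can be tested without root or a running pluto.
#
# Assumptions (not from the thread): tunnel1/tunnel3 run over link A (local
# 192.168.100.1), tunnel2/tunnel4 over link B (local 192.168.300.1); status
# text is shaped like `ipsec trafficstatus`, one line per established SA with
# the connection name in double quotes; GW_A/GW_B are placeholder gateways.

REMOTE_SUBNET="172.16.10.0/24"
LINK_A_SRC="192.168.100.1"; GW_A="192.168.100.254"   # placeholder gateway
LINK_B_SRC="192.168.300.1"; GW_B="192.168.300.254"   # placeholder gateway

# Constructed samples standing in for `ipsec trafficstatus` at two moments:
# both links healthy, and link A lost (only the link-B tunnels have SAs).
SAMPLE_BOTH_UP='006 #2: "tunnel1", type=ESP, add_time=1689595514, inBytes=1200, outBytes=840
006 #3: "tunnel2", type=ESP, add_time=1689595520, inBytes=0, outBytes=0
006 #4: "tunnel3", type=ESP, add_time=1689595515, inBytes=0, outBytes=0
006 #5: "tunnel4", type=ESP, add_time=1689595521, inBytes=0, outBytes=0'
SAMPLE_LINK_A_DOWN='006 #3: "tunnel2", type=ESP, add_time=1689595520, inBytes=96, outBytes=96
006 #5: "tunnel4", type=ESP, add_time=1689595521, inBytes=0, outBytes=0'

# tunnel_up STATUS NAME: succeed if an ESP SA for connection NAME is listed.
# Matching the quotes and ", type=ESP" keeps "tunnel1" from matching "tunnel10".
tunnel_up() {
    printf '%s\n' "$1" | grep -q "\"$2\", type=ESP"
}

# choose_path STATUS: print primary, secondary or none.
# Priority is static: link A is used whenever its outbound tunnel has an SA,
# so traffic moves back as soon as DPD/rekeying re-establishes tunnel1.
choose_path() {
    if tunnel_up "$1" tunnel1; then
        echo primary
    elif tunnel_up "$1" tunnel2; then
        echo secondary
    else
        echo none
    fi
}

# route_command PATH: print the ip(8) command that steers REMOTE_SUBNET.
# The "src" hint makes locally originated packets carry the endpoint address
# that the chosen host-to-subnet tunnel's policy matches. Printed rather than
# run so it is testable without root; watch_loop is what executes it.
# Nothing is printed for "none": with dpdaction=hold the policy keeps holding
# the traffic, so the route is left alone rather than torn down.
route_command() {
    case "$1" in
        primary)   echo "ip route replace $REMOTE_SUBNET via $GW_A src $LINK_A_SRC" ;;
        secondary) echo "ip route replace $REMOTE_SUBNET via $GW_B src $LINK_B_SRC" ;;
        *)         : ;;
    esac
}

# watch_loop [INTERVAL]: poll libreswan and apply the route only when the
# chosen path changes. Needs root and a running pluto; not called below.
watch_loop() {
    interval="${1:-10}"; current=""
    while :; do
        status=$(ipsec trafficstatus 2>/dev/null || true)
        path=$(choose_path "$status")
        if [ "$path" != "$current" ]; then
            logger -t ipsec-failover "path changed: ${current:-unknown} -> $path"
            # The string comes only from the constants above, never from input.
            eval "$(route_command "$path")" || true
            current="$path"
        fi
        sleep "$interval"
    done
}

# Dry run on the constructed samples.
for s in "$SAMPLE_BOTH_UP" "$SAMPLE_LINK_A_DOWN" ""; do
    p=$(choose_path "$s")
    echo "$p: $(route_command "$p")"
done
```

The reason the routing step works with the four-tunnel layout and not with the original two conns is visible in the error message quoted above: the two original conns had identical traffic selectors (172.16.20.0/24 to 172.16.10.0/24), so only one kernel policy could be installed. Host-to-subnet tunnels from two different local endpoints have distinct selectors, both policies can coexist, and the route's source hint decides which one a packet matches.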
